nova config json owned by nova instead of root
Bug #1539388 reported by Steven Dake
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
kolla | Invalid | Medium | Steven Dake | |
Bug Description
This is a security risk, as a container breakout could alter the nova.conf in seriously detrimental ways, possibly even being able to root the entire data center by modifying nova's interaction with libvirt.
Changed in kolla:
status: New → Confirmed
importance: Undecided → Critical
milestone: none → mitaka-3
assignee: nobody → Steven Dake (sdake)
At the midcycle we determined there is no way to rectify this problem. We can rectify the rootwrap file ownership problem, however, which we will do as part of the drop root blueprint.