user permissions on directories

Bug #869235 reported by Chmouel Boudjnah
This bug affects 3 people
Affects: OpenStack Object Storage (swift)
Status: Fix Released
Importance: Medium
Assigned to: Chmouel Boudjnah

Bug Description

Swift is creating directories with a umask(0) as seen in:

swift/common/utils.py
479: os.umask(0) # ensure files are created with the correct privileges

which creates directories that are world readable/writable (777):

swift@storage03:/srv/node/sdb1$ ls -l
total 8
drwxrwxrwx 9 swift nogroup 94 2011-10-05 18:28 accounts/
drwxrwxrwx 21 swift nogroup 4096 2011-10-05 18:20 containers/
drwxrwxrwx 16 swift nogroup 4096 2011-10-05 18:34 objects/
drwxrwxrwx 2 swift nogroup 6 2011-10-05 18:34 tmp/

It would be nice if they were created with the standard umask (022) or even a more secure one of 077.
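The effect described in the report, as an added example (not Swift's code): it creates the same directory names under each of the three umasks mentioned above and audits the result for world-writable and world-accessible directories. The helper names and the temporary directories are assumptions made for the illustration.

```python
import os
import stat
import tempfile

# Directory names mirror the listing in the report.
NAMES = ("accounts", "containers", "objects", "tmp")


def make_dirs_with_umask(root, mask):
    """Create NAMES under root with the umask set to `mask`; return {name: mode}."""
    previous = os.umask(mask)
    try:
        modes = {}
        for name in NAMES:
            path = os.path.join(root, name)
            os.makedirs(path)  # requested mode defaults to 0o777, minus umask
            modes[name] = os.stat(path).st_mode & 0o777
        return modes
    finally:
        os.umask(previous)  # umask is process-wide, so restore it


def audit_dirs(root, forbidden=stat.S_IWOTH):
    """Return sorted (relative path, mode) for directories below root that
    carry any of the `forbidden` permission bits (default: world-writable)."""
    findings = []
    for dirpath, dirnames, _files in os.walk(root):
        for name in dirnames:
            full = os.path.join(dirpath, name)
            mode = os.lstat(full).st_mode & 0o777
            if mode & forbidden:
                findings.append((os.path.relpath(full, root), mode))
    return sorted(findings)


def compare_umasks(masks=(0o000, 0o022, 0o077)):
    """Per umask: (modes created, world-writable hits, any 'other' access hits)."""
    out = {}
    for mask in masks:
        with tempfile.TemporaryDirectory() as root:
            modes = make_dirs_with_umask(root, mask)
            out[mask] = (modes, audit_dirs(root), audit_dirs(root, stat.S_IRWXO))
    return out


if __name__ == "__main__":
    for mask, (modes, writable, other) in compare_umasks().items():
        print(f"umask {mask:03o}: mode {modes['objects']:03o}, writable={len(writable)}, other={len(other)}")
```

Pointing `audit_dirs` at a storage mount point such as the `/srv/node/sdb1` shown above gives the same kind of check a file-permission scanner would run.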

Fabrice Bacchella (fbacchella) wrote :

That will be useless with the rsync configuration given in http://swift.openstack.org/howto_installmultinode.html

It gives remote write access to everyone on the good network, even with a 077 umask, as rsync is running as swift.

The configuration:

uid = swift
gid = swift
log file = /var/log/rsyncd.log
pid file = /var/run/rsyncd.pid
address = $STORAGE_LOCAL_NET_IP

[account]
max connections = 2
path = /srv/node/
read only = false
lock file = /var/lock/account.lock

[container]
max connections = 2
path = /srv/node/
read only = false
lock file = /var/lock/container.lock

[object]
max connections = 2
path = /srv/node/
read only = false
lock file = /var/lock/object.lock

Changed in swift:
milestone: none → 1.4.4
status: New → In Progress
importance: Undecided → Medium
Chmouel Boudjnah (chmouel) wrote :

@Fabrice, I guess this is not for security but more for best practice; there is much more than that to do if we assume we are not in a secured network environment.

Some companies have the requirement to install an IDS that does file permission checking, and having world readable files would be pretty scary for those tools.

Changed in swift:
milestone: 1.4.4 → none
Changed in swift:
assignee: nobody → Chmouel Boudjnah (chmouel)
Chmouel Boudjnah (chmouel) wrote :
Changed in swift:
status: In Progress → Fix Committed
Thierry Carrez (ttx)
Changed in swift:
milestone: none → 1.4.6
status: Fix Committed → Fix Released