Multiple drivers set insecure file permissions
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Cinder | Fix Released | High | Ben Swartzlander | |
| OpenStack Security Notes | Fix Released | High | Malini Bhandaru | |
Bug Description
GPFS from various places calls "chmod 666" as root:
./cinder/
./cinder/
the Huawei driver sets 777 permissions as root on some files:
./cinder/
./cinder/
the Scality driver sets 666 permissions on all volumes:
cinder/
def _create_file(self, path, size):
with open(path, "ab") as f:
Similarly, the NFS and NEXENTA driver have an implementation of
def _set_rw_
that is being called on all newly created volumes.
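As an added illustration, not code from Cinder or from any of the drivers named in the report: the create-then-chmod-666 pattern the report describes, next to a creation routine that applies an owner-only mode at the moment the backing file comes into existence, plus a check that flags backing files whose group/other bits are set. File names, the directory layout and the function names are assumptions made for the example.

```python
import os
import stat

# Any group/other permission bit counts as "world accessible" for a volume
# backing file that should only ever be touched by the storage service.
WORLD_BITS = stat.S_IRWXG | stat.S_IRWXO


def unsafe_create_volume_file(path, size):
    """The pattern from the report: create the file, then chmod it to 0666."""
    with open(path, "ab") as f:
        f.truncate(size)
    os.chmod(path, 0o666)  # readable and writable by every local user
    return path


def create_volume_file(path, size):
    """Create a sparse backing file of `size` bytes with mode 0600.

    The mode is passed to os.open, so the file never exists with a looser
    mode; O_EXCL makes the call fail instead of adopting a file that some
    other user pre-created at `path`.
    """
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    try:
        os.ftruncate(fd, size)
    finally:
        os.close(fd)
    # os.open applies the process umask; pin the intended mode regardless.
    os.chmod(path, 0o600)
    return path


def world_accessible(path):
    """True if any group/other permission bit is set on `path`."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return bool(mode & WORLD_BITS)


def audit_volume_dir(directory):
    """Return the regular files under `directory` that are group/other accessible."""
    findings = []
    for name in sorted(os.listdir(directory)):
        full = os.path.join(directory, name)
        if os.path.isfile(full) and world_accessible(full):
            findings.append(full)
    return findings
```

`audit_volume_dir` is the check a deployer can run against an existing volume directory to find files already created by one of the affected drivers.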
Changed in ossa:
  importance: Medium → Undecided
  information type: Private Security → Public
  tags: added: security
affects: ossa → ossn
Changed in ossn:
  status: Incomplete → New
no longer affects: cinder/grizzly
no longer affects: cinder/havana
Changed in cinder:
  importance: Undecided → High
Changed in ossn:
  assignee: nobody → Nathan Kinder (nkinder)
Changed in ossn:
  status: New → In Progress
Changed in ossn:
  importance: Undecided → High
Changed in ossn:
  assignee: Nathan Kinder (nkinder) → nobody
  status: In Progress → Confirmed
Changed in ossn:
  assignee: nobody → Malini Bhandaru (malini-k-bhandaru)
Changed in ossn:
  status: Confirmed → In Progress
Changed in cinder:
  assignee: nobody → Glenn M. Gobeli (glenng)
Changed in cinder:
  assignee: Glenn M. Gobeli (glenng) → Ben Swartzlander (bswartz)
Changed in cinder:
  assignee: Ben Swartzlander (bswartz) → Eric Harney (eharney)
Changed in cinder:
  assignee: Eric Harney (eharney) → Ben Swartzlander (bswartz)
Changed in cinder:
  status: In Progress → Fix Released
Sounds legit, unless those backends actually rely on 666/777 files to work properly (!?)
Probably needs a common OSSA with bug 1260680.