Cinder

Bug #1260679
Comment #35

Comment 35 for bug 1260679

Revision history for this message

Duncan Thomas (duncan-thomas) wrote on 2014-01-30: Re: [Bug 1260679] Re: Multiple drivers set insecure file permissions

#35

For sensibly set up systems with common uids, you can just change the mask
to be 500 can't you? Adding that as a config option would enable many
people to secure their systems I think...
On Jan 29, 2014 6:01 PM, "Thierry Carrez" <email address hidden>
wrote:

> That's one option. We would issue an OSSN stating that those specific
> drivers have flaws in their design that make them vulnerable to local
> attacks, and encourage people to use different drivers.
>
> So 3 options, basically:
> 1- Fix in master and somehow backport the fix in a stable-branch-update
> compatoible and upgradeable way (?): issue OSSA
> 2- Fix in master but don't backport the fix: issue OSSN stating we fixed
> it in icehouse but the flawed design persists in <=Havana
> 3- Don't fix it but acknowledge the ongoing weakness in an OSSN (like what
> we did for internal cleartext communications between nodes)
>
> Option 3 could come with some deprecation plan for lousy drivers.
>
> --
> You received this bug notification because you are a member of Cinder
> Core security contacts, which is subscribed to the bug report.
> https://bugs.launchpad.net/bugs/1260679
>
> Title:
> Multiple drivers set insecure file permissions
>
> Status in Cinder:
> In Progress
> Status in Cinder grizzly series:
> New
> Status in Cinder havana series:
> New
> Status in OpenStack Security Advisories:
> Confirmed
>
> Bug description:
> GPFS from various places calls "chmod 666" as root:
>
> ./cinder/volume/drivers/gpfs.py: self._execute('chmod', '666',
> path, run_as_root=True)
> ./cinder/volume/drivers/gpfs.py: self._execute('chmod',
> '666', vol_path, run_as_root=True)
>
> the Huawei driver sets 777 permissions as root on some files:
>
> ./cinder/volume/drivers/huawei/ssh_common.py: utils.execute('chmod',
> '777', filepath, run_as_root=True)
> ./cinder/volume/drivers/huawei/rest_common.py: utils.execute('chmod',
> '777', filepath, run_as_root=True)
>
> the Scality driver sets 666 permissions on all volumes:
>
> cinder/volume/drivers/scality.py:
>
> def _create_file(self, path, size):
> with open(path, "ab") as f:
> f.truncate(size)
> os.chmod(path, 0o666)
>
> Similarly, the NFS and NEXENTA driver have an implementation of
>
> def _set_rw_permissions_for_all()
>
> that is being called on all newly created volumes.
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/cinder/+bug/1260679/+subscriptions
>

> That's one option. We would issue an OSSN stating that those specific
> drivers have flaws in their design that make them vulnerable to local
> attacks, and encourage people to use different drivers.
>
> So 3 options, basically:
> 1- Fix in master and somehow backport the fix in a stable-branch-update
> compatoible and upgradeable way (?): issue OSSA
> 2- Fix in master but don't backport the fix: issue OSSN stating we fixed
> it in icehouse but the flawed design persists in <=Havana
> 3- Don't fix it but acknowledge the ongoing weakness in an OSSN (like what
> we did for internal cleartext communications between nodes)
>
> Option 3 could come with some deprecation plan for lousy drivers.
>
> --
> You received this bug notification because you are a member of Cinder
> Core security contacts, which is subscribed to the bug report.
> https://bugs.launchpad.net/bugs/1260679
>
> Title:
>   Multiple drivers set insecure file permissions
>
> Status in Cinder:
>   In Progress
> Status in Cinder grizzly series:
>   New
> Status in Cinder havana series:
>   New
> Status in OpenStack Security Advisories:
>   Confirmed
>
> Bug description:
>   GPFS from various places calls "chmod 666" as root:
>
>   ./cinder/volume/drivers/gpfs.py:        self._execute('chmod', '666',
> path, run_as_root=True)
>   ./cinder/volume/drivers/gpfs.py:            self._execute('chmod',
> '666', vol_path, run_as_root=True)
>
>   the Huawei driver sets 777 permissions as root on some files:
>
>   ./cinder/volume/drivers/huawei/ssh_common.py: utils.execute('chmod',
> '777', filepath, run_as_root=True)
>   ./cinder/volume/drivers/huawei/rest_common.py: utils.execute('chmod',
> '777', filepath, run_as_root=True)
>
>   the Scality driver sets 666 permissions on all volumes:
>
>   cinder/volume/drivers/scality.py:
>
>       def _create_file(self, path, size):
>           with open(path, "ab") as f:
>               f.truncate(size)
>           os.chmod(path, 0o666)
>
>   Similarly, the NFS and NEXENTA driver have an implementation of
>
>   def _set_rw_permissions_for_all()
>
>   that is being called on all newly created volumes.
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/cinder/+bug/1260679/+subscriptions
>