Cinder

Files in Scality driver are created world readable/writable

Bug #1432003 reported by Travis McPeak on 2015-03-13

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	Cinder	Won't Fix	Low	Unassigned
	OpenStack Security Advisory	Won't Fix	Undecided	Unassigned

Bug Description

On this line in the Scality driver: https://github.com/openstack/cinder/blob/master/cinder/volume/drivers/scality.py#L124 files which are created by the utility function are set to word readable and writable. This function is utilized in the following cases:

- volume creation: https://github.com/openstack/cinder/blob/master/cinder/volume/drivers/scality.py#L156
- snapshot creation: https://github.com/openstack/cinder/blob/master/cinder/volume/drivers/scality.py#L178
- volume extension: https://github.com/openstack/cinder/blob/master/cinder/volume/drivers/scality.py#L289

While it's possible that these files are supposed to be created in a directory which is protected, files should always be restricted according to the principle of least privilege. If these files are created in a directory without restricted permissions, any user on the system can tamper with these volumes and snapshots.

Tags:

Revision history for this message

Tristan Cacqueray (tristan-cacqueray) wrote on 2015-03-13:

Since this report concerns a possible security risk, an incomplete security advisory task has been added while the core security reviewers for the affected project or projects confirm the bug and discuss the scope of any vulnerability along with potential solutions.

Can cinder-coresec please confirm if the parent directory protect the overly permissive file permission ?

Changed in ossa:
status:	New → Incomplete

Revision history for this message

Travis McPeak (travis-mcpeak) wrote on 2015-03-17:

This vulnerability looks like it has existed since the Icehouse release.

Revision history for this message

Mike Perez (thingee) wrote on 2015-03-19:

Confirmed this in /var/lib/scality. I believe this should be fine.

Revision history for this message

Thierry Carrez (ttx) wrote on 2015-03-19:

If the parent directory is safe, this could be considered a strengthening opportunity (and not generate OSSA). If everyone agrees on that analysis, we could open this bug on Monday and make it a public strengthening bug.

Revision history for this message

Jay Bryant (jsbryant) wrote on 2015-03-20:

I am ok with that plan Thierry.

Revision history for this message

Tristan Cacqueray (tristan-cacqueray) wrote on 2015-03-23:

I agree with a D class type of bug ( https://wiki.openstack.org/wiki/Vulnerability_Management#Incident_report_taxonomy )

Thierry Carrez (ttx) on 2015-03-23

information type:

Private Security → Public

Revision history for this message

Jeremy Stanley (fungi) wrote on 2015-03-23:

Yes, this looks like security hardening, not an exploitable vulnerability.

Thierry Carrez (ttx) on 2015-03-23

tags:	added: security
Changed in ossa:
status:	Incomplete → Won't Fix

Sean McGinnis (sean-mcginnis) on 2016-09-29

tags:	added: drivers scality
Changed in cinder:
importance:	Undecided → Low

Revision history for this message

Sean McGinnis (sean-mcginnis) wrote on 2017-12-18:

Scality driver has been removed.

Changed in cinder:
status:	New → Won't Fix

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.