Files in Scality driver are created world readable/writable

Bug #1432003 reported by Travis McPeak
8
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Cinder
Won't Fix
Low
Unassigned
OpenStack Security Advisory
Won't Fix
Undecided
Unassigned

Bug Description

On this line in the Scality driver: https://github.com/openstack/cinder/blob/master/cinder/volume/drivers/scality.py#L124 files which are created by the utility function are set to word readable and writable. This function is utilized in the following cases:

- volume creation: https://github.com/openstack/cinder/blob/master/cinder/volume/drivers/scality.py#L156
- snapshot creation: https://github.com/openstack/cinder/blob/master/cinder/volume/drivers/scality.py#L178
- volume extension: https://github.com/openstack/cinder/blob/master/cinder/volume/drivers/scality.py#L289

While it's possible that these files are supposed to be created in a directory which is protected, files should always be restricted according to the principle of least privilege. If these files are created in a directory without restricted permissions, any user on the system can tamper with these volumes and snapshots.

Revision history for this message
Tristan Cacqueray (tristan-cacqueray) wrote :

Since this report concerns a possible security risk, an incomplete security advisory task has been added while the core security reviewers for the affected project or projects confirm the bug and discuss the scope of any vulnerability along with potential solutions.

Can cinder-coresec please confirm if the parent directory protect the overly permissive file permission ?

Changed in ossa:
status: New → Incomplete
Revision history for this message
Travis McPeak (travis-mcpeak) wrote :

This vulnerability looks like it has existed since the Icehouse release.

Revision history for this message
Mike Perez (thingee) wrote :

Confirmed this in /var/lib/scality. I believe this should be fine.

Revision history for this message
Thierry Carrez (ttx) wrote :

If the parent directory is safe, this could be considered a strengthening opportunity (and not generate OSSA). If everyone agrees on that analysis, we could open this bug on Monday and make it a public strengthening bug.

Revision history for this message
Jay Bryant (jsbryant) wrote :

I am ok with that plan Thierry.

Revision history for this message
Tristan Cacqueray (tristan-cacqueray) wrote :
Thierry Carrez (ttx)
information type: Private Security → Public
Revision history for this message
Jeremy Stanley (fungi) wrote :

Yes, this looks like security hardening, not an exploitable vulnerability.

Thierry Carrez (ttx)
tags: added: security
Changed in ossa:
status: Incomplete → Won't Fix
tags: added: drivers scality
Changed in cinder:
importance: Undecided → Low
Revision history for this message
Sean McGinnis (sean-mcginnis) wrote :

Scality driver has been removed.

Changed in cinder:
status: New → Won't Fix
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.