Prohibit file injection writing to host filesystem
Reviewed: https://review.openstack.org/10953
Committed: http://github.com/openstack/nova/commit/ed89587d525e0214cb367aa4632df45903c6ac09
Submitter: Jenkins
Branch: stable/diablo
commit ed89587d525e0214cb367aa4632df45903c6ac09
Author: Pádraig Brady <email address hidden>
Date: Tue Jul 31 14:34:19 2012 +0100
Prohibit file injection writing to host filesystem
This is a refinement of the previous fix in commit 2427d4a9,
which does the file name canonicalization as the root user.
This is required so that guest images could not, for example,
protect malicious symlinks in a directory only readable by root.
Note this requires adding the 'readlink' binary to the
nova sudoers file.
Fixes bug: 1031311, CVE-2012-3447
Change-Id: I7f7cdeeffadebae7451e1e13f73f1313a7df9c5c
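The check the commit message describes, as an added example that is not nova's code: canonicalize the injection target with readlink (optionally under sudo, so symlinks in root-only directories are resolved too) and refuse any path that lands outside the mounted image. The helper names, the GNU readlink flags -n and -m, and the directory layout are assumptions made for illustration.

```python
import os
import subprocess
import tempfile

# Assumption: GNU readlink; -m canonicalizes even when trailing components
# do not exist yet, -n drops the trailing newline.
READLINK = ("readlink", "-nm")


class PathEscape(Exception):
    """Raised when an injected path resolves outside the mounted image."""


def join_and_check(fs_root, guest_path, run_as_root=False):
    """Return the canonical host path for guest_path under fs_root.

    Hypothetical helper. With run_as_root=True the canonicalization runs
    under sudo, so symlinks inside directories that only root can read are
    still resolved (this needs a sudoers entry for readlink).
    """
    cmd = (("sudo",) if run_as_root else ()) + READLINK
    root = subprocess.check_output(cmd + (fs_root,), text=True)
    candidate = os.path.join(root, guest_path.lstrip("/"))
    resolved = subprocess.check_output(cmd + (candidate,), text=True)
    # Compare with a trailing separator so /mnt/img-evil does not pass
    # as being inside /mnt/img.
    if resolved != root and not resolved.startswith(root.rstrip("/") + "/"):
        raise PathEscape("%s resolves to %s, outside %s"
                         % (guest_path, resolved, root))
    return resolved


def demo():
    """Build a constructed 'guest image' tree and try two injections."""
    with tempfile.TemporaryDirectory() as tmp:
        image = os.path.join(tmp, "img")
        host_dir = os.path.join(tmp, "host-etc")
        os.makedirs(os.path.join(image, "root"))
        os.makedirs(host_dir)
        # Guest-controlled symlink pointing out of the image.
        os.symlink(host_dir, os.path.join(image, "root", ".ssh"))
        ok = join_and_check(image, "/etc/motd")
        try:
            join_and_check(image, "/root/.ssh/authorized_keys")
            blocked = False
        except PathEscape:
            blocked = True
        return ok.endswith("/img/etc/motd"), blocked
```

Without run_as_root, readlink -m treats components it cannot read as missing and returns the path unresolved, which is the gap the commit closes by canonicalizing as root.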