[OSSA 2014-001] Insecure directory permissions with snapshot code (CVE-2013-7048)

Given that you've commented publically in that review "Setting console world readable/writable is a security flaw" I'm not sure there's much point to keeping this bug report private/embargoed. Do you concur?

Yep, unfortunately, when i commented to that effect I was thinking the code was only related to Michal's new console code, not realizing he was also touching this pre-existing code. So you're right that the cat is pretty much out of its bag by now.

Switched to public security based on the above confirmation.

Fix proposed to branch: master
Review: https://review.openstack.org/47634

I think it makes sense to have an OSSA on this (for Grizzly/havana). Thoughts ?

If we have hard-coded an expectation that libvirt and nova will run as separate users but both need to write to the same directory, the obvious solution is to use a group-writeable directory with a specific group to which only those two users belong (and optionally setgid if they'll be making subdirectories within it which they also need to share), though this may not be portable to non-POSIX filesystems (does libvirt run on those sorts of platforms?).

I think the approach attempted in https://review.openstack.org/46645 is on the right track, but instead of defaulting to an insecure behavior we should instead enlist the help of downstream packagers to see that an appropriate group gets created for this purpose and provide similar mitigation recommendations in an OSSA corresponding to introduction of the fixes in all affected branches.

The issue isn't sharing between libvirt & nova, it is sharing between QEMU & nova.

Having a the directory be group writable shared between Nova & QEMU is really not a good idea, because it opens up an avenue for a compromised QEMU to attack Nova.

IMHO, if Nova needs to access files that are owned by the QEMU user, then it should be using rootwrap or some other kind of helper, not try to make them writable by two different user accounts which are intended to be privilege separated.

I'll leave it up to the nova devs to decide whether the account separation at play there is intended to guard against symlink attacks launched between these roles, but regardless I agree it deserves an advisory once addressed.

Looks like a tricky backport again: both solutions (specific group and new rootwrap commands) rely on distros handling more than just a code update... a painful upgrade, and the impact of this vulnerability might make it a bad trade-off.

Unless nova can reuse existing rootwrap filters to achieve this, so that we don't actually need to update the rootwrap filters config files !

I've isolated the fix for this bug from the patch I was working on for bug 1129748 so it doesn't depend on any new rootwrap rule. With it the temporary directory is created with the correct permissions (751) and its contents (the images) are made only readable to the owner of the process by changing the file-creation mask for the whole snapshot method.

I think it should be easily backportable now.

Does this issue need a CVE?

Kurt: Probably. We don't usually request a CVE until we have a clear impact description and the patches which correct it in supported releases are mostly complete/ready to be reviewed, so that we don't have to go back later with revisions or retractions. If you're okay with us requesting CVEs before we're clear on the direction we're taking, we can probably see about revising our workflow ask for them earlier in the process.

@Xavier: do you have a master fix proposed somewhere already ?

Proposed impact description:

--------------------------------
Title: Nova live snapshots use an insecure local directory
Reporter: Daniel Berrange (Red Hat)
Products: Nova
Affects: Grizzly and later

Description:
Daniel Berrange from Red Hat reported that the directories used to temporarily store live snapshots on Nova compute nodes were writeable to all local users. A local attacker with shell access on compute nodes could therefore read and modify the contents of live snapshots before those are uploaded to the image service.

This impact description looks accurate to me.

@Thierry: I've the patch in gerrit, I don't know why the bug was not updated (I should have checked probably).

Upstream change is here: https://review.openstack.org/#/c/58852/

In the end is just about changing the directory's mode from 777 to 701, because libvirt only needs o+x for it to read/write on it.

Kurt: all confirmed, yes we need a CVE for this one. I suspect I should post it to oss-security since it's public already ?

Patch shall be backported once it hits the master branch.

@Xavier: feel free to propose backports yourself
See https://wiki.openstack.org/wiki/StableBranch#Proposing_Fixes

Fix proposed to branch: havana
Review: https://review.openstack.org/60548

Fix proposed to branch: grizzly
Review: https://review.openstack.org/60550

CVE requested

http://openwall.com/lists/oss-security/2013/12/11/6

CVE-2013-7048

We need to get the reviews restored, they got auto-abandoned over the holidays

Restored:
https://review.openstack.org/58852
https://review.openstack.org/60548
https://review.openstack.org/60550

Reviewed: https://review.openstack.org/58852
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=8a34fc3d48c467aa196f65eed444ccdc7c02f19f
Submitter: Jenkins
Branch: master

commit 8a34fc3d48c467aa196f65eed444ccdc7c02f19f
Author: Xavier Queralt <email address hidden>
Date: Wed Nov 27 20:44:36 2013 +0100

    Enforce permissions in snapshots temporary dir

    Live snapshots creates a temporary directory where libvirt driver
    creates a new image from the instance's disk using blockRebase.
    Currently this directory is created with 777 permissions making this
    directory accessible by all the users in the system.

    This patch changes the tempdir permissions so they have the o+x
    flag set, which is what libvirt needs to be able to write in it and

    Closes-Bug: #1227027
    Change-Id: I767ff5247b4452821727e92b668276004fc0f84d

stable/grizzly and stable/havana (grenade job running grizzly) look a bit borked right now, so I feel like we should publish advisory pointing to the reviews.

Agreed, until someone gets to the root of the grizzly breakage in bug 1266094 we're not going to have any hope of landing backports for grizzly or havana.

OSSA 2014-001

Reviewed: https://review.openstack.org/60548
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=75be5abd6b3fa0f7f27fe9c805f832cd41d44a5d
Submitter: Jenkins
Branch: stable/havana

commit 75be5abd6b3fa0f7f27fe9c805f832cd41d44a5d
Author: Xavier Queralt <email address hidden>
Date: Wed Nov 27 20:44:36 2013 +0100

    Enforce permissions in snapshots temporary dir

    Live snapshots creates a temporary directory where libvirt driver
    creates a new image from the instance's disk using blockRebase.
    Currently this directory is created with 777 permissions making this
    directory accessible by all the users in the system.

    This patch changes the tempdir permissions so they have the o+x
    flag set, which is what libvirt needs to be able to write in it and

    Closes-Bug: #1227027
    Change-Id: I767ff5247b4452821727e92b668276004fc0f84d
    (cherry picked from commit 8a34fc3d48c467aa196f65eed444ccdc7c02f19f)

Reviewed: https://review.openstack.org/60550
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=9bd7fff8c0160057643cfc37c5e2b1cd3337d6aa
Submitter: Jenkins
Branch: stable/grizzly

commit 9bd7fff8c0160057643cfc37c5e2b1cd3337d6aa
Author: Xavier Queralt <email address hidden>
Date: Wed Nov 27 20:44:36 2013 +0100

    Enforce permissions in snapshots temporary dir

    Live snapshots creates a temporary directory where libvirt driver
    creates a new image from the instance's disk using blockRebase.
    Currently this directory is created with 777 permissions making this
    directory accessible by all the users in the system.

    This patch changes the tempdir permissions so they have the o+x
    flag set, which is what libvirt needs to be able to write in it and

    Closes-Bug: #1227027
    Change-Id: I767ff5247b4452821727e92b668276004fc0f84d
    (cherry picked from commit 8a34fc3d48c467aa196f65eed444ccdc7c02f19f)