Comment 5 for bug 1524274

Matthew Booth (mbooth-9) wrote : Re: Unprivileged api user can access host data using instance snapshot

The bug is worse than I originally realised, as it also affects installations running on ceph, lvm and ploop. The only setup which is not affected is qcow2 on filesystem.

The issue with ceph, lvm and ploop is that their snapshot_extract does convert_image, which calls qemu-img convert. It specifies an output format but not an input format, which means that the input format is implicitly auto-detected. It is worse still on lvm, because in that case qemu-img convert runs as root, so it can read any file or device on the host without restriction.

I have successfully exploited this on rbd.
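
The following is an added example, not part of the original comment and not Nova's code: a sketch of the mitigation the comment implies, pinning the input format with `-f` so qemu-img never auto-detects it, plus a check that flags a volume whose leading bytes do not match its declared format. The function names, the format allowlist, the magic table (not exhaustive) and the paths are assumptions made for illustration.

```python
# Added example; helper names are hypothetical, not Nova's API.
ALLOWED_FORMATS = {"raw", "qcow2"}

# Leading magic bytes of some formats qemu-img can auto-detect (not exhaustive).
MAGIC = {
    b"QFI\xfb": "qcow2",
    b"KDMV": "vmdk",
    b"vhdxfile": "vhdx",
}


def sniff_format(header: bytes) -> str:
    """Return the format the leading bytes resemble, or 'raw' if no magic matches."""
    for magic, name in MAGIC.items():
        if header.startswith(magic):
            return name
    return "raw"


def convert_argv(src, dst, in_format, out_format):
    """Build a qemu-img convert command line with the input format pinned via -f."""
    for fmt in (in_format, out_format):
        if fmt not in ALLOWED_FORMATS:
            raise ValueError(f"unsupported or missing image format: {fmt!r}")
    return ["qemu-img", "convert", "-f", in_format, "-O", out_format, src, dst]


def check_volume(header: bytes, declared_format: str) -> list:
    """List mismatches between the declared format and what the content resembles."""
    seen = sniff_format(header)
    if seen != declared_format:
        return [f"declared {declared_format} but content resembles {seen}; "
                f"convert only with -f {declared_format}"]
    return []


if __name__ == "__main__":
    # Constructed sample: first bytes of a volume assumed to be stored as raw.
    sample = b"QFI\xfb" + b"\x00\x00\x00\x03" + b"\x00" * 24
    print(check_volume(sample, "raw"))
    # Constructed placeholder paths.
    print(convert_argv("/dev/example-vg/example-lv", "/tmp/snap.qcow2", "raw", "qcow2"))
```
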