user permissions on directories

Bug #869235 reported by Chmouel Boudjnah on 2011-10-06
This bug affects 3 people
Affects Status Importance Assigned to Milestone
OpenStack Object Storage (swift)
Chmouel Boudjnah

Bug Description

Swift is creating directories with a umask(0) as seen in:

479: os.umask(0) # ensure files are created with the correct privileges

which creates directories that are world readable/writable (777):

swift@storage03:/srv/node/sdb1$ ls -l
total 8
drwxrwxrwx 9 swift nogroup 94 2011-10-05 18:28 accounts/
drwxrwxrwx 21 swift nogroup 4096 2011-10-05 18:20 containers/
drwxrwxrwx 16 swift nogroup 4096 2011-10-05 18:34 objects/
drwxrwxrwx 2 swift nogroup 6 2011-10-05 18:34 tmp/

It would be nice if they were created with the standard umask (022) or even a more secure one of 077.

Fabrice Bacchella (fbacchella) wrote :

That will be useless with the rsync configuration given in

It gives remote write access to everyone on the good network, even with a 077 umask, as rsync is running as swift.

The configuration:

uid = swift
gid = swift
log file = /var/log/rsyncd.log
pid file = /var/run/

max connections = 2
path = /srv/node/
read only = false
lock file = /var/lock/account.lock

max connections = 2
path = /srv/node/
read only = false
lock file = /var/lock/container.lock

max connections = 2
path = /srv/node/
read only = false
lock file = /var/lock/object.lock

Changed in swift:
milestone: none → 1.4.4
status: New → In Progress
importance: Undecided → Medium
Chmouel Boudjnah (chmouel) wrote :

@Fabrice, I guess this is not for security but more for best practice; there is much more than that to do if we assume we are not in a secured network environment.

Some companies have the requirement to install an IDS that does file permission checking, and having world-readable files would be pretty scary for those tools.
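
The effect of the process umask discussed in this report, together with the kind of file permission check mentioned in the comment above, as an added example that is not Swift's own code or part of the original thread. The directory names come from the `ls` listing in the description; the function names and the temporary scratch tree are assumptions made for illustration.

```python
import os
import stat
import tempfile

# Directory names taken from the ls listing in the report.
SWIFT_DIRS = ("accounts", "containers", "objects", "tmp")


def make_tree(root, umask):
    """Create the storage directories under root with the given process umask."""
    old = os.umask(umask)
    try:
        for name in SWIFT_DIRS:
            # No explicit mode: os.makedirs asks for 0o777 and the kernel
            # clears whatever bits are set in the umask.
            os.makedirs(os.path.join(root, name))
    finally:
        os.umask(old)  # restore, the umask is process-wide state


def world_writable(root):
    """Return sorted (relative path, mode) for directories writable by 'other'."""
    findings = []
    for dirpath, dirnames, _files in os.walk(root):
        for name in dirnames:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode & 0o777
            if mode & stat.S_IWOTH:
                findings.append((os.path.relpath(path, root), mode))
    return sorted(findings)


def compare(umasks=(0o000, 0o022, 0o077)):
    """Map each umask to (resulting directory modes, number of findings)."""
    results = {}
    for umask in umasks:
        with tempfile.TemporaryDirectory() as root:  # constructed scratch tree
            make_tree(root, umask)
            modes = {os.stat(os.path.join(root, d)).st_mode & 0o777
                     for d in SWIFT_DIRS}
            results[umask] = (modes, len(world_writable(root)))
    return results


if __name__ == "__main__":
    for umask, (modes, count) in compare().items():
        shown = ", ".join(oct(m) for m in sorted(modes))
        print(f"umask {umask:03o}: mode {shown}, world-writable dirs: {count}")
```

Pointing `world_writable()` at a real storage mount such as the `/srv/node/sdb1` shown in the description reports the same directories a permission-checking tool would flag.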

Changed in swift:
milestone: 1.4.4 → none
Changed in swift:
assignee: nobody → Chmouel Boudjnah (chmouel)
Chmouel Boudjnah (chmouel) wrote :
Changed in swift:
status: In Progress → Fix Committed
Thierry Carrez (ttx) on 2012-02-09
Changed in swift:
milestone: none → 1.4.6
status: Fix Committed → Fix Released