openstack team mailing list archive

[Michael Still <michael.still@xxxxxxxxxxxxx>]

On 08/08/12 11:08, Pádraig Brady wrote:

> If supporting either of the above cases, it would be great to
> reuse the existing image loopback mounting code:
> 
> virt.disk.setup_container(image_file)
> virt.disk.inject_file()
> other tweaks
> virt.disk.destroy_container(image_file)

This code doesn't seem to support _reading_ from the container though.
The current process (if you specify a glance image is):

- fetch image from glance
- mount it
- inject the data into it
- _copy_ the entire directory structure from the mounted image into the
config disk image

Its that final step that I think is hard with the containers code,
unless I am missing something.

What's the security vulnerability here? Its writing to something which
might be a symlink to somewhere special, right?

Would it be better for example to mount the image from glance, copy its
contents to the config disk image (skipping symlinks), and then umount
it? The data could then be written to the config disk instead of to the
image from glance. That would mean if there was a symlink pointing
somewhere special in the glance image it couldn't be exploited.

Mikal