openstack team mailing list archive
Message #15588
Re: [OSSA 2012-011] Compute node filesystem injection/corruption (CVE-2012-3447)
On 08/08/2012 05:37 AM, Eric Windisch wrote:
>
> Also notice that libguestfs is supported as an injection mechanism
> which mounts images in a separate VM, with one of the big advantages
> of that being better security.
>
>
> Are you sure about this? Reading the driver source, it appears to be using 'guestmount' as glue between libguestfs and FUSE. Worse, this is done as root. This mounts the filesystem in userspace on the host, but the userspace process runs as root. Because the filesystem is mounted, all reads and writes must also happen as root, leading to potential escalation scenarios.
>
> It does seem that libguestfs could be used securely, but it isn't.
The image is handled in a separate VM.
guestmount sets up communication with this VM.
cheers,
Pádraig.