openstack team mailing list archive

Thread
Date

Re: [OSSA 2012-011] Compute node filesystem injection/corruption (CVE-2012-3447)

To: Eric Windisch <eric@xxxxxxxxxxxxxxxx>
From: Pádraig Brady <P@xxxxxxxxxxxxxx>
Date: Wed, 08 Aug 2012 10:47:05 +0100
Cc: Thierry Carrez <thierry@xxxxxxxxxxxxx>, "openstack@xxxxxxxxxxxxxxxxxxx" <openstack@xxxxxxxxxxxxxxxxxxx>
In-reply-to: <CALnZm-ZYCkZyGQ4vyKq7K6vPOSXaJqUc6mYV-mdVO6c3Q=zybw@mail.gmail.com>
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:6.0) Gecko/20110816 Thunderbird/6.0

On 08/08/2012 05:37 AM, Eric Windisch wrote:
> 
>     Also notice that libguestfs is supported as an injection mechanism
>     which mounts images in a separate VM, with one of the big advantages
>     of that being better security.
> 
> 
> Are you sure about this? Reading the driver source, it appears to be using 'guestmount' as glue between libguestfs and FUSE. Worse, this is done as root.  This mounts the filesystem in userspace on the host, but the userspace process runs as root.  Because the filesystem is mounted, all reads and writes must also happen as root, leading to potential escalation scenarios.
> 
> It does seem that libguestfs could be used securely, but it isn't.

The image is handled in a separate VM.
guestmount sets up communication with this VM.

cheers,
Pádraig.

References

[OSSA 2012-011] Compute node filesystem injection/corruption (CVE-2012-3447)
From: Thierry Carrez, 2012-08-07
Re: [OSSA 2012-011] Compute node filesystem injection/corruption (CVE-2012-3447)
From: Eric Windisch, 2012-08-07
Re: [OSSA 2012-011] Compute node filesystem injection/corruption (CVE-2012-3447)
From: Pádraig Brady, 2012-08-07
Re: [OSSA 2012-011] Compute node filesystem injection/corruption (CVE-2012-3447)
From: Eric Windisch, 2012-08-08