openstack team mailing list archive

Re: [OSSA 2012-011] Compute node filesystem injection/corruption (CVE-2012-3447)


On Wed, Aug 08, 2012 at 12:33:57AM -0400, Eric Windisch wrote:
> >
> >
> > What's the security vulnerability here? Its writing to something which
> > might be a symlink to somewhere special, right?
> >
> 
> Mounting filesystems tends to be a source of vulnerabilities in and of
> itself. There are userspace tools as an alternative, but a standard OS
> mount is clearly not secure. While libguestfs is such a userspace
> alternative, and guestmount is in some ways safer than a standard mount, it
> is not used by Nova in a way that has any clear advantage to a standard
> mount as it runs as root.
> 
> As this CVE indicates, injecting data into a mounted filesystem has its own
> problems, whether or not that filesystem is mounted directly in-kernel or
> via FUSE. There are also solutions here, some very complex, few if any are
> foolproof.
> 
> The solution here may be to use libguestfs, which seems to be a modern
> alternative to mtools, but to use it as a non-privileged user and to forego
> any illusions of mounting the filesystem anywhere via the kernel or FUSE.

Yes, ideally Nova would use the libguestfs API directly to inject files
and stop using guestmount, at which point things are strongly confined,
since everything takes place inside a VM which can only see the guest FS.
All files from the host are "uploaded" into the guest FS using an RPC
mechanism.  Even using the libguestfs API, though, applications need
to be somewhat careful about what they do. The libguestfs manpage
highlights important security considerations:

  http://libguestfs.org/guestfs.3.html#security

Also note that current work is being done to make libguestfs use
libvirt to launch its appliance VMs, at which point libguestfs VMs
will be strongly confined by sVirt (SELinux/AppArmor), and also
able to run as a separate user ID.

Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|
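The hazard the thread turns on is an injection target inside the mounted guest tree that is really a symlink pointing outside it, so a host-side write lands somewhere on the compute node. The example below is an added illustration (not Nova's or libguestfs's code) of the containment check a host-side injector needs if it keeps mounting at all: the guest path is resolved on the host and refused unless the resolved target stays under the mount root. The directory layout is constructed inline with tempfile.

```python
import os
import tempfile


def resolve_within_fs(fs_root, guest_path):
    """Join guest_path onto fs_root and return the symlink-resolved host
    path, or raise ValueError if the resolved path escapes fs_root.
    Resolution happens on the host, so a symlink placed inside the guest
    image can redirect the write; checking the resolved path closes that.
    """
    root = os.path.realpath(fs_root)
    candidate = os.path.realpath(os.path.join(root, guest_path.lstrip("/")))
    # realpath follows every symlink and collapses "..", so comparing the
    # result against the mount root catches absolute and relative links alike.
    if candidate != root and not candidate.startswith(root + os.sep):
        raise ValueError("path %r resolves outside %r" % (guest_path, root))
    return candidate


def inject_file(fs_root, guest_path, contents):
    """Write contents to guest_path under the mounted root after the check.
    Returns the host path that was written."""
    target = resolve_within_fs(fs_root, guest_path)
    with open(target, "wb") as f:
        f.write(contents)
    return target


def demo():
    """Constructed scenario: a fake mounted guest tree whose etc/hostname
    is a symlink to a file outside the tree. Returns (refused, untouched)."""
    outside_dir = tempfile.mkdtemp()
    outside_file = os.path.join(outside_dir, "host_file")
    with open(outside_file, "wb") as f:
        f.write(b"original\n")
    fs_root = tempfile.mkdtemp()
    os.makedirs(os.path.join(fs_root, "etc"))
    os.symlink(outside_file, os.path.join(fs_root, "etc", "hostname"))
    # An ordinary file inside the tree is written as expected.
    inject_file(fs_root, "/etc/motd", b"welcome\n")
    # The symlinked target is refused and the outside file stays intact.
    try:
        inject_file(fs_root, "/etc/hostname", b"changed\n")
        refused = False
    except ValueError:
        refused = True
    with open(outside_file, "rb") as f:
        untouched = f.read() == b"original\n"
    return refused, untouched
```

The check only narrows the host-side exposure Eric describes; Daniel's point stands that doing the injection inside the libguestfs appliance removes it rather than filtering it.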
