yahoo-eng-team team mailing list archive

[Bug 1227027] Re: Insecure directory permissions with snapshot code

 

Kurt: all confirmed, yes we need a CVE for this one. I suspect I should
post it to oss-security since it's public already?

** Also affects: nova/grizzly
   Importance: Undecided
       Status: New

** Also affects: nova/havana
   Importance: Undecided
       Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1227027

Title:
  Insecure directory permissions with snapshot code

Status in OpenStack Compute (Nova):
  In Progress
Status in OpenStack Compute (nova) grizzly series:
  New
Status in OpenStack Compute (nova) havana series:
  New
Status in OpenStack Security Advisories:
  Triaged

Bug description:
  In the following commit:

  commit 46de2d1e2d0abd6fdcd4da13facaf3225c721f5e
  Author: Rafi Khardalian <rafi@xxxxxxxxxxxxx>
  Date:   Sat Jan 26 09:02:19 2013 +0000

      Libvirt: Add support for live snapshots
      
      blueprint libvirt-live-snapshots
      

  There was the following chunk of code

           snapshot_directory = CONF.libvirt_snapshots_directory
           fileutils.ensure_tree(snapshot_directory)
           with utils.tempdir(dir=snapshot_directory) as tmpdir:
               try:
                   out_path = os.path.join(tmpdir, snapshot_name)
  -                snapshot.extract(out_path, image_format)
  +                if live_snapshot:
  +                    # NOTE (rmk): libvirt needs to be able to write to the
  +                    #             temp directory, which is owned nova.
  +                    utils.execute('chmod', '777', tmpdir, run_as_root=True)
  +                    self._live_snapshot(virt_dom, disk_path, out_path,
  +                                        image_format)
  +                else:
  +                    snapshot.extract(out_path, image_format)
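
Review bot: In the `live_snapshot` branch, `utils.execute('chmod', '777', tmpdir, run_as_root=True)` grants write access to every local account rather than only to libvirt, which the NOTE above it names as the goal, so any local user can create, rename or delete entries in the directory while the snapshot is being written. Restrict the grant to the account or group that libvirt/QEMU runs as (group ownership with a mode that leaves out "other", or an ACL entry) and record the resulting mode in the NOTE. The NOTE also reads "owned nova" where "owned by nova" is meant.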

  Making the temporary directory 777 does indeed give QEMU and libvirt
  permission to write there, because it gives every user on the whole
  system permission to write there. Yes, the directory name is
  unpredictable since it uses 'tempdir', but this does not eliminate
  the security risk of making it world-writable.

  This flaw is highlighted by the following public commit which makes
  the mode configurable, but still defaults to insecure 777.

  https://review.openstack.org/#/c/46645/
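
One way to give a single service group write access to a snapshot temp directory without opening it to every local user, together with an audit that flags world-writable directories under a snapshot root. This is an added example, not code from the bug report or from nova; the function names and the use of a dedicated group are assumptions, and the demo uses the current process's own group as a stand-in for the hypervisor's group.

```python
import contextlib
import os
import shutil
import stat
import tempfile


@contextlib.contextmanager
def group_shared_tempdir(parent, gid):
    """Temp dir writable by its owner and one group, closed to everyone else.

    `gid` is an assumption: the group the hypervisor process runs under.
    """
    path = tempfile.mkdtemp(dir=parent)   # mkdtemp creates it with mode 0700
    try:
        os.chown(path, -1, gid)           # keep the owner, switch the group
        os.chmod(path, 0o770)             # rwx for owner and group, none for other
        yield path
    finally:
        shutil.rmtree(path, ignore_errors=True)


def world_writable_dirs(root):
    """Return (path, mode) for each directory under root with other-write set."""
    hits = []
    for dirpath, dirnames, _files in os.walk(root):
        for name in dirnames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)           # lstat: symlinks are not reported
            if stat.S_ISDIR(st.st_mode) and st.st_mode & stat.S_IWOTH:
                hits.append((full, stat.S_IMODE(st.st_mode)))
    return hits


def demo():
    """Constructed scenario: one 0777 directory next to a group-shared one."""
    root = tempfile.mkdtemp()
    try:
        bad = tempfile.mkdtemp(dir=root)
        os.chmod(bad, 0o777)              # the mode the reported code applies
        with group_shared_tempdir(root, os.getegid()) as good:
            good_mode = stat.S_IMODE(os.stat(good).st_mode)
            flagged = world_writable_dirs(root)
        return bad, good_mode, flagged
    finally:
        shutil.rmtree(root, ignore_errors=True)
```

Changing a directory's group to one the caller does not belong to requires privilege, so a deployment would perform that step with the same elevated rights the reported code already uses for `chmod`.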
