yahoo-eng-team team mailing list archive
Message #09024
[Bug 1227027] Re: [OSSA 2014-001] Insecure directory permissions with snapshot code (CVE-2013-7048)
** Changed in: ossa
Status: Fix Committed => Fix Released
--
You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1227027
Title: [OSSA 2014-001] Insecure directory permissions with snapshot code (CVE-2013-7048)
Status in OpenStack Compute (Nova): Fix Released
Status in OpenStack Compute (nova) grizzly series: Fix Committed
Status in OpenStack Compute (nova) havana series: Fix Committed
Status in OpenStack Security Advisories: Fix Released
Bug description:
In the following commit:
commit 46de2d1e2d0abd6fdcd4da13facaf3225c721f5e
Author: Rafi Khardalian <rafi@xxxxxxxxxxxxx>
Date: Sat Jan 26 09:02:19 2013 +0000
Libvirt: Add support for live snapshots
blueprint libvirt-live-snapshots
There was the following chunk of code:
snapshot_directory = CONF.libvirt_snapshots_directory
fileutils.ensure_tree(snapshot_directory)
with utils.tempdir(dir=snapshot_directory) as tmpdir:
try:
out_path = os.path.join(tmpdir, snapshot_name)
- snapshot.extract(out_path, image_format)
+ if live_snapshot:
+ # NOTE (rmk): libvirt needs to be able to write to the
+ # temp directory, which is owned nova.
+ utils.execute('chmod', '777', tmpdir, run_as_root=True)
+ self._live_snapshot(virt_dom, disk_path, out_path,
+ image_format)
+ else:
+ snapshot.extract(out_path, image_format)
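Review bot: the `chmod 777` on `tmpdir` (run as root) grants far more than the NOTE says is needed: it lets every local user on the host write into the snapshot working directory, not only libvirt/QEMU, and the unpredictable name from `utils.tempdir` only hides the path, it does not restrict access. Grant write access to the account that actually writes there instead, for example by handing the directory to that service's group with `chown` and mode 0770, or with an ACL for the single user, and keep the random name as defence in depth rather than the only control. Minor: the NOTE comment should read "owned by nova".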
Making the temporary directory 777 does indeed give QEMU and libvirt permission to write there, because it gives every user on the whole system permission to write there. Yes, the directory name is unpredictable since it uses 'tempdir', but this does not eliminate the security risk of making it world-writable.
This flaw is highlighted by the following public commit which makes
the mode configurable, but still defaults to insecure 777.
https://review.openstack.org/#/c/46645/
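The following is an added example, not nova's code and not the fix that shipped for this advisory. It puts the world-writable temp-directory pattern from the bug report beside a least-privilege alternative (keep the 0700 that mkdtemp creates and add group access only), and includes a small audit helper that walks a base directory and reports world-writable subdirectories, the check an operator would run against a snapshot base directory on a compute node. The function names, the `gid` parameter and the use of the caller's own group as a stand-in for a service group are assumptions made so the code runs unprivileged.

```python
"""Added example (not nova's code): insecure vs. least-privilege temp dirs,
plus an audit that flags world-writable directories under a base path."""
import os
import stat
import tempfile


def insecure_tempdir(base=None):
    """The pattern the bug describes: mkdtemp creates the directory with mode
    0700, then a chmod 777 widens it so every local user may write into it."""
    path = tempfile.mkdtemp(dir=base)
    os.chmod(path, 0o777)  # the flaw: world-writable
    return path


def least_privilege_tempdir(base=None, gid=None):
    """Alternative (assumption: the service that must write here runs as a
    member of group `gid`): keep mkdtemp's 0700 and add group access only,
    so the owner and that one group can write, nobody else.  `gid` defaults
    to the caller's own group so the example runs without privileges."""
    if gid is None:
        gid = os.getgid()
    path = tempfile.mkdtemp(dir=base)  # created 0700 by mkdtemp
    os.chown(path, -1, gid)  # hand the directory to the service group
    os.chmod(path, stat.S_IRWXU | stat.S_IRWXG)  # 0770: owner and group only
    return path


def is_world_writable(path):
    """True if 'others' may create entries in this directory.  A sticky bit
    (as on /tmp) only restricts deletion, so such directories are still
    reported here."""
    mode = os.stat(path).st_mode
    return bool(mode & stat.S_IWOTH)


def world_writable_dirs(base):
    """Audit: walk `base` and return every world-writable directory below it."""
    found = []
    for root, dirs, _files in os.walk(base):
        for name in dirs:
            path = os.path.join(root, name)
            if is_world_writable(path):
                found.append(path)
    return sorted(found)


if __name__ == "__main__":
    # Constructed stand-in for the snapshots base directory.
    base = least_privilege_tempdir()
    bad = insecure_tempdir(base)
    good = least_privilege_tempdir(base)
    print("insecure dir mode: %o" % stat.S_IMODE(os.stat(bad).st_mode))
    print("hardened dir mode: %o" % stat.S_IMODE(os.stat(good).st_mode))
    print("world-writable under %s: %s" % (base, world_writable_dirs(base)))
```

The audit deliberately does not treat the sticky bit as a fix: it stops other users from deleting each other's files but still lets anyone create entries, which is the exposure the report describes for a directory that a privileged helper later reads from.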