yahoo-eng-team team mailing list archive

Thread
Date

[Bug 1227027] Re: [OSSA 2014-001] Insecure directory permissions with snapshot code (CVE-2013-7048)

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: Alan Pevec <1227027@xxxxxxxxxxxxxxxxxx>
Date: Thu, 13 Feb 2014 19:18:48 -0000
Reply-to: Bug 1227027 <1227027@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

** Changed in: nova/havana
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1227027

Title:
  [OSSA 2014-001] Insecure directory permissions with snapshot code
  (CVE-2013-7048)

Status in OpenStack Compute (Nova):
  Fix Released
Status in OpenStack Compute (nova) grizzly series:
  Fix Committed
Status in OpenStack Compute (nova) havana series:
  Fix Released
Status in OpenStack Security Advisories:
  Fix Released

Bug description:
  In the following commit:

  commit 46de2d1e2d0abd6fdcd4da13facaf3225c721f5e
  Author: Rafi Khardalian <rafi@xxxxxxxxxxxxx>
  Date:   Sat Jan 26 09:02:19 2013 +0000

      Libvirt: Add support for live snapshots
      
      blueprint libvirt-live-snapshots
      

  There was the following chunk of code

           snapshot_directory = CONF.libvirt_snapshots_directory
           fileutils.ensure_tree(snapshot_directory)
           with utils.tempdir(dir=snapshot_directory) as tmpdir:
               try:
                   out_path = os.path.join(tmpdir, snapshot_name)
  -                snapshot.extract(out_path, image_format)
  +                if live_snapshot:
  +                    # NOTE (rmk): libvirt needs to be able to write to the
  +                    #             temp directory, which is owned nova.
  +                    utils.execute('chmod', '777', tmpdir, run_as_root=True)
  +                    self._live_snapshot(virt_dom, disk_path, out_path,
  +                                        image_format)
  +                else:
  +                    snapshot.extract(out_path, image_format)

  Making the temporary directory 777 does indeed give QEMU and libvirt
  permission to write there, because it gives every user on the whole
  system permission to write there. Yes, the directory name is
  unpredictable since it uses 'tempdir', this does not eliminate the
  security risk of making it world writable though.

  This flaw is highlighted by the following public commit which makes
  the mode configurable, but still defaults to insecure 777.

  https://review.openstack.org/#/c/46645/

To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1227027/+subscriptions