yahoo-eng-team team mailing list archive

[Bug 2083033] [NEW] The file permissions injected into the instance through Config Drive do not meet security regulations.

Public bug reported:

Description
===========
I created an instance of the configuration driver in iso9660 format, and then logged in to the instance. I found that the permissions of the files and directories injected through the configuration driver were all 555. For example:
ec2/2009-04-04/meta-data.json
ec2/2009-04-04/user-data
ec2/latest/meta-data.json
ec2/latest/user-data
openstack/2012-08-10/meta_data.json
openstack/2012-08-10/user_data
openstack/content
openstack/content/0000
openstack/content/0001
openstack/latest/meta_data.json
openstack/latest/user_data
If the data injected by the user contains sensitive information such as passwords and secret keys, and the file and directory permissions are not set appropriately, sensitive information may be leaked and security attacks may occur.

Steps to reproduce
==================
step1: I set config_drive_format=iso9660
step2: I created a flavor and image
step3: nova boot --image my_image --flavor my --nic net-name=config_net my_vm --config-drive true
step4: I logged in to the instance to view file and directory permissions

Expected result
===============
I would like to be able to set different file permissions based on different file types to meet security regulations. For example, the configuration directory is 750, the configuration file is 640, and the program files and directories are 550, etc.

Actual result
=============
The permissions of the files and directories injected through the configuration driver were all 555.

Environment
===========
1. version: nova 20.1.1
2. hypervisor: Libvirt + KVM
3. storage type: LVM
4. networking: Neutron with Open vSwitch

** Affects: nova
     Importance: Undecided
         Status: New

** Summary changed:

- The file permissions injected into the virtual machine through Config Drive do not meet security requirements.
+ The file permissions injected into the virtual machine through Config Drive do not meet security regulations.

** Summary changed:

- The file permissions injected into the virtual machine through Config Drive do not meet security regulations.
+ The file permissions injected into the instance through Config Drive do not meet security regulations.

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/2083033

Title:
  The file permissions injected into the instance through Config Drive
  do not meet security regulations.

Status in OpenStack Compute (nova):
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/2083033/+subscriptions
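
An added example, not part of the original bug report or of nova's code: a check that can be run inside the instance against the mounted config drive to list every entry whose mode exceeds the ceilings named under "Expected result" (750 for directories, 640 for files). The function names, the `/mnt/config` mount point and the sample tree are assumptions constructed for illustration.

```python
import os
import stat
import tempfile

# Ceilings from the report's "Expected result": directories 750, files 640.
MAX_DIR_MODE = 0o750
MAX_FILE_MODE = 0o640


def audit_tree(root):
    """Return sorted (relative_path, mode, excess_bits) for each entry under
    root whose permission bits go beyond the ceiling for its type."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # symlink modes are not meaningful
            mode = stat.S_IMODE(st.st_mode)
            ceiling = MAX_DIR_MODE if stat.S_ISDIR(st.st_mode) else MAX_FILE_MODE
            excess = mode & ~ceiling
            if excess:
                findings.append((os.path.relpath(path, root), mode, excess))
    return sorted(findings)


def build_sample_tree(root, mode=0o555):
    """Constructed stand-in for a mounted config drive: a few of the paths
    listed in the report, every entry set to the reported mode 555."""
    for rel in ("ec2/latest/user-data", "openstack/latest/meta_data.json",
                "openstack/latest/user_data"):
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write("constructed sample\n")
    for dirpath, dirnames, filenames in os.walk(root, topdown=False):
        for name in dirnames + filenames:
            os.chmod(os.path.join(dirpath, name), mode)


if __name__ == "__main__":
    # Demo on the constructed tree; on a real instance pass the mount point
    # of the config drive instead (e.g. /mnt/config, an assumed path).
    demo_root = tempfile.mkdtemp()
    build_sample_tree(demo_root)
    for rel, mode, excess in audit_tree(demo_root):
        print(f"{rel}: mode {mode:03o}, excess bits {excess:03o}")
```

With every entry at 555, directories are flagged for the "other" read and execute bits (005) and files additionally for the owner and group execute bits (115).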