Bugzilla – Bug 837817
VUL-1: CVE-2013-0326: openstack-nova: _base images permissions should not be world readable
Last modified: 2015-03-11 15:12:39 UTC
via rh bugzilla https://bugzilla.redhat.com/show_bug.cgi?id=913377 CVE-2013-0326

Nir Magnezi of Red Hat reports:

Description of problem:
=======================
nova _base images permissions are world readable. I'd expect them to be more strict.

Version-Release number of selected component (if applicable):
=============================================================
Folsom.

How reproducible:
=================
100%

Steps to Reproduce:
===================
1. Run a few instances and check the files created at /var/lib/nova/instances/_base
2.
3.

Actual results:
===============
nova _base images permissions are world readable.

-rw-r--r--. 1 nova nova 241M Dec 31 12:16 f7e6702d38be6ef3a5a66812d56615252a7f1e04.part
-rw-r--r--. 1 qemu qemu 9.8G Dec 31 12:17 f7e6702d38be6ef3a5a66812d56615252a7f1e04
-rw-r--r--. 1 qemu qemu  20G Dec 31 12:30 f7e6702d38be6ef3a5a66812d56615252a7f1e04_20
-rw-r--r--. 1 qemu qemu  40G Dec 31 12:37 f7e6702d38be6ef3a5a66812d56615252a7f1e04_40
-rw-r--r--. 1 nova nova  20G Dec 31 15:56 ephemeral_0_20_None
-rw-r--r--. 1 qemu qemu  20G Dec 31 15:57 ephemeral_0_20_None_20
-rw-r--r--. 1 qemu qemu 160G Jan  1 11:28 f7e6702d38be6ef3a5a66812d56615252a7f1e04_160
-rw-r--r--. 1 nova nova 241M Jan  3 12:40 b7b22e1d8a012c9b53c28777f6669459e5524557.part
-rw-r--r--. 1 nova nova 9.8G Jan  3 12:40 b7b22e1d8a012c9b53c28777f6669459e5524557
-rw-r--r--. 1 nova nova    0 Jan  3 12:40 b7b22e1d8a012c9b53c28777f6669459e5524557_20
-rw-r--r--. 1 nova nova 241M Jan  6 15:52 af7ca6734c34f038c8f65cd9c61cbcbb08bc6644.part
-rw-r--r--. 1 nova nova 9.8G Jan  6 15:52 af7ca6734c34f038c8f65cd9c61cbcbb08bc6644
-rw-r--r--. 1 qemu qemu  20G Jan  6 15:53 af7ca6734c34f038c8f65cd9c61cbcbb08bc6644_20

Expected results:
=================
nova _base images should be more strict.
bugbot adjusting priority
Bug doesn't reference grizzly, so not sure it affects us...
It's still an issue with openstack-nova-2013.1.4.a22.g067fb93:

# ls -la /var/lib/nova/instances/_base/
total 13215092
drwxr-xr-x  2 openstack-nova openstack-nova       4096 Nov 26 07:56 .
drwxr-xr-x 10 openstack-nova root                 4096 Nov 25 07:41 ..
-rw-r--r--  1 openstack-nova kvm            8589934592 Nov 28 13:20 4ec92f860a3314a12500d3df9c9296a2fe42cebb
-rw-r--r--  1 openstack-nova kvm            8590417920 Nov 28 13:20 ab1c3f945db58b9206466dcc2e9675548ce2ce6b
-rw-r--r--  1 openstack-nova kvm            8589934592 Nov 28 13:20 d7849e5793310d096787fef1443103458b59014a
-rw-r--r--  1 openstack-nova kvm            2147483648 Nov 28 13:20 fbae76ac03582c68e76ea5b519f4628ffa897668

Will investigate further...
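The check a practitioner would run against the listings above, as an added example that is not part of this bug report or of Nova's own code: it scans a directory for regular files with the other-read bit set (the `-rw-r--r--` entries), tightens them to 0640 so only the owner and the group (qemu/kvm in the listings, which is what actually reads the images) keep access, and shows how to create a new base file with a restrictive mode from the start rather than relying on the process umask. The directory, file names and contents are constructed stand-ins for /var/lib/nova/instances/_base, and all function names here are mine.

```python
"""Audit and tighten permissions on a Nova-style _base image directory.

Added example for CVE-2013-0326 (world-readable _base images); not Nova code.
"""
import os
import stat
import tempfile

WORLD_READABLE = stat.S_IROTH   # the o+r bit that makes a file readable by everyone
TARGET_MODE = 0o640             # owner rw, group r (qemu/kvm), nothing for others


def mode_of(path):
    """Permission bits of path as an int, e.g. 0o644."""
    return stat.S_IMODE(os.stat(path).st_mode)


def find_world_readable(base_dir):
    """Sorted names of regular files directly under base_dir that have o+r set."""
    offenders = []
    for name in os.listdir(base_dir):
        st = os.lstat(os.path.join(base_dir, name))  # lstat: never follow symlinks
        if stat.S_ISREG(st.st_mode) and st.st_mode & WORLD_READABLE:
            offenders.append(name)
    return sorted(offenders)


def restrict(base_dir, names, mode=TARGET_MODE):
    """chmod the listed files to mode; returns the names that were changed."""
    changed = []
    for name in names:
        os.chmod(os.path.join(base_dir, name), mode)
        changed.append(name)
    return changed


def audit_and_fix(base_dir, fix=False):
    """Return (world-readable before, world-readable after); fix=True tightens them."""
    before = find_world_readable(base_dir)
    if fix and before:
        restrict(base_dir, before)
    return before, find_world_readable(base_dir)


def create_restricted(base_dir, name, mode=TARGET_MODE):
    """Create a new base file with an explicit mode at open() time.

    The umask can only clear bits, so passing 0o640 to os.open yields at most
    0o640 regardless of the inherited umask (022 would otherwise give 0o644).
    """
    path = os.path.join(base_dir, name)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, mode)
    os.close(fd)
    return path


def make_demo_dir():
    """Constructed stand-in for /var/lib/nova/instances/_base.

    Hypothetical file names echo the bug's listing; modes are set explicitly
    with chmod so the demo does not depend on the caller's umask.
    """
    d = tempfile.mkdtemp(prefix="nova_base_demo_")
    files = {
        "f7e6702d38be6ef3a5a66812d56615252a7f1e04": 0o644,      # world-readable, as reported
        "f7e6702d38be6ef3a5a66812d56615252a7f1e04_20": 0o644,   # resized copy, same problem
        "ephemeral_0_20_None": 0o644,                            # ephemeral disk, same problem
        "already_restricted": 0o640,                             # the state we want
    }
    for name, mode in files.items():
        path = os.path.join(d, name)
        with open(path, "wb") as fh:
            fh.write(b"\0" * 16)   # tiny placeholder, not a real image
        os.chmod(path, mode)
    return d


if __name__ == "__main__":
    demo = make_demo_dir()
    before, after = audit_and_fix(demo, fix=True)
    print("world-readable before fix:", before)
    print("world-readable after fix: ", after)
    new = create_restricted(demo, "new_base_image")
    print("new file mode: %o" % mode_of(new))
```

Running the script against a real compute node's _base directory (as the nova user or root) only touches files that still have the other-read bit set, so it is safe to repeat. It is a remediation for files already on disk; the thread does not spell out what the upstream fix changed, so this is not a description of that patch.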
any news here?
Both Grizzly and Havana are affected. We could go the same way as RedHat and only fix it in a future version. Permissions would only matter if users could break out of kvm/xen or exploit other bugs to get some level of access to compute nodes, but chances are that then they would have qemu or nova permissions anyway.
Is fixed upstream; the fix won't be backported because of low risk.