Bug 837817 (CVE-2013-0326) - VUL-1: CVE-2013-0326: openstack-nova: _base images permissions should not be world readable
Summary: VUL-1: CVE-2013-0326: openstack-nova: _base images permissions should not be...
Status: RESOLVED UPSTREAM
Alias: CVE-2013-0326
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Importance: P4 - Low : Normal
Target Milestone: ---
Assignee: Vincent Untz
QA Contact: Security Team bot
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2013-08-30 14:43 UTC by Marcus Meissner
Modified: 2015-03-11 15:12 UTC (History)
CC: 4 users

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Description Marcus Meissner 2013-08-30 14:43:40 UTC
via rh bugzilla https://bugzilla.redhat.com/show_bug.cgi?id=913377

CVE-2013-0326

Nir Magnezi of Red Hat reports:

Description of problem:
=======================
nova _base images permissions are world readable.
I'd expect them to be more strict.

Version-Release number of selected component (if applicable):
=============================================================
Folsom.

How reproducible:
=================
100%

Steps to Reproduce:
===================
1. Run a few instances and check the files created at /var/lib/nova/instances/_base
Actual results:
===============
nova _base images permissions are world readable.

-rw-r--r--. 1 nova nova 241M Dec 31 12:16 f7e6702d38be6ef3a5a66812d56615252a7f1e04.part
-rw-r--r--. 1 qemu qemu 9.8G Dec 31 12:17 f7e6702d38be6ef3a5a66812d56615252a7f1e04
-rw-r--r--. 1 qemu qemu  20G Dec 31 12:30 f7e6702d38be6ef3a5a66812d56615252a7f1e04_20
-rw-r--r--. 1 qemu qemu  40G Dec 31 12:37 f7e6702d38be6ef3a5a66812d56615252a7f1e04_40
-rw-r--r--. 1 nova nova  20G Dec 31 15:56 ephemeral_0_20_None
-rw-r--r--. 1 qemu qemu  20G Dec 31 15:57 ephemeral_0_20_None_20
-rw-r--r--. 1 qemu qemu 160G Jan  1 11:28 f7e6702d38be6ef3a5a66812d56615252a7f1e04_160
-rw-r--r--. 1 nova nova 241M Jan  3 12:40 b7b22e1d8a012c9b53c28777f6669459e5524557.part
-rw-r--r--. 1 nova nova 9.8G Jan  3 12:40 b7b22e1d8a012c9b53c28777f6669459e5524557
-rw-r--r--. 1 nova nova    0 Jan  3 12:40 b7b22e1d8a012c9b53c28777f6669459e5524557_20
-rw-r--r--. 1 nova nova 241M Jan  6 15:52 af7ca6734c34f038c8f65cd9c61cbcbb08bc6644.part
-rw-r--r--. 1 nova nova 9.8G Jan  6 15:52 af7ca6734c34f038c8f65cd9c61cbcbb08bc6644
-rw-r--r--. 1 qemu qemu  20G Jan  6 15:53 af7ca6734c34f038c8f65cd9c61cbcbb08bc6644_20

Expected results:
=================
nova _base images should be more strict
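The report above boils down to one check: which regular files under the _base directory carry the "other read" bit (the 0644 / "-rw-r--r--" mode in the listings). The following audit helper is an added example, not code from the bug report, from Red Hat or from openstack-nova; the script name audit_base.sh and the --fix flag are assumed for illustration. It reports offending files and, on request, strips only the "other" read bit so the nova and qemu owners and the kvm group keep their access.

```shell
#!/bin/sh
# Added audit helper (not part of the bug report or of openstack-nova).
# Reports, and optionally fixes, regular files under a directory whose mode
# grants read access to "other", which is what the report shows for
# /var/lib/nova/instances/_base (mode 0644, "-rw-r--r--").

# Print world-readable regular files under "$1", one per line, sorted.
# Returns 1 if any were found, 0 if the directory is clean.
find_world_readable() {
    # -perm -004: the "other read" bit must be set; remaining bits are
    # ignored, so 0644, 0664 and 0444 match while 0640 and 0600 do not.
    found=$(find "$1" -type f -perm -004 -print | sort)
    if [ -n "$found" ]; then
        printf '%s\n' "$found"
        return 1
    fi
    return 0
}

# Strip the "other" read bit from every regular file under "$1".
# Owner and group bits are left untouched, so the nova/qemu owners and the
# kvm group seen in the report's listings keep their access.
fix_world_readable() {
    find "$1" -type f -perm -004 -exec chmod o-r {} +
}

# Usage when run as a script (assumed name): audit_base.sh DIR [--fix]
# Exit status 1 means world-readable files are still present.
if [ "$#" -gt 0 ]; then
    if [ "${2:-}" = "--fix" ]; then
        fix_world_readable "$1"
    fi
    find_world_readable "$1"
fi
```

Running it against /var/lib/nova/instances/_base on a Folsom, Grizzly or Havana compute node reproduces the observation in the report; the non-zero exit status makes it usable from a cron job or a configuration-management check. Note that the `.part` download files and the resized `_20`/`_40` copies are regular files too and are covered by the same `find` expression.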
Comment 1 Swamp Workflow Management 2013-08-30 22:00:24 UTC
bugbot adjusting priority
Comment 2 Vincent Untz 2013-09-25 09:08:52 UTC
Bug doesn't reference grizzly, so not sure it affects us...
Comment 3 Sascha Peilicke 2013-11-28 13:39:40 UTC
It's still an issue with openstack-nova-2013.1.4.a22.g067fb93:

# ls -la /var/lib/nova/instances/_base/
total 13215092
drwxr-xr-x  2 openstack-nova openstack-nova       4096 Nov 26 07:56 .
drwxr-xr-x 10 openstack-nova root                 4096 Nov 25 07:41 ..
-rw-r--r--  1 openstack-nova kvm            8589934592 Nov 28 13:20 4ec92f860a3314a12500d3df9c9296a2fe42cebb
-rw-r--r--  1 openstack-nova kvm            8590417920 Nov 28 13:20 ab1c3f945db58b9206466dcc2e9675548ce2ce6b
-rw-r--r--  1 openstack-nova kvm            8589934592 Nov 28 13:20 d7849e5793310d096787fef1443103458b59014a
-rw-r--r--  1 openstack-nova kvm            2147483648 Nov 28 13:20 fbae76ac03582c68e76ea5b519f4628ffa897668

Will investigate further...
Comment 4 Marcus Meissner 2014-03-28 08:26:58 UTC
any news here?
Comment 5 Bernhard Wiedemann 2014-04-01 09:09:21 UTC
Both Grizzly and Havana are affected. We could go the same way as RedHat and only fix it in a future version.

Permissions would only matter if users could break out of kvm/xen or exploit other bugs to get some level of access to compute nodes, but chances are that then they would have qemu or nova permissions anyway.
Comment 7 Johannes Segitz 2015-03-11 15:12:39 UTC
It is fixed upstream; the fix won't be backported because of the low risk.