[one-users] Security issue: world writable files

richard -rw- weinberger richard.weinberger at gmail.com
Sun Dec 11 04:48:18 PST 2011


Hi!

While reviewing OpenNebula's source (3.0.0) I found some craziness.
It seems to create world writable files and directories.

tm_mad/shared/tm_ln.sh:42:exec_and_log "chmod a+w $DST_DIR"
tm_mad/shared/tm_mkimage.sh:45:exec_and_log "chmod a+rw $DST_PATH"
tm_mad/shared/tm_clone.sh:44:exec_and_log "chmod a+w $DST_DIR"
tm_mad/shared/tm_clone.sh:60:exec_and_log "chmod a+rw $DST_PATH"
tm_mad/shared/tm_mkswap.sh:40:exec_and_log "chmod a+w $DST_DIR"
tm_mad/shared/tm_mkswap.sh:50:exec_and_log "chmod a+w $DST_PATH"
tm_mad/lvm/tm_mkimage.sh:38:exec_and_log "$SSH $DST_HOST chmod a+rw $DST_PATH"
tm_mad/lvm/tm_mkswap.sh:42:exec_and_log "$SSH $DST_HOST chmod a+w $DST_PATH"
tm_mad/ssh/tm_mkimage.sh:41:exec_and_log "$SSH $DST_HOST chmod a+rw $DST_PATH"
tm_mad/ssh/tm_clone.sh:60:exec_and_log "$SSH $DST_HOST chmod a+rw $DST_PATH"
tm_mad/ssh/tm_mkswap.sh:44:exec_and_log "$SSH $DST_HOST chmod a+w $DST_PATH"
vm/VirtualMachine.cc:154:    chmod(oss.str().c_str(), 0777);
vm/VirtualMachine.cc:153:    mkdir(oss.str().c_str(), 0777);
vmm_mad/remotes/kvm/save:27:    chmod 666 $file

This has to get fixed, it's a security risk!

-- 
Thanks,
//richard
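
An added example, not part of the original post or of OpenNebula's code: a small checker that reads grep-style `file:line:code` hits like the ones listed above and reports only the chmod/mkdir calls whose mode sets the world-write bit. The function names and the two `example/safe.sh` lines are hypothetical; the other sample lines are copied from the listing.

```python
import re

# Shell form: chmod [-flags] MODE ...   C form: chmod(path, MODE) / mkdir(path, MODE)
SHELL_RE = re.compile(
    r"\bchmod\s+(?:-[A-Za-z]+\s+)*"
    r"([0-7]{3,4}\b|[ugoa]*[-+=][rwxXst]*(?:,[ugoa]*[-+=][rwxXst]*)*)")
C_RE = re.compile(r"\b(?:chmod|mkdir)\s*\([^,]+,\s*(0[0-7]+)\s*\)")
CLAUSE_RE = re.compile(r"([ugoa]*)([-+=])([rwxXst]*)")

def world_writable(mode):
    """True if the mode itself (octal or symbolic) turns on the 'other' write bit."""
    if mode.isdigit():
        return bool(int(mode, 8) & 0o002)
    granted = False
    for who, op, perms in CLAUSE_RE.findall(mode):
        # An empty 'who' is filtered by the umask, so it is not treated as world-write.
        if "o" not in who and "a" not in who:
            continue
        if op == "=":
            granted = "w" in perms
        elif "w" in perms:
            granted = (op == "+")   # a later 'o-w' clause revokes an earlier grant
    return granted

def scan(grep_lines):
    """Return (file:line, mode) for each 'file:line:code' hit that sets world-write."""
    findings = []
    for entry in grep_lines:
        path, lineno, code = entry.split(":", 2)
        # mkdir's mode is masked by the umask at runtime; it is flagged as stated intent.
        for m in list(SHELL_RE.finditer(code)) + list(C_RE.finditer(code)):
            if world_writable(m.group(1)):
                findings.append((f"{path}:{lineno}", m.group(1)))
    return findings

# Sample input: four lines from the listing above, two constructed safe lines.
SAMPLE = [
    'tm_mad/shared/tm_ln.sh:42:exec_and_log "chmod a+w $DST_DIR"',
    'tm_mad/ssh/tm_clone.sh:60:exec_and_log "$SSH $DST_HOST chmod a+rw $DST_PATH"',
    'vm/VirtualMachine.cc:154:    chmod(oss.str().c_str(), 0777);',
    'vmm_mad/remotes/kvm/save:27:    chmod 666 $file',
    'example/safe.sh:10:chmod u+rw,g+r "$DST_PATH"',
    'example/safe.sh:11:chmod 0640 "$file"',
]

if __name__ == "__main__":
    for location, mode in scan(SAMPLE):
        print(f"{location}: mode {mode} is world-writable")
```
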

