[one-users] Security issue: world writable files

Jaime Melis jmelis at opennebula.org
Wed Dec 14 08:21:18 PST 2011


Hello Richard,

you're right. At some point we had some issues with libvirt and kvm, and
the way they handle disk image files ownership and permissions, that's the
reason why we have those chmod's. However we can remove them provided that
the opennebula administrator configures libvirt properly to avoid these
problems, in particular, adding the following lines to
/etc/libvirt/qemu.conf:

----8<--------
user = "oneadmin"
group = "oneadmin"
dynamic_ownership = 0
---->8--------

We've opened a ticket to deal with this issue:
http://dev.opennebula.org/issues/1034

Thanks for reporting this.

Cheers,
Jaime

On Sun, Dec 11, 2011 at 1:48 PM, richard -rw- weinberger <
richard.weinberger at gmail.com> wrote:

> Hi!
>
> While reviewing OpenNebula's source (3.0.0) I found some craziness.
> It seems to create world writable files and directories.
>
> tm_mad/shared/tm_ln.sh:42:exec_and_log "chmod a+w $DST_DIR"
> tm_mad/shared/tm_mkimage.sh:45:exec_and_log "chmod a+rw $DST_PATH"
> tm_mad/shared/tm_clone.sh:44:exec_and_log "chmod a+w $DST_DIR"
> tm_mad/shared/tm_clone.sh:60:exec_and_log "chmod a+rw $DST_PATH"
> tm_mad/shared/tm_mkswap.sh:40:exec_and_log "chmod a+w $DST_DIR"
> tm_mad/shared/tm_mkswap.sh:50:exec_and_log "chmod a+w $DST_PATH"
> tm_mad/lvm/tm_mkimage.sh:38:exec_and_log "$SSH $DST_HOST chmod a+rw
> $DST_PATH"
> tm_mad/lvm/tm_mkswap.sh:42:exec_and_log "$SSH $DST_HOST chmod a+w
> $DST_PATH"
> tm_mad/ssh/tm_mkimage.sh:41:exec_and_log "$SSH $DST_HOST chmod a+rw
> $DST_PATH"
> tm_mad/ssh/tm_clone.sh:60:exec_and_log "$SSH $DST_HOST chmod a+rw
> $DST_PATH"
> tm_mad/ssh/tm_mkswap.sh:44:exec_and_log "$SSH $DST_HOST chmod a+w
> $DST_PATH"
> vm/VirtualMachine.cc:154:    chmod(oss.str().c_str(), 0777);
> vm/VirtualMachine.cc:153:    mkdir(oss.str().c_str(), 0777);
> vmm_mad/remotes/kvm/save:27:    chmod 666 $file
>
> This has to get fixed, it's security risk!
>
> --
> Thanks,
> //richard
> _______________________________________________
> Users mailing list
> Users at lists.opennebula.org
> http://lists.opennebula.org/listinfo.cgi/users-opennebula.org
>



-- 
Jaime Melis
Project Engineer
OpenNebula - The Open Source Toolkit for Cloud Computing
www.OpenNebula.org | jmelis at opennebula.org
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.opennebula.org/pipermail/users-opennebula.org/attachments/20111214/43b2fffa/attachment-0002.htm>


More information about the Users mailing list