[one-users] oneimage QCOW2 problem: Error copying image in the datastore: Not allowed to copy image file

Gerry O'Brien gerry at scss.tcd.ie
Wed Sep 11 05:05:04 PDT 2013


Hi,

     By using /datastores instead of /var/lib/one/datastores, have I 
opened a security hole?


On 11/09/2013 12:51, Carlos Martín Sánchez wrote:
> Hi,
>
> On Wed, Sep 11, 2013 at 1:06 PM, Gerry O'Brien <gerry at scss.tcd.ie> wrote:
>
>> Hi Carlos,
>>
>>      I appreciate the security issues. I'm just wondering why
>> /var/lib/one/datastores is not a safe directory by default given it is the
>> default location for datastores?
>>
> Oneadmin's home /var/lib/one is restricted by default, because it contains
> the one_auth file, the database one.db... And /var/lib/one/datastores must
> also be restricted, because a user should not be able to copy another
> registered image in there. I hope this makes sense.
>
> Cheers
> --
> Join us at OpenNebulaConf2013 <http://opennebulaconf.com/> in Berlin, 24-26
> September, 2013
> --
> Carlos Martín, MSc
> Project Engineer
> OpenNebula - The Open-source Solution for Data Center Virtualization
> www.OpenNebula.org <http://www.opennebula.org/> | cmartin at opennebula.org |
> @OpenNebula <http://twitter.com/opennebula> <cmartin at opennebula.org>
>
>
>
>>      Regards,
>>          Gerry
>>
>>
>>
>> On 11/09/2013 11:51, Carlos Martín Sánchez wrote:
>>
>>> Hi,
>>>
>>> Tue Sep 10 14:32:48 2013 [ImM][E]: cp: Not allowed to copy images from
>>> /var/lib/one/ /etc/one/ /var/lib/one/
>>>
>>> The dir /var/lib/one is a restricted dir, and OpenNebula won't allow you
>>> to
>>> copy images from there. Otherwise, you could copy the DB or other
>>> authentication files. That's why it works from /datastores.
>>>
>>> See [1] for more information.
>>>
>>> Best regards.
>>>
>>> [1]
>>> http://opennebula.org/documentation:rel4.2:fs_ds#configuring_the_filesystem_datastores
>>>
>>>
>>> --
>>> Join us at OpenNebulaConf2013 <http://opennebulaconf.com> in Berlin, 24-26
>>> September, 2013
>>> --
>>> Carlos Martín, MSc
>>> Project Engineer
>>> OpenNebula - The Open-source Solution for Data Center Virtualization
>>> www.OpenNebula.org | cmartin at opennebula.org |
>>> @OpenNebula <http://twitter.com/opennebula> <cmartin at opennebula.org>
>>>
>>>
>>> On Tue, Sep 10, 2013 at 4:59 PM, Gerry O'Brien <gerry at scss.tcd.ie> wrote:
>>>
>>>>   Hi,
>>>>       This seems to be a general issue not specific to QCOW2. For the
>>>> moment I've solved the issue by mounting the datastores (which are NFS
>>>> exports for a filestore) on the root partition at /datastores and created
>>>> a symlink from /var/lib/one/datastores to /datastores.
>>>>
>>>>        Is this correct?
>>>>
>>>>               Gerry
>>>>
>>>>
>>>> On 10/09/2013 14:38, Gerry O'Brien wrote:
>>>>
>>>>>   Hi,
>>>>>       I get the following error when trying to create an image from a
>>>>> QCOW2 file:    "Error copying image in the datastore: Not allowed to copy
>>>>> image file /var/lib/one/datastores/1/DELETEME.qcow2"
>>>>>
>>>>>       Below are the commands I use to create the QCOW2 file before trying
>>>>> to create the image named DELETEME using oneimage. The QCOW2 file has
>>>>> been created with a backing file.
>>>>>
>>>>>       This used to work in Opennebula 3. I have made sure the user
>>>>> oneadmin is also in the cloud group in case it is some kind of
>>>>> permissions file.
>>>>>
>>>>>       Any ideas?
>>>>>
>>>>>           Regards,
>>>>>               Gerry
>>>>>
>>>>>
>>>>>
>>>>> qemu-img create -f qcow2 -o backing_file=/var/lib/one/datastores/1/e1e1735dada84a7c6290001b9a244ebe /var/lib/one/datastores/1/DELETEME.qcow2
>>>>>
>>>>> qemu-img info /var/lib/one/datastores/1/DELETEME.qcow2
>>>>> image: /var/lib/one/datastores/1/DELETEME.qcow2
>>>>> file format: qcow2
>>>>> virtual size: 50G (53687091200 bytes)
>>>>> disk size: 12K
>>>>> cluster_size: 65536
>>>>> backing file: /var/lib/one/datastores/1/e1e1735dada84a7c6290001b9a244ebe
>>>>>
>>>>> ls -la /var/lib/one/datastores/1/DELETEME.qcow2
>>>>> -rw-r--r-- 1 oneadmin oneadmin 197632 Sep 10 13:27 /var/lib/one/datastores/1/DELETEME.qcow2
>>>>>
>>>>> oneimage create -d default --name DELETEME --path /var/lib/one/datastores/1/DELETEME.qcow2 --prefix hd --type OS --driver qcow2 --persistent
>>>>>
>>>>> Below is a similar error message when using the sunstone GUI
>>>>>
>>>>>
>>>>> Tue Sep 10 14:32:48 2013 [ImM][I]: Copying /var/lib/one/datastores/1/VlabC_1.qcow2 to repository for image 37
>>>>> Tue Sep 10 14:32:48 2013 [ReM][D]: Req:7232 UID:0 ImageAllocate result SUCCESS, 37
>>>>> Tue Sep 10 14:32:48 2013 [ReM][D]: Req:4064 UID:0 ImageInfo invoked, 37
>>>>> Tue Sep 10 14:32:48 2013 [ReM][D]: Req:4064 UID:0 ImageInfo result SUCCESS, "<IMAGE><ID>37</ID><U..."
>>>>> Tue Sep 10 14:32:48 2013 [ImM][I]: Command execution fail: /var/lib/one/remotes/datastore/fs/cp [base64-encoded driver action data omitted] 37
>>>>>
>>>>> Tue Sep 10 14:32:48 2013 [ImM][E]: cp: Not allowed to copy images from /var/lib/one/ /etc/one/ /var/lib/one/
>>>>> Tue Sep 10 14:32:48 2013 [ImM][E]: Not allowed to copy image file /var/lib/one/datastores/1/VlabC_1.qcow2
>>>>> Tue Sep 10 14:32:48 2013 [ImM][I]: ExitCode: 255
>>>>> Tue Sep 10 14:32:48 2013 [ImM][E]: Error copying image in the datastore: Not allowed to copy image file /var/lib/one/datastores/1/VlabC_1.qcow2
>>>>>
>>>> --
>>>> Gerry O'Brien
>>>>
>>>> Systems Manager
>>>> School of Computer Science and Statistics
>>>> Trinity College Dublin
>>>> Dublin 2
>>>> IRELAND
>>>>
>>>> 00 353 1 896 1341
>>>>
>>>> _______________________________________________
>>>> Users mailing list
>>>> Users at lists.opennebula.org
>>>> http://lists.opennebula.org/listinfo.cgi/users-opennebula.org
>>>>


-- 
Gerry O'Brien

Systems Manager
School of Computer Science and Statistics
Trinity College Dublin
Dublin 2
IRELAND

00 353 1 896 1341
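The restricted-directory rule Carlos describes (sources under /var/lib/one/ or /etc/one/ are refused unless a safe directory is configured), as an added example modelled on the thread rather than OpenNebula's own datastore cp driver: the check is run on the realpath of the source, so a symlink such as /var/lib/one/datastores -> /datastores is judged by where it points, and a symlink planted inside a datastore that points back at /var/lib/one/one_auth is still refused. Function names, the SAFE_DIRS/RESTRICTED_DIRS variables and the use of realpath are assumptions of this example.

```bash
#!/bin/bash
# Added example, not OpenNebula's cp driver. Models the rule from the thread:
# sources under RESTRICTED_DIRS are refused unless they fall under SAFE_DIRS.
# The comparison uses the canonical (realpath) location of the source, which
# is what prevents a symlink from bypassing the directory restriction.
# Variable and function names are hypothetical; values mirror the log line.

RESTRICTED_DIRS="/var/lib/one/ /etc/one/"
SAFE_DIRS=""

# under_dir DIR PATH : true when PATH equals DIR or lies beneath it.
# Whole path components are compared, so /var/lib/one does not match
# /var/lib/one-backup the way a plain string-prefix test would.
under_dir() {
    local dir="${1%/}" path="$2"
    [ "$path" = "$dir" ] || [ "${path#"$dir"/}" != "$path" ]
}

# copy_allowed SRC : returns 0 if the image at SRC may be copied into the
# datastore, 1 otherwise, and prints the reason for the decision.
copy_allowed() {
    local src="$1" real d
    if [ ! -e "$src" ]; then
        echo "DENY: $src does not exist"; return 1
    fi
    # Canonicalise first: symlinks are judged by their target, not their name.
    real=$(realpath -- "$src") || return 1
    for d in $SAFE_DIRS; do
        if under_dir "$d" "$real"; then
            echo "ALLOW: $real is under safe dir $d"; return 0
        fi
    done
    for d in $RESTRICTED_DIRS; do
        if under_dir "$d" "$real"; then
            echo "DENY: $src resolves to $real under restricted dir $d"; return 1
        fi
    done
    echo "ALLOW: $real"
    return 0
}

# Usage: copy_allowed /datastores/1/VlabC_1.qcow2
```

With the symlink layout from the thread, /var/lib/one/datastores/1/VlabC_1.qcow2 resolves outside the restricted tree and is allowed, while any path that resolves back under /var/lib/one is still denied.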



