On Wed, Aug 08, 2012 at 12:33:57AM -0400, Eric Windisch wrote:
> > > What's the security vulnerability here? It's writing to something which
> > > might be a symlink to somewhere special, right?
>
> Mounting filesystems tends to be a source of vulnerabilities in and of
> itself. There are userspace tools as an alternative, but a standard OS
> mount is clearly not secure. While libguestfs is such a userspace
> alternative, and guestmount is in some ways safer than a standard mount, it
> is not used by Nova in a way that has any clear advantage to a standard
> mount as it runs as root.
>
> As this CVE indicates, injecting data into a mounted filesystem has its own
> problems, whether or not that filesystem is mounted directly in-kernel or
> via FUSE. There are also solutions here, some very complex, few if any are
> foolproof.
>
> The solution here may be to use libguestfs, which seems to be a modern
> alternative to mtools, but to use it as a non-privileged user and to forego
> any illusions of mounting the filesystem anywhere via the kernel or FUSE.
Yes, ideally Nova would use the libguestfs API directly to inject files and
stop using guestmount, at which point things are strongly confined, since
everything takes place inside a VM which can only see the guest FS. All files
from the host are "uploaded" into the guest FS using an RPC mechanism.

Even using the libguestfs API though, applications need to be somewhat
careful about what they do. The libguestfs manpage highlights important
security considerations:

  http://libguestfs.org/guestfs.3.html#security

Also note that current work is being done to make libguestfs use libvirt to
launch its appliance VMs, at which point libguestfs VMs will be strongly
confined by sVirt (SELinux/AppArmor), and also able to run as a separate
user ID.

Daniel
--
|: http://berrange.com      -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org       -o-             http://virt-manager.org :|
|: http://autobuild.org     -o-        http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o-       http://live.gnome.org/gtk-vnc :|
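The approach Daniel describes, as an added example that is not Nova's or libguestfs' own code: file injection through the libguestfs Python binding (the `guestfs` module), where the guest disk is only ever touched inside the libguestfs appliance VM and host files are uploaded into it over the library's RPC channel, with nothing mounted on the host via the kernel or FUSE. The image path, the `{guest_path: host_path}` mapping and the `qcow2` format are assumed inputs; the two pure helpers (destination path normalization and mounting `/` before `/boot`) are this example's own, not part of the libguestfs API.

```python
"""Inject files into a disk image via the libguestfs API, with no host-side mount.

Added example, not Nova's or libguestfs' own code.  Every write happens inside
the libguestfs appliance VM, which can only see the guest disk; host files are
uploaded into it over the libguestfs RPC channel.  Run as an unprivileged user
that owns the image file, not as root.
"""
import posixpath

try:
    import guestfs  # python-libguestfs binding; absent on hosts without libguestfs
except ImportError:  # keeps the pure helpers importable where libguestfs is missing
    guestfs = None


def normalize_guest_path(dest):
    """Return a normalized absolute guest path or raise ValueError.

    The guest namespace is separate from the host, but a caller-supplied
    destination still deserves a sanity check: it must be absolute, and
    posixpath.normpath collapses '..' and duplicate slashes within the root.
    """
    if not dest.startswith("/"):
        raise ValueError("guest destination must be absolute: %r" % (dest,))
    norm = posixpath.normpath(dest)
    if norm == "/":
        raise ValueError("guest destination must name a file, not '/'")
    return norm


def mount_order(mountpoints):
    """Order (mountpoint, device) pairs so '/' is mounted before '/boot'.

    Accepts either the list-of-pairs or the dict form that
    inspect_get_mountpoints() returns, depending on binding options.
    """
    pairs = list(mountpoints.items()) if isinstance(mountpoints, dict) else list(mountpoints)
    return sorted(pairs, key=lambda mp: len(mp[0]))


def inject_files(image_path, files, image_format="qcow2"):
    """Upload {guest_path: host_path} into the single OS found in image_path.

    Assumed inputs: image_path is a disk image owned by the calling user,
    files maps absolute guest destinations to readable host source files.
    """
    if guestfs is None:
        raise RuntimeError("python-libguestfs is not installed")
    targets = dict((normalize_guest_path(k), v) for k, v in files.items())

    g = guestfs.GuestFS()
    g.add_drive_opts(image_path, format=image_format, readonly=0)
    g.launch()  # boots the appliance VM; the host never mounts the image
    try:
        roots = g.inspect_os()
        if len(roots) != 1:
            raise RuntimeError("expected exactly one OS in image, found %d" % len(roots))
        for mountpoint, device in mount_order(g.inspect_get_mountpoints(roots[0])):
            g.mount(device, mountpoint)  # mounted inside the appliance only
        for guest_path, host_path in targets.items():
            g.mkdir_p(posixpath.dirname(guest_path))
            g.upload(host_path, guest_path)  # host file -> appliance -> guest FS
            g.chmod(0o600, guest_path)
    finally:
        g.umount_all()
        g.shutdown()
        g.close()
```

Symlinks inside the guest image are resolved by the appliance kernel against the guest filesystem alone, which is the confinement the thread is after; the remaining care the manpage asks for concerns what the application chooses to write and where, which is why the destination paths are normalized before use.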

