Public bug reported:

Description
===========
I created an instance of the configuration driver in iso9660 format, and then 
logged in to the instance. I found that the permissions of the files and 
directories injected through the configuration driver were all 555. For 
example, 
ec2/2009-04-04/meta-data.json
ec2/2009-04-04/user-data
ec2/latest/meta-data.json
ec2/latest/user-data
openstack/2012-08-10/meta_data.json
openstack/2012-08-10/user_data
openstack/content
openstack/content/0000
openstack/content/0001
openstack/latest/meta_data.json
openstack/latest/user_data
If the data injected by the user contains sensitive information such as 
passwords and secret keys, and the file and directory permissions are not set 
appropriately, sensitive information may be leaked and security attacks may 
occur.

Steps to reproduce
==================
step1: I set config_drive_format=iso9660
step2: I created a flavor and image
step3: nova boot --image my_image --flavor my --nic net-name=config_net my_vm --config-drive true
step4: I logged in to the instance to view file and directory permissions

Expected result
===============
I would like to be able to set different file permissions based on different 
file types to meet security regulations. For example, the configuration 
directory is 750, the configuration file is 640, and the program files and 
directories are 550, etc.

Actual result
=============
The permissions of the files and directories injected through the configuration 
driver were all 555.

Environment
===========
1. version: nova 20.1.1
2. hypervisor: Libvirt + KVM
3. storage type: LVM
4. networking: Neutron with Open vSwitch

** Affects: nova
     Importance: Undecided
         Status: New

** Summary changed:

- The file permissions injected into the virtual machine through Config Drive 
do not meet security requirements.
+ The file permissions injected into the virtual machine through Config Drive 
do not meet security regulations.

** Summary changed:

- The file permissions injected into the virtual machine through Config Drive 
do not meet security regulations.
+ The file permissions injected into the instance through Config Drive do not 
meet security regulations.

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/2083033

Title:
  The file permissions injected into the instance through Config Drive
  do not meet security regulations.

Status in OpenStack Compute (nova):
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/2083033/+subscriptions
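
A guest-side check for the condition this report describes, as an added example that is not part of the bug report or of nova: it walks a directory tree standing in for the mounted config drive and lists every entry whose mode grants more than the 750 (directory) / 640 (file) the reporter asks for. The function names and the sample tree are assumptions constructed for illustration.

```python
import os
import shutil
import stat
import tempfile

# Policy taken from the report's "Expected result": directories 750, files 640.
DIR_MODE, FILE_MODE = 0o750, 0o640

def audit_tree(root):
    """Return {relative_path: (mode, excess_bits)} for entries looser than policy."""
    findings = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            mode = stat.S_IMODE(st.st_mode)
            allowed = DIR_MODE if stat.S_ISDIR(st.st_mode) else FILE_MODE
            excess = mode & ~allowed  # permission bits granted beyond the policy
            if excess:
                findings[os.path.relpath(path, root)] = (mode, excess)
    return findings

def world_readable(findings):
    # Subset of findings that any local user in the guest can read.
    return sorted(p for p, (mode, _) in findings.items() if mode & stat.S_IROTH)

def build_sample_tree(root, mode=0o555):
    """Constructed sample: three paths named in the report, every entry set to 555."""
    for rel in ("openstack/latest/user_data", "openstack/latest/meta_data.json",
                "ec2/latest/user-data"):
        os.makedirs(os.path.join(root, os.path.dirname(rel)), exist_ok=True)
        with open(os.path.join(root, rel), "w") as fh:
            fh.write("constructed sample content\n")
    for dirpath, dirnames, filenames in os.walk(root, topdown=False):
        for name in filenames + dirnames:
            os.chmod(os.path.join(dirpath, name), mode)

def remove_sample_tree(root):
    """Make the read-only sample directories writable again, then delete the tree."""
    for dirpath, dirnames, _ in os.walk(root):
        for name in dirnames:
            os.chmod(os.path.join(dirpath, name), 0o700)
    shutil.rmtree(root)

if __name__ == "__main__":
    tmp = tempfile.mkdtemp()  # stand-in for the mounted config drive
    build_sample_tree(tmp)
    for rel, (mode, excess) in sorted(audit_tree(tmp).items()):
        print(f"{rel}: mode {mode:03o}, beyond policy {excess:03o}")
    remove_sample_tree(tmp)
```

Inside a real instance, pass the directory where the config drive is mounted to `audit_tree` instead of the sample tree.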

