cloudstack-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "John Kinsella (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (CLOUDSTACK-6128) Clean up over-permissive filesystem grants in Cloudstack
Date Thu, 20 Feb 2014 04:03:19 GMT

    [ https://issues.apache.org/jira/browse/CLOUDSTACK-6128?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13906582#comment-13906582
] 

John Kinsella commented on CLOUDSTACK-6128:
-------------------------------------------

Just noticed snapshots and volumes directories on secondary storage are also 777. Making a
note here in case it's not spotted in the code.


> Clean up over-permissive filesystem grants in Cloudstack
> --------------------------------------------------------
>
>                 Key: CLOUDSTACK-6128
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-6128
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public(Anyone can view this level - this is the default.) 
>            Reporter: John Kinsella
>              Labels: security
>             Fix For: 4.4.0
>
>
> It's not uncommon to find Java code and scripts in ACS that are over-permissive in their
attempts to grant UNIX filesystem permissions. The following is an example from com.cloud.hypervisor.vmware.manager.VmwareManagerImpl.prepareSecondaryStorage:
>         script.add("-R", "777", mountPoint);
> We should understand and document the UNIX user, group, and filesystem ownership requirements.
If we truely need wide-open filesystem permissions, that too should be documented.
> Also, the code should not be blindly attempting to change filesystem permissions and
ignoring the result of the attempts. Code should first check to see if a change is necessary,
then make the necessary change, and then inspect the results, not display an error that may
or may not impact proper execution of the system.
> </soapbox> ;)



--
This message was sent by Atlassian JIRA
(v6.1.5#6160)

Mime
View raw message