cloudstack-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "John Kinsella (JIRA)" <>
Subject [jira] [Commented] (CLOUDSTACK-6128) Clean up over-permissive filesystem grants in Cloudstack
Date Thu, 20 Feb 2014 04:03:19 GMT


John Kinsella commented on CLOUDSTACK-6128:

Just noticed snapshots and volumes directories on secondary storage are also 777. Making a
note here in case it's not spotted in the code.

> Clean up over-permissive filesystem grants in Cloudstack
> --------------------------------------------------------
>                 Key: CLOUDSTACK-6128
>                 URL:
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public(Anyone can view this level - this is the default.) 
>            Reporter: John Kinsella
>              Labels: security
>             Fix For: 4.4.0
> It's not uncommon to find Java code and scripts in ACS that are over-permissive in their
attempts to grant UNIX filesystem permissions. The following is an example from
>         script.add("-R", "777", mountPoint);
> We should understand and document the UNIX user, group, and filesystem ownership requirements.
If we truely need wide-open filesystem permissions, that too should be documented.
> Also, the code should not be blindly attempting to change filesystem permissions and
ignoring the result of the attempts. Code should first check to see if a change is necessary,
then make the necessary change, and then inspect the results, not display an error that may
or may not impact proper execution of the system.
> </soapbox> ;)

This message was sent by Atlassian JIRA

View raw message