Date: Mon, 17 Feb 2014 17:00:22 +0000 (UTC)
From: "John Kinsella (JIRA)"
To: cloudstack-issues@incubator.apache.org
Subject: [jira] [Created] (CLOUDSTACK-6128) Clean up over-permissive filesystem grants in Cloudstack

John Kinsella created CLOUDSTACK-6128:
-----------------------------------------

Summary: Clean up over-permissive filesystem grants in Cloudstack
Key: CLOUDSTACK-6128
URL: https://issues.apache.org/jira/browse/CLOUDSTACK-6128
Project: CloudStack
Issue Type: Bug
Security Level: Public (Anyone can view this level - this is the default.)
Reporter: John Kinsella
Fix For: 4.4.0

It's not uncommon to find Java code and scripts in ACS that are over-permissive in their attempts to grant UNIX filesystem permissions. The following is an example from com.cloud.hypervisor.vmware.manager.VmwareManagerImpl.prepareSecondaryStorage:

    script.add("-R", "777", mountPoint);

We should understand and document the UNIX user, group, and filesystem ownership requirements. If we truly need wide-open filesystem permissions, that too should be documented.

Also, the code should not be blindly attempting to change filesystem permissions and ignoring the result of the attempts. Code should first check to see if a change is necessary, then make the necessary change, and then inspect the results, not display an error that may or may not impact proper execution of the system. ;)

--
This message was sent by Atlassian JIRA (v6.1.5#6160)
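
One way to follow the check, change, inspect sequence the report asks for, shown as an added Java example that is not CloudStack code and not part of the original message. It extends the single mount point to the recursive case, and the class name, method names and target modes are assumptions chosen for illustration.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.Set;
import java.util.stream.Stream;

public class EnsureMode {
    // Placeholder modes (assumption): the real values must come from the
    // documented user/group/ownership requirements the issue asks for.
    static final Set<PosixFilePermission> DIR_MODE = PosixFilePermissions.fromString("rwxr-x---");
    static final Set<PosixFilePermission> FILE_MODE = PosixFilePermissions.fromString("rw-r-----");

    /** Check, change, verify for one path; returns true only if a change was made. */
    static boolean ensureMode(Path p, Set<PosixFilePermission> wanted) throws IOException {
        if (Files.getPosixFilePermissions(p).equals(wanted)) {
            return false;                              // 1. check: nothing to do
        }
        Files.setPosixFilePermissions(p, wanted);      // 2. change: throws if not permitted
        Set<PosixFilePermission> actual = Files.getPosixFilePermissions(p);
        if (!actual.equals(wanted)) {                  // 3. inspect: catches a filesystem that
            throw new IOException(p + ": expected "    //    accepts the call but does not apply it
                    + PosixFilePermissions.toString(wanted) + " but found "
                    + PosixFilePermissions.toString(actual));
        }
        return true;
    }

    /** Recursive variant; symlinks are skipped so a link target is never modified. */
    static int ensureTree(Path root) throws IOException {
        int changed = 0;
        try (Stream<Path> walk = Files.walk(root)) {   // does not follow symlinks by default
            for (Path p : (Iterable<Path>) walk::iterator) {
                if (Files.isSymbolicLink(p)) continue;
                if (ensureMode(p, Files.isDirectory(p) ? DIR_MODE : FILE_MODE)) changed++;
            }
        }
        return changed;
    }

    public static void main(String[] args) throws IOException {
        // Constructed demo tree standing in for a mount point, created wide open.
        Path root = Files.createTempDirectory("mountpoint-demo");
        Path file = Files.createFile(root.resolve("template.ova"));
        Files.setPosixFilePermissions(root, PosixFilePermissions.fromString("rwxrwxrwx"));
        Files.setPosixFilePermissions(file, PosixFilePermissions.fromString("rwxrwxrwx"));
        System.out.println("first pass changed:  " + ensureTree(root));
        System.out.println("second pass changed: " + ensureTree(root));
    }
}
```

A failure surfaces as an exception naming the path and the mode actually found, so the caller decides whether it is fatal instead of logging an error of unknown impact.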