cloudstack-issues mailing list archives

From "Daan Hoogland (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (CLOUDSTACK-6128) Clean up over-permissive filesystem grants in Cloudstack
Date Thu, 07 Aug 2014 09:28:12 GMT

    [ https://issues.apache.org/jira/browse/CLOUDSTACK-6128?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14089058#comment-14089058 ]

Daan Hoogland commented on CLOUDSTACK-6128:
-------------------------------------------

John, I saw mails so I think something has been done, still marking it for future due to no
activity in the ticket.

> Clean up over-permissive filesystem grants in Cloudstack
> --------------------------------------------------------
>
>                 Key: CLOUDSTACK-6128
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-6128
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public(Anyone can view this level - this is the default.) 
>            Reporter: John Kinsella
>              Labels: security
>             Fix For: Future
>
>
> It's not uncommon to find Java code and scripts in ACS that are over-permissive in their
> attempts to grant UNIX filesystem permissions. The following is an example from
> com.cloud.hypervisor.vmware.manager.VmwareManagerImpl.prepareSecondaryStorage:
>         script.add("-R", "777", mountPoint);
> We should understand and document the UNIX user, group, and filesystem ownership requirements.
> If we truly need wide-open filesystem permissions, that too should be documented.
> Also, the code should not be blindly attempting to change filesystem permissions and
> ignoring the result of the attempts. Code should first check to see if a change is necessary,
> then make the necessary change, and then inspect the results, not display an error that may
> or may not impact proper execution of the system.
> </soapbox> ;)



--
This message was sent by Atlassian JIRA
(v6.2#6252)
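
The check, change, inspect sequence asked for in the quoted issue, as an added example that is not part of the original message and not CloudStack code. The class and method names, the temporary directory standing in for the mount point, and the 0750 target mode are assumptions.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.Set;

// Hypothetical helper for illustration; not taken from CloudStack.
public class MountPointPermissions {

    /**
     * Brings 'path' to exactly 'wanted' and returns true only if a change was made.
     * Any failure is thrown to the caller instead of being logged and ignored.
     */
    static boolean ensure(Path path, Set<PosixFilePermission> wanted) throws IOException {
        // Refuse symlinks: the permission calls below would act on the link target.
        if (Files.isSymbolicLink(path)) {
            throw new IOException("refusing to change permissions through symlink: " + path);
        }
        // 1. Check: do nothing when the mode is already what is required.
        Set<PosixFilePermission> current = Files.getPosixFilePermissions(path);
        if (current.equals(wanted)) {
            return false;
        }
        // 2. Change: a failed chmod surfaces as an IOException, not an ignored exit code.
        Files.setPosixFilePermissions(path, wanted);

        // 3. Inspect: re-read the mode rather than assume the call took effect.
        Set<PosixFilePermission> after = Files.getPosixFilePermissions(path);
        if (!after.equals(wanted)) {
            throw new IOException("permissions on " + path + " are "
                    + PosixFilePermissions.toString(after) + ", expected "
                    + PosixFilePermissions.toString(wanted));
        }
        return true;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample: a temp directory stands in for the secondary storage mount point.
        Path mountPoint = Files.createTempDirectory("mountpoint-demo");
        // Assumed requirement (0750); the real value depends on the documented user and group.
        Set<PosixFilePermission> wanted = PosixFilePermissions.fromString("rwxr-x---");
        System.out.println("first call changed:  " + ensure(mountPoint, wanted));
        System.out.println("second call changed: " + ensure(mountPoint, wanted));
        Files.delete(mountPoint);
    }
}
```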