damonb123 opened a new issue, #6867:
URL: https://github.com/apache/cloudstack/issues/6867
##### ISSUE TYPE
* Bug Report
##### COMPONENT NAME
component:api
##### CLOUDSTACK VERSION
~~~
4.17
4.18
~~~
##### OS / ENVIRONMENT
Ubuntu
Rocky Linux 8
##### SUMMARY
In the Java code, NFS mounts are not consistently set to 1777 to prevent
world-writable issues.
References to the correct setting:
```
./server/src/main/java/org/apache/cloudstack/storage/NfsMountManagerImpl.java:
script.add("1777", mountPoint);
./plugins/hypervisors/vmware/src/main/java/com/cloud/hypervisor/vmware/manager/VmwareManagerImpl.java:
script.add("1777", mountPoint);
```
#### Change 777 to 1777
#### ./services/secondary-storage/server/src/main/java/org/apache/cloudstack/storage/resource/LocalNfsSecondaryStorageResource.java
```java
    @Override
    protected void mount(String localRootPath, String remoteDevice, URI uri, String nfsVersion) {
        ensureLocalRootPathExists(localRootPath, uri);
        if (mountExists(localRootPath, uri)) {
            return;
        }
        attemptMount(localRootPath, remoteDevice, uri, nfsVersion);
        // Change permissions for the mountpoint - seems to bypass authentication
        Script script = new Script(true, "chmod", _timeout, s_logger);
        script.add("777", localRootPath);
        String result = script.execute();
        if (result != null) {
            String errMsg = "Unable to set permissions for " + localRootPath
                    + " due to " + result;
            s_logger.error(errMsg);
            throw new CloudRuntimeException(errMsg);
        }
        s_logger.debug("Successfully set 777 permission for " + localRootPath);
        // XXX: Adding the check for creation of snapshots dir here. Might have
        // to move it somewhere more logical later.
        checkForSnapshotsDir(localRootPath);
        checkForVolumesDir(localRootPath);
    }
```
#### ./plugins/hypervisors/hyperv/src/main/java/com/cloud/hypervisor/hyperv/manager/HypervManagerImpl.java
```java
    protected String mount(String path, String parent, String scheme, String query) {
        String mountPoint = setupMountPoint(parent);
        if (mountPoint == null) {
            s_logger.warn("Unable to create a mount point");
            return null;
        }
        Script script = null;
        String result = null;
        if (scheme.equals("cifs")) {
            String user = System.getProperty("user.name");
            Script command = new Script(true, "mount", _timeout, s_logger);
            command.add("-t", "cifs");
            command.add(path);
            command.add(mountPoint);
            if (user != null) {
                command.add("-o", "uid=" + user + ",gid=" + user);
            }
            if (query != null) {
                query = query.replace('&', ',');
                command.add("-o", query);
            }
            result = command.execute();
        }
        if (result != null) {
            s_logger.warn("Unable to mount " + path + " due to " + result);
            File file = new File(mountPoint);
            if (file.exists()) {
                file.delete();
            }
            return null;
        }
        // Change permissions for the mountpoint
        script = new Script(true, "chmod", _timeout, s_logger);
        script.add("-R", "777", mountPoint);
        result = script.execute();
        if (result != null) {
            s_logger.warn("Unable to set permissions for " + mountPoint + " due to " + result);
        }
        return mountPoint;
    }
```
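An audit check for the condition this issue describes, added here as an example and not taken from CloudStack: it lists directories that are world-writable without the sticky bit (777 rather than 1777) and applies 1777 to a single mount point. The function names and the temporary demo directories are constructed for illustration.

```shell
#!/bin/sh
# Added example, not CloudStack code. Function names are illustrative.

# List directories at or below ROOT that are world-writable (o+w) but lack the
# sticky bit, i.e. 777-style modes where any local user can delete or rename
# files owned by someone else. -xdev still evaluates a mount point itself but
# does not walk into the filesystem mounted on it.
list_unsticky_world_writable() {
    find "$1" -xdev -type d -perm -0002 ! -perm -1000 -print 2>/dev/null
}

# Apply the mode the issue asks for to one mount point (non-recursive):
# rwx for everyone plus the sticky bit, as /tmp is normally configured.
fix_mountpoint_mode() {
    chmod 1777 "$1"
}

# Demo on constructed directories standing in for mount points.
demo() {
    base=$(mktemp -d) || return 1
    mkdir "$base/secstorage_777" "$base/secstorage_1777" "$base/private_755"
    chmod 777  "$base/secstorage_777"    # the mode the issue flags
    chmod 1777 "$base/secstorage_1777"   # the mode the issue asks for
    chmod 755  "$base/private_755"       # not world-writable, never reported

    echo "flagged before fix:"
    list_unsticky_world_writable "$base"

    fix_mountpoint_mode "$base/secstorage_777"

    echo "flagged after fix:"
    list_unsticky_world_writable "$base"

    rm -rf "$base"
}

demo
```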