[
https://issues.apache.org/jira/browse/CLOUDSTACK-6128?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13906582#comment-13906582
]
John Kinsella commented on CLOUDSTACK-6128:
-------------------------------------------
Just noticed snapshots and volumes directories on secondary storage are also
777. Making a note here in case it's not spotted in the code.
> Clean up over-permissive filesystem grants in Cloudstack
> --------------------------------------------------------
>
> Key: CLOUDSTACK-6128
> URL: https://issues.apache.org/jira/browse/CLOUDSTACK-6128
> Project: CloudStack
> Issue Type: Bug
> Security Level: Public(Anyone can view this level - this is the
> default.)
> Reporter: John Kinsella
> Labels: security
> Fix For: 4.4.0
>
>
> It's not uncommon to find Java code and scripts in ACS that are
> over-permissive in their attempts to grant UNIX filesystem permissions. The
> following is an example from
> com.cloud.hypervisor.vmware.manager.VmwareManagerImpl.prepareSecondaryStorage:
> script.add("-R", "777", mountPoint);
> We should understand and document the UNIX user, group, and filesystem
> ownership requirements. If we truely need wide-open filesystem permissions,
> that too should be documented.
> Also, the code should not be blindly attempting to change filesystem
> permissions and ignoring the result of the attempts. Code should first check
> to see if a change is necessary, then make the necessary change, and then
> inspect the results, not display an error that may or may not impact proper
> execution of the system.
> </soapbox> ;)
--
This message was sent by Atlassian JIRA
(v6.1.5#6160)
