Request #3498

Restrict RAW content

Added by EOLE Team over 6 years ago. Updated over 4 years ago.

Status: Pending
Start date: 01/14/2015
Priority: Normal
Due date:
Assignee: -
% Done: 0%
Category: -
Target version: -
Pull request:

Description

Hello,

We use a virtfs for our test beds for communications between a Jenkins and VMs.

I test with the following RAW:

RAW=[TYPE="kvm",DATA=" 
    <devices>
        <filesystem type='mount' accessmode='squash'>
            <source dir='/' />
            <target dir='root' />
        </filesystem>
    </devices>
"]

Then I can mount this virtfs in my VM and access the root of my hypervisor as user oneadmin:

root@ubuntu:~# mount -t 9p -o trans=virtio root /mnt/ -oversion=9p2000.L
root@ubuntu:~# cat /mnt/etc/hostname 
nebula1
root@ubuntu:~# cat /mnt/etc/shadow
cat: /mnt/etc/shadow: Permission denied
root@ubuntu:~# touch /mnt/var/lib/one/datastores/foo
root@ubuntu:~# rm /mnt/var/lib/one/datastores/foo

So, I can run rm -rf /mnt/var/lib/one/datastores/ and destroy my infrastructure.

Is there a way to restrict the content of RAW?

History

#1 Updated by Carlos Martín over 6 years ago

Hi,

The contents cannot be restricted, but you can make RAW a restricted attribute, available only to administrators:
http://docs.opennebula.org/4.10/administration/references/oned_conf.html#restricted-attributes-configuration

As a matter of fact, I think we should make it one of the default restricted attributes.

Is this enough for your use case?

#2 Updated by EOLE Team over 6 years ago

Carlos Martín wrote:

> The contents cannot be restricted, but you can make RAW a restricted attribute, available only to administrators:
> http://docs.opennebula.org/4.10/administration/references/oned_conf.html#restricted-attributes-configuration
>
> As a matter of fact, I think we should make it one of the default restricted attributes.
>
> Is this enough for your use case?

Unfortunately not, normal users run templates with RAW section:

  • to make “privative OS” work
  • to access a virtfs under a dedicated directory

I thought about restricting the creation of templates with RAW to admin users, but normal users must be able to run them.

#3 Updated by EOLE Team over 6 years ago

EOLE Team wrote:

> Unfortunately not, normal users run templates with RAW section:
>
>   • to make “privative OS” work
>   • to access a virtfs under a dedicated directory
>
> I thought about restricting the creation of templates with RAW to admin users, but normal users must be able to run them.

My mistake:

If the VM template has been created by admins in the 'oneadmin' group, then users outside the 'oneadmin' group can instantiate these templates.

Requiring oneadmin membership is a bit limiting for us; I do not want to give oneadmin to the user responsible for creating templates :-/

#4 Updated by Stefan Kooman over 4 years ago

VM_RESTRICTED_ATTR = "RAW" is not enabled by default in oned.conf, and not even listed there. I would strongly opt to enable this by default, as it is the biggest security hole in ONE. Every user with "TEMPLATE:CREATE" or "TEMPLATE:MANAGE" permissions will have the possibility to pass hypervisor disks to guest VMs, obtain /etc/shadow, ssh pub / private keys of oneadmin, and inflict a Denial of service. When the ONE frontend is a VM on the same infrastructure, the whole cloud infra can be powned ...
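
Where RAW cannot simply be made a restricted attribute, the DATA fragment of a template can at least be audited before the template is made available to users. The following is an added example, not part of this thread or of OpenNebula's code; the allowed base directory `/srv/virtfs` and the function names are assumptions. It flags virtfs sources outside a dedicated directory and any disk source defined in RAW, and treats unparseable fragments as findings.

```python
import posixpath
import xml.etree.ElementTree as ET

# Assumption: the only host directory guests may reach over virtfs.
ALLOWED_VIRTFS_BASE = "/srv/virtfs"

def is_under(path, base):
    """True if the normalized absolute path is base itself or below it."""
    if not path or not path.startswith("/"):
        return False
    norm = posixpath.normpath(path)  # collapses '..'; does not resolve symlinks
    return norm == base or norm.startswith(base.rstrip("/") + "/")

def audit_raw_data(data, base=ALLOWED_VIRTFS_BASE):
    """Return a list of findings for one RAW DATA libvirt XML fragment."""
    try:
        # DATA is a fragment and may hold several top-level elements.
        root = ET.fromstring("<raw>" + data + "</raw>")
    except ET.ParseError as exc:
        return ["unparseable RAW DATA: %s" % exc]
    findings = []
    for fs in root.iter("filesystem"):
        src = fs.find("source")
        src_dir = src.get("dir") if src is not None else None
        if not is_under(src_dir, base):
            findings.append("filesystem source dir %r is outside %s" % (src_dir, base))
    for disk in root.iter("disk"):
        src = disk.find("source")
        if src is not None:
            findings.append("disk source %r defined in RAW" % dict(src.attrib))
    return findings

# REPORTED is the fragment from the description; the variants are constructed.
REPORTED = """
    <devices>
        <filesystem type='mount' accessmode='squash'>
            <source dir='/' />
            <target dir='root' />
        </filesystem>
    </devices>
"""
CONFINED = REPORTED.replace("dir='/'", "dir='/srv/virtfs/jenkins'")
TRAVERSAL = REPORTED.replace("dir='/'", "dir='/srv/virtfs/../../etc'")

if __name__ == "__main__":
    for name, data in (("reported", REPORTED), ("confined", CONFINED), ("traversal", TRAVERSAL)):
        print(name, audit_raw_data(data) or "ok")
```

The path check is lexical only, so a symlink inside the allowed directory still has to be ruled out on the hypervisor itself.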
