Request #3498
Restrict RAW content
| Status: | Pending | Start date: | 01/14/2015 |
|---|---|---|---|
| Priority: | Normal | Due date: | |
| Assignee: | - | % Done: | 0% |
| Category: | - | | |
| Target version: | - | | |
| Pull request: | | | |
Description
Hello,
We use a virtfs for our test beds for communications between a jenkins and VMs.
I test with the following RAW:
    RAW=[TYPE="kvm",DATA="
      <devices>
        <filesystem type='mount' accessmode='squash'>
          <source dir='/' />
          <target dir='root' />
        </filesystem>
      </devices>
    "]
Then I can mount this virtfs in my VM and access the root of my hypervisor as user oneadmin:
    root@ubuntu:~# mount -t 9p -o trans=virtio root /mnt/ -oversion=9p2000.L
    root@ubuntu:~# cat /mnt/etc/hostname
    nebula1
    root@ubuntu:~# cat: /mnt/etc/shadow: Permission denied
    root@ubuntu:~# touch /mnt/var/lib/one/datastores/foo
    root@ubuntu:~# rm /mnt/var/lib/one/datastores/foo
So, I can run rm -rf /mnt/var/lib/one/datastores/ and destroy my infrastructure.
Is there a way to restrict the content of RAW?
History
#1 Updated by Carlos Martín over 6 years ago
Hi,
The contents cannot be restricted, but you can make RAW a restricted attribute, available only to administrators:
http://docs.opennebula.org/4.10/administration/references/oned_conf.html#restricted-attributes-configuration
As a matter of fact, I think we should make it one of the default restricted attributes.
Is this enough for your use case?
#2 Updated by EOLE Team over 6 years ago
Carlos Martín wrote:
The contents cannot be restricted, but you can make RAW a restricted attribute, available only to administrators:
http://docs.opennebula.org/4.10/administration/references/oned_conf.html#restricted-attributes-configuration
As a matter of fact, I think we should make it one of the default restricted attributes.
Is this enough for your use case?
Unfortunately not, normal users run templates with a RAW section:
- to make “privative OS” work
- to access a virtfs under a dedicated directory
I thought about restricting the creation of templates with RAW to admin users, but normal users must be able to run them.
#3 Updated by EOLE Team over 6 years ago
EOLE Team wrote:
Unfortunately not, normal users run templates with a RAW section:
- to make “privative OS” work
- to access a virtfs under a dedicated directory
I thought about restricting the creation of templates with RAW to admin users, but normal users must be able to run them.
My mistake:
If the VM template has been created by admins in the “oneadmin” group, then users outside the “oneadmin” group can instantiate these templates.
Requiring oneadmin membership is a bit limiting for us, I do not want to give oneadmin to the user responsible for creating templates :-/
#4 Updated by Stefan Kooman over 4 years ago
VM_RESTRICTED_ATTR = "RAW" is not enabled by default in oned.conf, and not even listed there. I would strongly opt to enable this by default, as it is the biggest security hole in ONE. Every user with "TEMPLATE:CREATE" or "TEMPLATE:MANAGE" permissions will have the possibility to pass hypervisor disks to guest VMs, obtain /etc/shadow, ssh pub / private keys of oneadmin, inflict a Denial of service. When the ONE frontend is a VM on the same infrastructure the whole cloud infra can be powned ...
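Added example, not part of the thread and not OpenNebula code: because oned cannot restrict what RAW contains, a site that lets trusted staff publish templates can lint the RAW section itself before a template is made available to users. This Python check covers only the virtfs case reported above and flags `<filesystem>` devices whose source directory lies outside an allowed root; `ALLOWED_ROOTS`, the path `/srv/virtfs` and the function names are assumptions.

```python
import posixpath
import re
import xml.etree.ElementTree as ET

# Assumption: the only host directory users may share over virtfs.
ALLOWED_ROOTS = ("/srv/virtfs",)

# DATA="..." inside RAW=[...]; allows backslash-escaped quotes in the value.
DATA_RE = re.compile(r'RAW\s*=\s*\[.*?DATA\s*=\s*"((?:[^"\\]|\\.)*)"', re.S)


def under_allowed_root(path):
    """Lexical check only: symlinks must be resolved on the hypervisor."""
    if not path.startswith("/"):
        return False
    norm = posixpath.normpath(path)  # collapses "..", so traversal is caught
    return any(norm == r or norm.startswith(r + "/") for r in ALLOWED_ROOTS)


def audit_raw(template):
    """Return a list of findings for the RAW section of a VM template."""
    findings = []
    for data in DATA_RE.findall(template):
        doc = data.replace('\\"', '"')
        if "<!DOCTYPE" in doc or "<!ENTITY" in doc:
            findings.append("RAW DATA declares a DTD or entity: rejected")
            continue
        try:
            # RAW may hold several top-level elements, so wrap them.
            root = ET.fromstring("<raw>" + doc + "</raw>")
        except ET.ParseError as exc:
            findings.append("RAW DATA is not well-formed XML: %s" % exc)
            continue
        for fs in root.iter("filesystem"):
            src = fs.find("source")
            path = src.get("dir") if src is not None else None
            if path is None or not under_allowed_root(path):
                findings.append("filesystem source %r is outside %s"
                                % (path, ", ".join(ALLOWED_ROOTS)))
    return findings


# Constructed samples: the template from the report and a confined variant.
REPORTED = """RAW=[TYPE="kvm",DATA=" <devices> <filesystem type='mount' accessmode='squash'> <source dir='/' /> <target dir='root' /> </filesystem> </devices> "]"""
CONFINED = REPORTED.replace("dir='/'", "dir='/srv/virtfs/jenkins'")

if __name__ == "__main__":
    for name, tpl in (("reported", REPORTED), ("confined", CONFINED)):
        print(name, audit_raw(tpl) or "ok")
```

The check fails closed: malformed XML, a DTD, or a `<filesystem>` without a `dir` source is reported rather than skipped.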