OpenNebula

There is a SAFE_DIRS variable to list the directories that can be included in the PATH when creating an image. Is SAFE_DIRS not working for you?

I had no SAFE_DIRS variable in the CEPH datastore config. I have added SAFE_DIRS=/none in the datastore view of Sunstone, but I am still able to create an /etc/passwd-based DATABLOCK image in Sunstone as an ordinary user.

Reading the documentation further, RESTRICTED_DIRS=/ is probably what I want. Maybe it should be the default?

Anyway, I forgot an important thing: thanks very much for the fast reply!

Jan "Yenya" Kasprzak wrote:

I had no SAFE_DIRS variable in the CEPH datastore config. I have added SAFE_DIRS=/none in the datastore view of Sunstone, but I am still able to create an /etc/passwd-based DATABLOCK image in Sunstone as an ordinary user.

Reading the documentation further, RESTRICTED_DIRS=/ is probably what I want. Maybe it should be the default?

With RESTRICTED_DIRS=/ the image upload does not work, as Sunstone probably uploads them to /var/tmp/, and then copying to Ceph DS fails when it cannot access /var/tmp. Does it have a clean solution, for example a dedicated file-upload directory, which can then be marked as safe?

In NodeWeaver (that integrates OpenNebula) we have chosen the following approach:
- a dedicated /upload directory
- a Samba share that exposes that directory (so that you can upload large images in an efficient way)
- a small change in the sunstone frontend, so that the /upload/ path is prefixed in front of the path that is added by the user in the PATH field.

This prevents the user in adding other paths, or load images from unsafe places. We need to add a bit of safeguards as well (like escaping ..) but as an initial step works quite well.

To fix the upload problem you'll have to enable image imports from /var/tmp. Add to the datastore:

RESTRICTED_DIRS="/" 
SAFE_DIRS="/var/tmp" 

I think the configuration you mention should be the default. Anyway, it is more-or-less sufficient for deployments where there are no ordinary users on the oned/sunstone host. When it is not the case, ONe is full of insecure temporary file name security holes. For example, deployment scripts are created in /var/tmp/one by default. Maybe the default should be to use something like /var/lib/one/tmp, and set up the tmpwatch job to prune the old files periodically. In a similar way, there should be a separate directory to which Sunstone stores the file uploads, and (only) this directory should be in SAFE_DIRS by default.

What I want to say is that even though some hardening by configuration modifications is indeed possible, the secure configuration should be the default, not something a new ONe user has to discover.