[ https://issues.apache.org/jira/browse/CLOUDSTACK-6128?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14089058#comment-14089058 ]
Daan Hoogland commented on CLOUDSTACK-6128:
-------------------------------------------

John, I saw mails so I think something has been done, still marking it for future due to no activity in the ticket

> Clean up over-permissive filesystem grants in Cloudstack
> --------------------------------------------------------
>
> Key: CLOUDSTACK-6128
> URL: https://issues.apache.org/jira/browse/CLOUDSTACK-6128
> Project: CloudStack
> Issue Type: Bug
> Security Level: Public(Anyone can view this level - this is the default.)
> Reporter: John Kinsella
> Labels: security
> Fix For: Future
>
>
> It's not uncommon to find Java code and scripts in ACS that are
> over-permissive in their attempts to grant UNIX filesystem permissions. The
> following is an example from
> com.cloud.hypervisor.vmware.manager.VmwareManagerImpl.prepareSecondaryStorage:
>
>     script.add("-R", "777", mountPoint);
>
> We should understand and document the UNIX user, group, and filesystem
> ownership requirements. If we truly need wide-open filesystem permissions,
> that too should be documented.
>
> Also, the code should not be blindly attempting to change filesystem
> permissions and ignoring the result of the attempts. Code should first check
> to see if a change is necessary, then make the necessary change, and then
> inspect the results, not display an error that may or may not impact proper
> execution of the system.
>
> </soapbox> ;)

--
This message was sent by Atlassian JIRA (v6.2#6252)