Well, yes. If I register a new image with the path /datastores/0/<vmid>/deployment.0 I could get your vnc password, for example. Or if I point it to the context cdrom image, I could get some variables that may contain important information. And, of course, I could copy one of your images or running VM disks.
Cheers
--
Join us at OpenNebulaConf2013 <http://opennebulaconf.com> in Berlin, 24-26 September, 2013
--
Carlos Martín, MSc
Project Engineer
OpenNebula - The Open-source Solution for Data Center Virtualization
www.OpenNebula.org | cmar...@opennebula.org | @OpenNebula <http://twitter.com/opennebula>

On Wed, Sep 11, 2013 at 2:05 PM, Gerry O'Brien <ge...@scss.tcd.ie> wrote:
> Hi,
>
> By using /datastores instead of /var/lib/one/datastores, have I opened
> a security hole?
>
> On 11/09/2013 12:51, Carlos Martín Sánchez wrote:
>> Hi,
>>
>> On Wed, Sep 11, 2013 at 1:06 PM, Gerry O'Brien <ge...@scss.tcd.ie> wrote:
>>> Hi Carlos,
>>>
>>> I appreciate the security issues. I'm just wondering why
>>> /var/lib/one/datastores is not a safe directory by default given it is
>>> the default location for datastores?
>>
>> Oneadmin's home /var/lib/one is restricted by default, because it contains
>> the one_auth file, the database one.db... And /var/lib/one/datastores must
>> also be restricted, because a user should not be able to copy another
>> registered image in there. I hope this makes sense.
>>
>> Cheers
>>
>>> Regards,
>>> Gerry
>>>
>>> On 11/09/2013 11:51, Carlos Martín Sánchez wrote:
>>>> Hi,
>>>>
>>>>> Tue Sep 10 14:32:48 2013 [ImM][E]: cp: Not allowed to copy images from
>>>>> /var/lib/one/ /etc/one/ /var/lib/one/
>>>>
>>>> The dir /var/lib/one is a restricted dir, and OpenNebula won't allow you
>>>> to copy images from there. Otherwise, you could copy the DB or other
>>>> authentication files. That's why it works from /datastores.
>>>>
>>>> See [1] for more information.
>>>>
>>>> Best regards.
>>>>
>>>> [1] http://opennebula.org/documentation:rel4.2:fs_ds#configuring_the_filesystem_datastores
>>>>
>>>> On Tue, Sep 10, 2013 at 4:59 PM, Gerry O'Brien <ge...@scss.tcd.ie> wrote:
>>>>> Hi,
>>>>>
>>>>> This seems to be a general issue not specific to QCOW2. For the moment
>>>>> I've solved the issue by mounting the datastores (which are NFS exports
>>>>> for a filestore) on the root partition at /datastores and created a
>>>>> symlink from /var/lib/one/datastores to /datastores.
>>>>>
>>>>> Is this correct?
>>>>>
>>>>> Gerry
>>>>>
>>>>> On 10/09/2013 14:38, Gerry O'Brien wrote:
>>>>>> Hi,
>>>>>>
>>>>>> I get the following error when trying to create an image from a QCOW2
>>>>>> file: "Error copying image in the datastore: Not allowed to copy image
>>>>>> file /var/lib/one/datastores/1/DELETEME.qcow2"
>>>>>>
>>>>>> Below are the commands I use to create the QCOW2 file before trying
>>>>>> to create the image named DELETEME using oneimage. The QCOW2 file has
>>>>>> been created with a backing file.
>>>>>>
>>>>>> This used to work in OpenNebula 3. I have made sure the user oneadmin
>>>>>> is also in the cloud group in case it is some kind of permissions file.
>>>>>>
>>>>>> Any ideas?
>>>>>>
>>>>>> Regards,
>>>>>> Gerry
>>>>>>
>>>>>> qemu-img create -f qcow2 -o backing_file=/var/lib/one/datastores/1/e1e1735dada84a7c6290001b9a244ebe /var/lib/one/datastores/1/DELETEME.qcow2
>>>>>>
>>>>>> qemu-img info /var/lib/one/datastores/1/DELETEME.qcow2
>>>>>> image: /var/lib/one/datastores/1/DELETEME.qcow2
>>>>>> file format: qcow2
>>>>>> virtual size: 50G (53687091200 bytes)
>>>>>> disk size: 12K
>>>>>> cluster_size: 65536
>>>>>> backing file: /var/lib/one/datastores/1/e1e1735dada84a7c6290001b9a244ebe
>>>>>>
>>>>>> ls -la /var/lib/one/datastores/1/DELETEME.qcow2
>>>>>> -rw-r--r-- 1 oneadmin oneadmin 197632 Sep 10 13:27 /var/lib/one/datastores/1/DELETEME.qcow2
>>>>>>
>>>>>> oneimage create -d default --name DELETEME --path /var/lib/one/datastores/1/DELETEME.qcow2 --prefix hd --type OS --driver qcow2 --persistent
>>>>>>
>>>>>> Below is a similar error message when using the sunstone GUI
>>>>>>
>>>>>> Tue Sep 10 14:32:48 2013 [ImM][I]: Copying /var/lib/one/datastores/1/VlabC_1.qcow2 to repository for image 37
>>>>>> Tue Sep 10 14:32:48 2013 [ReM][D]: Req:7232 UID:0 ImageAllocate result SUCCESS, 37
>>>>>> Tue Sep 10 14:32:48 2013 [ReM][D]: Req:4064 UID:0 ImageInfo invoked, 37
>>>>>> Tue Sep 10 14:32:48 2013 [ReM][D]: Req:4064 UID:0 ImageInfo result SUCCESS, "<IMAGE><ID>37</ID><U..."
>>>>>> Tue Sep 10 14:32:48 2013 [ImM][I]: Command execution fail: /var/lib/one/remotes/datastore/fs/cp PERTX0RSSVZFUl9BQ1RJT05fREFUQT48SU1BR0U+PElEPjM3PC9JRD48VUlEPjA8L1VJRD48R0lEPjA8L0dJRD48VU5BTUU+b25lYWRtaW48L1VOQU1FPjxHTkFNRT5vbmVhZG1pbjwvR05BTUU+PE5BTUU+UUNPVzItRXhhbXBsZTwvTkFNRT48UEVSTUlTU0lPTlM+PE9XTkVSX1U+MTwvT1dORVJfVT48T1dORVJfTT4xPC9PV05FUl9NPjxPV05FUl9BPjA8L09XTkVSX0E+PEdST1VQX1U+MDwvR1JPVVBfVT48R1JPVVBfTT4wPC9HUk9VUF9NPjxHUk9VUF9BPjA8L0dST1VQX0E+PE9USEVSX1U+MDwvT1RIRVJfVT48T1RIRVJfTT4wPC9PVEhFUl9NPjxPVEhFUl9BPjA8L09USEVSX0E+PC9QRVJNSVNTSU9OUz48VFlQRT4yPC9UWVBFPjxESVNLX1RZUEU+MDwvRElTS19UWVBFPjxQRVJTSVNURU5UPjE8L1BFUlNJU1RFTlQ+PFJFR1RJTUU+MTM3ODgxOTk2ODwvUkVHVElNRT48U09VUkNFPjwvU09VUkNFPjxQQVRIPi92YXIvbGliL29uZS9kYXRhc3RvcmVzLzEvVmxhYkNfMS5xY293MjwvUEFUSD48RlNUWVBFPjwvRlNUWVBFPjxTSVpFPjE8L1NJWkU+PFNUQVRFPjQ8L1NUQVRFPjxSVU5OSU5HX1ZNUz4wPC9SVU5OSU5HX1ZNUz48Q0xPTklOR19PUFM+MDwvQ0xPTklOR19PUFM+PENMT05JTkdfSUQ+LTE8L0NMT05JTkdfSUQ+PERBVEFTVE9SRV9JRD4xPC9EQVRBU1RPUkVfSUQ+PERBVEFTVE9SRT5kZWZhdWx0PC9EQVRBU1RPUkU+PFZNUz48L1ZNUz48Q0xPTkVTPjwvQ0xPTkVTPjxURU1QTEFURT48REVWX1BSRUZJWD48IVtDREFUQVtoZF1dPjwvREVWX1BSRUZJWD48RFJJVkVSPjwhW0NEQVRBW3Fjb3cyXV0+PC9EUklWRVI+PC9URU1QTEFURT48L0lNQUdFPjxEQVRBU1RPUkU+PElEPjE8L0lEPjxVSUQ+MDwvVUlEPjxHSUQ+MDwvR0lEPjxVTkFNRT5vbmVhZG1pbjwvVU5BTUU+PEdOQU1FPm9uZWFkbWluPC9HTkFNRT48TkFNRT5kZWZhdWx0PC9OQU1FPjxQRVJNSVNTSU9OUz48T1dORVJfVT4xPC9PV05FUl9VPjxPV05FUl9NPjE8L09XTkVSX00+PE9XTkVSX0E+MDwvT1dORVJfQT48R1JPVVBfVT4xPC9HUk9VUF9VPjxHUk9VUF9NPjA8L0dST1VQX00+PEdST1VQX0E+MDwvR1JPVVBfQT48T1RIRVJfVT4xPC9PVEhFUl9VPjxPVEhFUl9NPjA8L09USEVSX00+PE9USEVSX0E+MDwvT1RIRVJfQT48L1BFUk1JU1NJT05TPjxEU19NQUQ+ZnM8L0RTX01BRD48VE1fTUFEPnNoYXJlZDwvVE1fTUFEPjxCQVNFX1BBVEg+L3Zhci9saWIvb25lL2RhdGFzdG9yZXMvMTwvQkFTRV9QQVRIPjxUWVBFPjA8L1RZUEU+PERJU0tfVFlQRT4wPC9ESVNLX1RZUEU+PENMVVNURVJfSUQ+LTE8L0NMVVNURVJfSUQ+PENMVVNURVI+PC9DTFVTVEVSPjxUT1RBTF9NQj4yMjQwNzIzNjwvVE9UQUxfTUI+PEZSRUVfTUI+MjIzNjQ1MzI8L0ZSRUVfTUI+PFVTRURfTUI+NDI3MDc8L1VTRURfTUI+PElNQUdFUz48SUQ+MDwvSUQ+PElEPjE8L0lEPjxJRD4yPC9JRD48SUQ+MzwvSUQ+PElEPjQ8L0lEPjxJRD4xNjwvSUQ+PElEPjIwPC9JRD48L0lNQUdFUz48VEVNUExBVEU+PERTX01BRD48IVtDREFUQVtmc11dPjwvRFNfTUFEPjxUTV9NQUQ+PCFbQ0RBVEFbc2hhcmVkXV0+PC9UTV9NQUQ+PFRZUEU+PCFbQ0RBVEFbSU1BR0VfRFNdXT48L1RZUEU+PC9URU1QTEFURT48L0RBVEFTVE9SRT48L0RTX0RSSVZFUl9BQ1RJT05fREFUQT4= 37
>>>>>> Tue Sep 10 14:32:48 2013 [ImM][E]: cp: Not allowed to copy images from /var/lib/one/ /etc/one/ /var/lib/one/
>>>>>> Tue Sep 10 14:32:48 2013 [ImM][E]: Not allowed to copy image file /var/lib/one/datastores/1/VlabC_1.qcow2
>>>>>> Tue Sep 10 14:32:48 2013 [ImM][I]: ExitCode: 255
>>>>>> Tue Sep 10 14:32:48 2013 [ImM][E]: Error copying image in the datastore: Not allowed to copy image file /var/lib/one/datastores/1/VlabC_1.qcow2
>>>>>
>>>>> --
>>>>> Gerry O'Brien
>>>>>
>>>>> Systems Manager
>>>>> School of Computer Science and Statistics
>>>>> Trinity College Dublin
>>>>> Dublin 2
>>>>> IRELAND
>>>>>
>>>>> 00 353 1 896 1341

_______________________________________________
Users mailing list
Users@lists.opennebula.org
http://lists.opennebula.org/listinfo.cgi/users-opennebula.org
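The restricted-directory check the thread keeps running into, and the hole Carlos describes once the datastores are moved to /datastores, as an added example that is not part of the thread and not OpenNebula's own driver code (the real check lives in the shell driver under /var/lib/one/remotes/datastore/fs/). The example builds a throwaway replica of Gerry's layout in a temporary directory (file contents, the VM id 42 and the user directory are constructed), then runs a plain prefix check like the one the log line reports against a version that resolves symlinks on both the candidate path and the configured prefixes. The function names, the "shipped" and "relocated" restricted lists and the SAFE_DIRS-style allowlist parameter are the example's own.

```python
import os
import shutil
import tempfile


def _under(path, prefix):
    """True if path is the directory named by prefix or lies beneath it."""
    prefix = prefix.rstrip("/") + "/"
    return path == prefix[:-1] or path.startswith(prefix)


def prefix_check(path, restricted, safe=()):
    """Plain prefix check on the path exactly as the user supplied it.

    Returns True when the copy is allowed.  Allowlisted entries win over
    restricted ones so an operator can carve out an upload directory.
    """
    if any(_under(path, d) for d in safe):
        return True
    return not any(_under(path, d) for d in restricted)


def canonical_check(path, restricted, safe=()):
    """Same policy after resolving symlinks on both sides, so the verdict
    is about where the bytes really live, not the spelling of the path."""
    real = os.path.realpath(path)
    if any(_under(real, os.path.realpath(d)) for d in safe):
        return True
    return not any(_under(real, os.path.realpath(d)) for d in restricted)


def build_layout():
    """Constructed replica of the thread's setup under a temporary root:
    <root>/datastores holds the data (Gerry's NFS mount), <root>/var/lib/one/
    datastores is a symlink to it, and <root>/var/lib/one/one_auth stands in
    for the credential file.  Every name and value here is made up."""
    root = tempfile.mkdtemp(prefix="one-example-")
    one = os.path.join(root, "var/lib/one")
    os.makedirs(one)
    os.makedirs(os.path.join(root, "etc/one"))
    os.makedirs(os.path.join(root, "datastores/0/42"))
    os.makedirs(os.path.join(root, "datastores/1"))
    os.makedirs(os.path.join(root, "home/user"))
    with open(os.path.join(one, "one_auth"), "w") as f:
        f.write("oneadmin:CONSTRUCTED-SECRET\n")
    with open(os.path.join(root, "datastores/0/42/deployment.0"), "w") as f:
        f.write("<graphics type='vnc' passwd='CONSTRUCTED'/>\n")
    # Gerry's symlink: /var/lib/one/datastores -> /datastores
    os.symlink(os.path.join(root, "datastores"), os.path.join(one, "datastores"))
    # A symlink in a user-writable directory that points into the restricted tree.
    os.symlink(os.path.join(one, "one_auth"), os.path.join(root, "home/user/image.qcow2"))
    return root


def verdicts(root):
    """Evaluate both checks over the paths from the thread, with the shipped
    restricted list and with that list extended by the relocated datastore.
    Returns {case: {check_name: allowed}}."""
    shipped = [os.path.join(root, "var/lib/one/"), os.path.join(root, "etc/one/")]
    relocated = shipped + [os.path.join(root, "datastores/")]
    cases = {
        "via_symlink": os.path.join(root, "var/lib/one/datastores/1/DELETEME.qcow2"),
        "via_real_dir": os.path.join(root, "datastores/0/42/deployment.0"),
        "symlink_into_one": os.path.join(root, "home/user/image.qcow2"),
        "ordinary_upload": os.path.join(root, "home/user/upload.qcow2"),
    }
    return {
        name: {
            "prefix/shipped": prefix_check(p, shipped),
            "canonical/shipped": canonical_check(p, shipped),
            "canonical/relocated": canonical_check(p, relocated),
        }
        for name, p in cases.items()
    }


def cleanup(root):
    """Remove the temporary replica."""
    shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    root = build_layout()
    try:
        for case, result in verdicts(root).items():
            print(case, result)
    finally:
        cleanup(root)
```

Two things fall out of the verdicts. With the shipped list, the prefix check refuses /var/lib/one/datastores/1/DELETEME.qcow2 (Gerry's error) but accepts the very same file reached as /datastores/..., which is the hole in Carlos's reply; resolving symlinks does not close it, because the link points out of /var/lib/one and the resolved path is less restricted, not more. Only naming the physical location of the datastores in the restricted list does. Resolving the candidate path still matters for the other direction: a link in a user-writable directory that points at one_auth is accepted by the plain prefix check and refused once the path is canonicalised.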