Published: 5 December 2019

OpenStack nova base images permissions are world readable


/var/lib/nova/instances/_base/ apparently stores images with DAC
permissions set to 0644. Deferred while waiting for upstream to address
the issue -- I suspect the fix is simple, but the consequences may not be.
Ignoring. VMs are confined by AppArmor and are not able to read
each other's files. Even if this were not the case, the files would be
readable by the libvirt-qemu:kvm user, so changing the permissions to
0640 would not help greatly. Therefore the protection would only be against
other users on the system and a typical production Nova installation will
not have these types of users or extra services. Furthermore, changing the
permissions in a security update could be disruptive to production systems
on upgrade.
no upstream fix as of 2014-05-05
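
An audit check for the condition described above, as an added example that is not part of the original advisory or of Nova: it lists files in a base-image directory whose mode grants read access to other users, and goes one step beyond the note by also reporting whether the parent directories grant search (o+x) permission, since a 0644 file is only exposed to other local users when they can traverse to it. The function names and the sample tree are hypothetical and constructed for illustration.

```python
import os
import stat
import tempfile

NOVA_BASE_DIR = "/var/lib/nova/instances/_base"  # directory named in the advisory

def others_can_reach(path, top="/"):
    """True if every directory from the file's parent up to `top` grants o+x."""
    top = os.path.realpath(top)
    current = os.path.dirname(os.path.realpath(path))
    while True:
        if not os.stat(current).st_mode & stat.S_IXOTH:
            return False  # a non-searchable ancestor blocks other users
        parent = os.path.dirname(current)
        if current == top or parent == current:
            return True
        current = parent

def audit_base_images(base_dir, top="/"):
    """List regular files under base_dir whose mode grants read to 'other'."""
    findings = []
    for root, _dirs, files in os.walk(base_dir):
        for name in sorted(files):
            path = os.path.join(root, name)
            st = os.lstat(path)  # lstat: do not follow symlinks out of the tree
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_IROTH:
                findings.append({
                    "file": name,
                    "mode": format(stat.S_IMODE(st.st_mode), "04o"),
                    "reachable_by_others": others_can_reach(path, top),
                })
    return findings

def build_demo_tree(dir_mode):
    """Constructed sample: an _base directory with one 0644 and one 0640 file."""
    top = tempfile.mkdtemp()
    base = os.path.join(top, "_base")
    os.mkdir(base)
    for name, mode in (("image_a", 0o644), ("image_b", 0o640)):
        path = os.path.join(base, name)
        with open(path, "wb") as handle:
            handle.write(b"constructed sample, not a real disk image")
        os.chmod(path, mode)
    os.chmod(base, dir_mode)
    os.chmod(top, 0o755)
    return top, base

if __name__ == "__main__":
    top, base = build_demo_tree(0o750)
    print(audit_base_images(base, top))  # on a compute node: audit_base_images(NOVA_BASE_DIR)
```

On a compute node, call `audit_base_images(NOVA_BASE_DIR)` with the default `top` so that every ancestor directory up to `/` is checked.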



CVSS 3 base score: 5.5


Package Release Status
Launchpad, Ubuntu, Debian
upstream   Needed
lucid      Does not exist
precise    Ignored
quantal    Ignored
saucy      Ignored
trusty     Does not exist (trusty was ignored)