Note: This is a beta release of Red Hat Bugzilla 5.0. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Also email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback here.

Bug 1034247

Summary: Cloud-Init: meta_data.json and user_data files on config-drive are world-readable
Product: Red Hat Enterprise Virtualization Manager Reporter: Pavel Novotny <pnovotny>
Component: ovirt-engineAssignee: Francesco Romani <fromani>
Status: CLOSED CURRENTRELEASE QA Contact: Pavel Novotny <pnovotny>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 3.3.0CC: acathrow, iheim, lpeer, mavital, michal.skrivanek, Rhev-m-bugs, sherold, s.kieske, yeylon
Target Milestone: ---   
Target Release: 3.4.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard: virt
Fixed In Version: ovirt-3.4.0-alpha1 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On:    
Bug Blocks: 1078909, 1142926    

Description Pavel Novotny 2013-11-25 13:35:21 UTC
Description of problem:
When using Cloud-Init (via Run Once) for VM bootstrapping, the `user_data` and `meta_data.json` files on the config-drive have world readable permissions. Since they contain sensitive informations such as root password or SSH auth. key, they should not be readable for everyone.

Version-Release number of selected component (if applicable):
rhevm-3.3.0-0.35.beta1.el6ev.noarch (is24)

How reproducible:

Steps to Reproduce:
1. In Webadmin, have a VM and run it via Run Once with some values in Initial Run/Cloud-Init section.
2. On the host the VM is running, search the qemu process for the attached config-drive CD-ROM image (ps aux | grep [q]emu | grep cdrom). 
It looks like: 
-drive file=/var/run/vdsm/payload/d80627d0-04f4-48d5-9335-753354c2cc29.8

3. Mount the image and check permissions of the meta data and user data files:
# mount -t iso9660 -o loop /var/run/vdsm/payload/<config-drive>.img /mnt/cloud-init/
# ls -l /mnt/cloud-init/openstack/latest/

Actual results:
-r--r--r--. 1 root root 695 21. lis 17.33 meta_data.json
-r--r--r--. 1 root root 291 21. lis 17.33 user_data

Expected results:
The files should be readable only for root user, not for everyone.

Additional info:

Comment 1 Michal Skrivanek 2013-11-26 09:59:12 UTC
this is exposed in the VM as a CDROM so you need permissions for that so not a big deal. 
Fixing this would require extending the payload feature with user/group and permissions

Comment 2 Michal Skrivanek 2013-12-02 15:10:35 UTC
maybe just by default create a non world-readable files...

Comment 3 Pavel Novotny 2014-02-18 12:36:37 UTC
Verified upstream in ovirt-engine-3.4.0-0.7.beta2.el6.noarch.

Followed reproducer in comment 0 for verification.
The files on the attached config-drive are no longer world-readable:

# mount -t iso9660 -o loop /var/run/vdsm/payload/11b2841c-03bd-43d8-8d43-4ece2392fee8.62b0aaef2741993fc8bc89d3c3bc4f58.img /mnt/cloud-init/
# ls -l /mnt/cloud-init/openstack/latest/
-rw-r-----. 1 root root 252 Feb 18 11:59 meta_data.json
-rw-r-----. 1 root root 222 Feb 18 11:59 user_data

Comment 5 Itamar Heim 2014-06-12 14:08:37 UTC
Closing as part of 3.4.0