OpenNebula / one

The open source Cloud & Edge Computing Platform bringing real freedom to your Enterprise Cloud 🚀
http://opennebula.io
Apache License 2.0

Restrict RAW content #871

Closed OpenNebulaProject closed 5 years ago

OpenNebulaProject commented 6 years ago

Author Name: EOLE Team (EOLE Team) Original Redmine Issue: 3498, https://dev.opennebula.org/issues/3498 Original Date: 2015-01-14


Hello,

We use a virtfs for our test beds for communications between a jenkins and VMs.

I test with the following RAW:

RAW=[TYPE="kvm",DATA="
    <devices>
        <filesystem type='mount' accessmode='squash'>
            <source dir='/' />
            <target dir='root' />
        </filesystem>
    </devices>
"]

Then I can mount this virtfs in my VM and access the root of my hypervisor as user oneadmin:

root@ubuntu:~# mount -t 9p -o trans=virtio root /mnt/ -oversion=9p2000.L
root@ubuntu:~# cat /mnt/etc/hostname 
nebula1
root@ubuntu:~# cat /mnt/etc/shadow
cat: /mnt/etc/shadow: Permission denied
root@ubuntu:~# touch /mnt/var/lib/one/datastores/foo
root@ubuntu:~# rm /mnt/var/lib/one/datastores/foo

So, I can run rm -rf /mnt/var/lib/one/datastores/ and destroy my infrastructure.

Is there a way to restrict the content of RAW?

OpenNebulaProject commented 6 years ago

Original Redmine Comment Author Name: Carlos Martín (Carlos Martín) Original Date: 2015-01-14T14:43:31Z


Hi,

The contents cannot be restricted, but you can make RAW a restricted attribute, available only to administrators: http://docs.opennebula.org/4.10/administration/references/oned_conf.html#restricted-attributes-configuration

As a matter of fact, I think we should make it one of the default restricted attributes.

Is this enough for your use case?

OpenNebulaProject commented 6 years ago

Original Redmine Comment Author Name: EOLE Team (EOLE Team) Original Date: 2015-01-14T15:42:37Z


Carlos Martín wrote:

The contents cannot be restricted, but you can make RAW a restricted attribute, available only to administrators: http://docs.opennebula.org/4.10/administration/references/oned_conf.html#restricted-attributes-configuration

As a matter of fact, I think we should make it one of the default restricted attributes.

Is this enough for your use case?

Unfortunately not, normal users run templates with RAW section:

  • to make “privative OS” working
  • to access a virtfs under a dedicated directory

I thought about restricting the creation of template with RAW to admin users, but normal users must be able to run them.

OpenNebulaProject commented 6 years ago

Original Redmine Comment Author Name: EOLE Team (EOLE Team) Original Date: 2015-01-14T15:58:01Z


EOLE Team wrote:

Unfortunately not, normal users run templates with RAW section:

  • to make “privative OS” working
  • to access a virtfs under a dedicated directory

I thought about restricting the creation of template with RAW to admin users, but normal users must be able to run them.

My mistake:

If the VM template has been created by admins in the oneadmin group, then users outside the oneadmin group can instantiate these templates.

Requiring oneadmin membership is a bit limiting for us, I do not want to give oneadmin to the user responsible for creating templates :-/

OpenNebulaProject commented 6 years ago

Original Redmine Comment Author Name: Stefan Kooman (Stefan Kooman) Original Date: 2017-01-05T15:04:00Z


VM_RESTRICTED_ATTR = "RAW" is not enabled by default in oned.conf, and not even listed there. I would strongly opt to enable this by default, as it is the biggest security hole in ONE. Every user with "TEMPLATE:CREATE" or "TEMPLATE:MANAGE" permissions will have the possibility to pass hypervisor disks to guest VMs, obtain /etc/shadow, ssh pub / private keys of oneadmin, inflict a Denial of service. When ONE frontend is a VM on same infrastructure the whole cloud infra can be powned ...

stale[bot] commented 5 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions. The OpenNebula Dev Team

stale[bot] commented 5 years ago

This issue has been automatically closed due to lack of activity/feedback. Please reopen if you have further input or need to bump this. The OpenNebula Dev Team