Insecure default permissions in /var/openebs

[ion1]

Is this a BUG REPORT or FEATURE REQUEST?

BUG REPORT

What happened:

Entries created in /var/openebs/local have not only a universal read permission but a write permission as well for local users on the host system:

# ls -l /var/openebs/local
drwxrwxrwx 5 root root 4096 Jun 21 12:43 pvc-8ac37e74-93ca-11e9-9892-960000289746

Entries in /var/openebs/sparse are still readable by local users:

# ls -l /var/openebs/sparse/*
-rw-r--r-- 1 root root 10737418240 Jun 21 05:14 /var/openebs/sparse/0-ndm-sparse.img

What you expected to happen:

I expected the default permissions to be 0700 for directories and 0600 for files.

How to reproduce it (as minimally and precisely as possible):

Install OpenEBS, create a localpv PVC, look at the permissions under /var/openebs.

Anything else we need to know?:

The culprit for localpv is in provisioner_hostpath.go.

[MikaelSmith]

I don't see any discussion of this in the original change to add directory creation: #1226. It does seem like the permissions are overly broad. The best workaround I've thought of is to make sure /var/openebs is set to 0700.

[kmova]

Will be addressed as part of openebs/dynamic-localpv-provisioner#95

Thanks @MikaelSmith for the suggestion.