Tighten storage pool permissions (from Incus) (stable-5.0) (#16923)

Pulls in fix from lxc/incus#2642 (from
#16904 via
#16922)

Related to lxc/incus#2641

Fix for
[GHSA-56mx-8g9f-5crf](GHSA-56mx-8g9f-5crf)
CVE-2025-64507

Author: tomponline

lxd/patches.go

@@ -4,6 +4,7 @@ import (
 	"context"
 	"errors"
 	"fmt"
+	"io/fs"
 	"net/http"
 	"os"
 	"path/filepath"
@@ -83,6 +84,7 @@ var patches = []patch{
 	{name: "storage_unset_invalid_block_settings", stage: patchPostDaemonStorage, run: patchStorageUnsetInvalidBlockSettings},
 	{name: "storage_move_custom_iso_block_volumes_v2", stage: patchPostDaemonStorage, run: patchStorageRenameCustomISOBlockVolumesV2},
 	{name: "storage_unset_invalid_block_settings_v2", stage: patchPostDaemonStorage, run: patchStorageUnsetInvalidBlockSettingsV2},
+	{name: "pool_fix_default_permissions", stage: patchPostDaemonStorage, run: patchDefaultStoragePermissions},
 }
 
 type patch struct {
@@ -1249,4 +1251,34 @@ DELETE FROM storage_volumes_config
 	return err
 }
 
+// patchDefaultStoragePermissions re-applies the default modes to all storage pools.
+func patchDefaultStoragePermissions(_ string, d *Daemon) error {
+	s := d.State()
+
+	pools, err := s.DB.Cluster.GetStoragePoolNames()
+	if err != nil {
+		// Skip the rest of the patch if no storage pools were found.
+		if api.StatusErrorCheck(err, http.StatusNotFound) {
+			return nil
+		}
+
+		return fmt.Errorf("Failed getting storage pool names: %w", err)
+	}
+
+	for _, pool := range pools {
+		for _, volEntry := range storageDrivers.BaseDirectories {
+			for _, volDir := range volEntry.Paths {
+				path := storageDrivers.GetPoolMountPath(pool) + "/" + volDir
+
+				err := os.Chmod(path, volEntry.Mode)
+				if err != nil && !errors.Is(err, fs.ErrNotExist) {
+					return fmt.Errorf("Failed to set directory mode %q: %w", path, err)
+				}
+			}
+		}
+	}
+
+	return nil
+}
+
 // Patches end here

lxd/storage/backend_lxd.go

@@ -5116,10 +5116,10 @@ func (b *lxdBackend) RestoreCustomVolume(projectName, volName string, snapshotNa
 
 func (b *lxdBackend) createStorageStructure(path string) error {
 	for _, volType := range b.driver.Info().VolumeTypes {
-		for _, name := range drivers.BaseDirectories[volType] {
+		for _, name := range drivers.BaseDirectories[volType].Paths {
 			path := filepath.Join(path, name)
-			err := os.MkdirAll(path, 0711)
-			if err != nil && !os.IsExist(err) {
+			err := os.MkdirAll(path, drivers.BaseDirectories[volType].Mode)
+			if err != nil && !errors.Is(err, fs.ErrExist) {
 				return fmt.Errorf("Failed to create directory %q: %w", path, err)
 			}
 		}

lxd/storage/drivers/driver_btrfs.go

@@ -283,7 +283,7 @@ func (d *btrfs) Delete(op *operations.Operation) error {
 
 	// Delete potential intermediate btrfs subvolumes.
 	for _, volType := range d.Info().VolumeTypes {
-		for _, dir := range BaseDirectories[volType] {
+		for _, dir := range BaseDirectories[volType].Paths {
 			path := filepath.Join(GetPoolMountPath(d.name), dir)
 			if !shared.PathExists(path) {
 				continue

lxd/storage/drivers/driver_zfs_utils.go

@@ -286,8 +286,7 @@ func (d *zfs) initialDatasets() []string {
 
 	// Iterate over the listed supported volume types.
 	for _, volType := range d.Info().VolumeTypes {
-		entries = append(entries, BaseDirectories[volType][0])
-		entries = append(entries, filepath.Join("deleted", BaseDirectories[volType][0]))
+		entries = append(entries, BaseDirectories[volType].Paths[0], "deleted/"+BaseDirectories[volType].Paths[0])
 	}
 
 	return entries

lxd/storage/drivers/generic_vfs.go

@@ -1153,11 +1153,11 @@ func genericVFSListVolumes(d Driver) ([]Volume, error) {
 	poolMountPath := GetPoolMountPath(poolName)
 
 	for _, volType := range d.Info().VolumeTypes {
-		if len(BaseDirectories[volType]) < 1 {
+		if len(BaseDirectories[volType].Paths) < 1 {
 			return nil, fmt.Errorf("Cannot get base directory name for volume type %q", volType)
 		}
 
-		volTypePath := filepath.Join(poolMountPath, BaseDirectories[volType][0])
+		volTypePath := filepath.Join(poolMountPath, BaseDirectories[volType].Paths[0])
 		ents, err := os.ReadDir(volTypePath)
 		if err != nil {
 			return nil, fmt.Errorf("Failed to list directory %q for volume type %q: %w", volTypePath, volType, err)

lxd/storage/drivers/volume.go

@@ -76,13 +76,18 @@ const ContentTypeISO = ContentType("iso")
 // VolumePostHook function returned from a storage action that should be run later to complete the action.
 type VolumePostHook func(vol Volume) error
 
+type baseDirectory struct {
+	Paths []string
+	Mode  os.FileMode
+}
+
 // BaseDirectories maps volume types to the expected directories.
-var BaseDirectories = map[VolumeType][]string{
-	VolumeTypeBucket:    {"buckets"},
-	VolumeTypeContainer: {"containers", "containers-snapshots"},
-	VolumeTypeCustom:    {"custom", "custom-snapshots"},
-	VolumeTypeImage:     {"images"},
-	VolumeTypeVM:        {"virtual-machines", "virtual-machines-snapshots"},
+var BaseDirectories = map[VolumeType]baseDirectory{
+	VolumeTypeBucket:    {Paths: []string{"buckets"}, Mode: 0o711},                            // MinIO is run as non-root, so 0700 won't work, however as S3 interface doesn't allow creation of setuid binaries this is OK.
+	VolumeTypeContainer: {Paths: []string{"containers", "containers-snapshots"}, Mode: 0o711}, // Containers may be run as non-root, so 0700 won't work, however as containers have their own sub-directory with correct ownership that is 0100 this is OK.
+	VolumeTypeCustom:    {Paths: []string{"custom", "custom-snapshots"}, Mode: 0o700},
+	VolumeTypeImage:     {Paths: []string{"images"}, Mode: 0o700},
+	VolumeTypeVM:        {Paths: []string{"virtual-machines", "virtual-machines-snapshots"}, Mode: 0o700},
 }
 
 // Volume represents a storage volume, and provides functions to mount and unmount it.

test/suites/storage.sh

@@ -20,6 +20,35 @@ test_storage() {
 
   lxc storage volume create "$storage_pool" "$storage_volume"
 
+  # Test storage directory permissions
+
+  # Verify storage pool directory permissions match BaseDirectories expectations.
+  # We expect:
+  # - containers, containers-snapshots -> 0711
+  # - buckets -> 0711
+  # - custom, custom-snapshots -> 0700
+  # - images -> 0700
+  # - virtual-machines, virtual-machines-snapshots -> 0700
+  pool_path="${LXD_DIR}/storage-pools/${storage_pool}"
+
+  declare -A expected_modes
+  expected_modes[containers]=711
+  expected_modes[containers-snapshots]=711
+  if [ "${lxd_backend}" != "ceph" ]; then
+      expected_modes[buckets]=711 # Buckets are not supported on ceph backend.
+  fi
+  expected_modes[custom]=700
+  expected_modes[custom-snapshots]=700
+  expected_modes[images]=700
+  expected_modes[virtual-machines]=700
+  expected_modes[virtual-machines-snapshots]=700
+
+  for dir in "${!expected_modes[@]}"; do
+    want="${expected_modes[$dir]}"
+    mode=$(stat -c %a "${pool_path}/${dir}")
+    [ "${mode}" = "${want}" ]
+  done
+
   # Test setting description on a storage volume
   lxc storage volume show "$storage_pool" "$storage_volume" | sed 's/^description:.*/description: bar/' | lxc storage volume edit "$storage_pool" "$storage_volume"
   lxc storage volume show "$storage_pool" "$storage_volume" | grep -q 'description: bar'