From 9da43ddfc09e56b772e4304eef430e56aaf6013e Mon Sep 17 00:00:00 2001
From: Zhijiang Hu
Date: Thu, 4 Jan 2018 17:11:43 -0500
Subject: Fix tmp dir security risks in image build code
Change-Id: I2b909101ead10e26d2ec00a0ba3eb4ca63dc226a
Signed-off-by: Zhijiang Hu
---
 ci/kolla-build-vm.sh | 13 +++++++++----
 ci/kolla-build.sh | 9 +++++----
 2 files changed, 14 insertions(+), 8 deletions(-)
diff --git a/ci/kolla-build-vm.sh b/ci/kolla-build-vm.sh
index 63117242..011537ad 100755
--- a/ci/kolla-build-vm.sh
+++ b/ci/kolla-build-vm.sh
@@ -20,7 +20,12 @@ KOLLA_TAG=
 EXT_TAG=
 KOLLA_GIT_VERSION=
 KOLLA_IMAGE_VERSION=
-WORK_DIR=/tmp
+
+SCRIPT_PATH=$(readlink -f $(dirname $0))
+WORKSPACE=$(cd ${SCRIPT_PATH}/..; pwd)
+
+WORK_DIR=$WORKSPACE
+
 REGISTRY_SERVER_NAME=daisy-registry
 function usage
@@ -45,7 +50,7 @@ sudo `basename $0` -l https://git.openstack.org/openstack/kolla
 -j daisy-docker-build-euphrates
 -t 4.0.2
 -e .1
- -w /tmp
+ -w /path/to/the/working/dir
 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
 EOF
 }
@@ -220,8 +225,8 @@ function cleanup_kolla_image {
 function start_registry_server {
 echo "Starting registry server"
 sudo docker run -d -p 5000:5000 --restart=always \
- -e REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY=/tmp/registry \
- -v $REGISTRY_VOLUME_DIR:/tmp/registry \
+ -e REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY=/home/registry \
+ -v $REGISTRY_VOLUME_DIR:/home/registry \
 --name $REGISTRY_SERVER_NAME registry:2
 }
diff --git a/ci/kolla-build.sh b/ci/kolla-build.sh
index b3b9fca3..cca98db5 100755
--- a/ci/kolla-build.sh
+++ b/ci/kolla-build.sh
@@ -31,7 +31,10 @@ error_trap()
 exit $exitcode
 }
-WORK_DIR=/tmp
+SCRIPT_PATH=$(readlink -f $(dirname $0))
+WORKSPACE=$(cd ${SCRIPT_PATH}/..; pwd)
+
+WORK_DIR=$WORKSPACE
 while getopts "l:b:j:t:e:w:h" OPTION
 do
 #Only get what we need
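Review bot: In the `@@ -20,7 +20,12 @@` hunk of ci/kolla-build-vm.sh, `WORKSPACE=$(cd ${SCRIPT_PATH}/..; pwd)` joins `cd` and `pwd` with `;`, so when the `cd` fails `pwd` still prints the caller's current directory and WORK_DIR silently becomes wherever the script was started from; the usage text in this file shows the script being run under sudo. The expansions are also unquoted, so a checkout path containing whitespace is split into several words. I would write `SCRIPT_PATH=$(readlink -f "$(dirname "$0")")` and `WORKSPACE=$(cd "${SCRIPT_PATH}/.." && pwd)`. The same two lines are added in the `@@ -31,7 +31,10 @@` hunk of ci/kolla-build.sh and need the same change. Only the default moved away from /tmp: `-w` is still accepted, and whether a shared directory passed that way is rejected depends on option handling outside these hunks.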
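Review bot: In `start_registry_server` (hunk `@@ -220,8 +225,8 @@` of ci/kolla-build-vm.sh) the renamed path `/home/registry` is the mount point inside the registry container, so this change by itself does not move any host data out of /tmp. The host side of the bind mount is `$REGISTRY_VOLUME_DIR`, which is assigned outside the hunk and presumably derives from WORK_DIR; it is worth confirming that it no longer resolves under /tmp and recording that above the `docker run` with a comment such as `# host side of the bind mount; must not be a world-writable directory`. The variable is also unquoted on the new line, and `-v "$REGISTRY_VOLUME_DIR:/home/registry" \` would keep a path with spaces intact.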
@@ -46,8 +49,6 @@ BUILD_OUTPUT_DIR=$WORK_DIR/kolla-build-output
 ############Builder VM operations################
-SCRIPT_PATH=$(readlink -f $(dirname $0))
-WORKSPACE=$(cd ${SCRIPT_PATH}/..; pwd)
 DEPLOY_PATH=$WORKSPACE/deploy
 # VM configurations
@@ -64,7 +65,7 @@ PARAS_IMAGE=${PARAS_FROM_DEPLOY#* * * }
 # qcow2 image modifier location
 CREATE_QCOW2_PATH=$WORKSPACE/tools
 # temp storage for qcow2 image modifier
-IMWORKDIR=${IMWORKDIR:-/tmp/workdir/daisy}
+IMWORKDIR=${IMWORKDIR:-$WORKSPACE/img}
 # set extra ssh paramters
 SSH_PARAS="-o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no"
--
cgit 1.2.3-korg
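Review bot: `IMWORKDIR=${IMWORKDIR:-$WORKSPACE/img}` in the `@@ -64,7 +65,7 @@` hunk of ci/kolla-build.sh changes only the default, so a value inherited from the environment is still used as-is and a job that exports `IMWORKDIR=/tmp/workdir/daisy` keeps the old behaviour. How the directory is created, populated and cleaned is outside the hunk; if a privileged step removes and recreates it, a fixed path in a shared location remains exposed to pre-creation by another local user. I would state the expectation in the comment above the assignment, for example `# temp storage for qcow2 image modifier; must be owned by the build user and must not live under a shared directory such as /tmp`.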