<html>
<head>
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
Yes, I am aware that this is the expected behavior, at least from
the developer point of view.<br>
<br>
Still, some functionality to confine plugin actions within the
environment where it is supposed to run would be an useful option,
what do you think?<br>
<br>
<br>
<div class="moz-cite-prefix">On 07.12.2015 20:19, Andrew Woodward
wrote:<br>
</div>
<blockquote
cite="mid:CACEfbZiwX0o5Q7PAGdPOk_++dyyVK7ADvCXPnPTSp5sQhVq2=w@mail.gmail.com"
type="cite">
<div dir="ltr">I'd have to say that this is expected behavior. I'm
not sure what you would hope to prohibit when these kinds of
things are necessary for the deployment. We also can't prohibit
this from being done in a plugin, this is what the plugin
verification is supposed to help combat. If you just go download
a random puppet manifest // script // etc... from the internet,
how do you ensure that it didn't install a root-kit.</div>
<br>
<div class="gmail_quote">
<div dir="ltr">On Mon, Dec 7, 2015 at 9:14 AM Eugene Korekin
<<a moz-do-not-send="true"
href="mailto:ekorekin@mirantis.com">ekorekin@mirantis.com</a>>
wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"> As far as I know this
feature is planned for the next releases.<br>
<br>
But I think the main problem is: it's not obvious that just
by installing a plugin, even without enabling the plugin in
Fuel user could break or somehow alter already existing
environments. It could be done by malicious attacker who
could compromise plugin or just unintentionally with some
bug in the plugin code. <br>
<br>
Unfortunately, by installing some plugin a user jeopardizes
his existing environments. And I think we should at least
document these risks.</div>
<div bgcolor="#FFFFFF" text="#000000"><br>
<br>
<div>On 07.12.2015 19:52, Javeria Khan wrote:<br>
</div>
<blockquote type="cite">
<p dir="ltr">My two cents. It would be useful to have a
role that could execute on the Fuel Master host itself
rather than a container.</p>
<p dir="ltr">--<br>
Javeria</p>
<div class="gmail_quote">On Dec 7, 2015 9:49 PM, "Roman
Prykhodchenko" <<a moz-do-not-send="true"
href="mailto:me@romcheg.me" target="_blank">me@romcheg.me</a>>
wrote:<br type="attribution">
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">Alexey,<br>
<br>
thank you for bringing this up. IMO discussing
security problems is better to be done in a special
kind of Launchpad bugs.<br>
<br>
- romcheg<br>
<br>
<br>
> 7 груд. 2015 р. о 17:36 Alexey Elagin <<a
moz-do-not-send="true"
href="mailto:aelagin@mirantis.com" target="_blank"><a class="moz-txt-link-abbreviated" href="mailto:aelagin@mirantis.com">aelagin@mirantis.com</a></a>>
написав(ла):<br>
><br>
> Hello all,<br>
><br>
> We have a security problem in Fuel 7.0. It's
related to plugin<br>
> development and allows to execute code in
mcollective docker container<br>
> on Fuel master node. Any fuel plugin may contains
a yaml file with<br>
> deployment tasks (tasks.yaml,
deployment_tasks.yaml etc) and there is<br>
> an ability to run some code on node with role
"master". It's also<br>
> possible to connect to any target node via ssh
without a password from<br>
> within the container.<br>
><br>
> As i understood, it was made to simplify some
deployment cases. I see<br>
> some steps for resolving this situation:<br>
> 1. Fuel team should disallow<br>
> execution of any puppet manifests or bash code on
nodes with master<br>
> role.<br>
> 2. Append the Fuel documentation. Notify users
about this<br>
> security issue.<br>
><br>
> What do you think about it? What deployment cases
which require<br>
> execution of code on role "master" do you know?<br>
><br>
> --<br>
> Best regards,<br>
> Alexey<br>
> Deployment Engineer<br>
> Mirantis, Inc<br>
> Cell: <a moz-do-not-send="true"
href="tel:%2B7%20%28968%29%20880%202288"
value="+79688802288" target="_blank">+7 (968) 880
2288</a><br>
> Skype: shikelbober<br>
> Slack: aelagin<br>
> mailto:<a moz-do-not-send="true"
href="mailto:aelagin@mirantis.com" target="_blank">aelagin@mirantis.com</a><br>
><br>
><br>
>
__________________________________________________________________________<br>
> OpenStack Development Mailing List (not for usage
questions)<br>
> Unsubscribe: <a moz-do-not-send="true"
href="http://OpenStack-dev-request@lists.openstack.org?subject:unsubscribe"
rel="noreferrer" target="_blank">OpenStack-dev-request@lists.openstack.org?subject:unsubscribe</a><br>
> <a moz-do-not-send="true"
href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev"
rel="noreferrer" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br>
<br>
<br>
__________________________________________________________________________<br>
OpenStack Development Mailing List (not for usage
questions)<br>
Unsubscribe: <a moz-do-not-send="true"
href="http://OpenStack-dev-request@lists.openstack.org?subject:unsubscribe"
rel="noreferrer" target="_blank">OpenStack-dev-request@lists.openstack.org?subject:unsubscribe</a><br>
<a moz-do-not-send="true"
href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev"
rel="noreferrer" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br>
<br>
</blockquote>
</div>
<br>
<fieldset></fieldset>
<br>
<pre>__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: <a moz-do-not-send="true" href="mailto:OpenStack-dev-request@lists.openstack.org?subject:unsubscribe" target="_blank">OpenStack-dev-request@lists.openstack.org?subject:unsubscribe</a>
<a moz-do-not-send="true" href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a>
</pre>
</blockquote>
<br>
</div>
<div bgcolor="#FFFFFF" text="#000000">
<pre cols="72">--
Eugene Korekin
Partner Enablement Team Deployment Engineer</pre>
</div>
__________________________________________________________________________<br>
OpenStack Development Mailing List (not for usage questions)<br>
Unsubscribe: <a moz-do-not-send="true"
href="http://OpenStack-dev-request@lists.openstack.org?subject:unsubscribe"
rel="noreferrer" target="_blank">OpenStack-dev-request@lists.openstack.org?subject:unsubscribe</a><br>
<a moz-do-not-send="true"
href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev"
rel="noreferrer" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br>
</blockquote>
</div>
<div dir="ltr">-- <br>
</div>
<div dir="ltr">
<p dir="ltr">--</p>
<p dir="ltr"><span style="font-size:13.1999998092651px">Andrew
Woodward</span></p>
<p dir="ltr"><span style="font-size:13.1999998092651px">Mirantis</span></p>
<p dir="ltr"><span style="font-size:13.1999998092651px">Fuel
Community Ambassador</span></p>
<p dir="ltr"><span style="font-size:13.1999998092651px">Ceph
Community</span></p>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: <a class="moz-txt-link-abbreviated" href="mailto:OpenStack-dev-request@lists.openstack.org?subject:unsubscribe">OpenStack-dev-request@lists.openstack.org?subject:unsubscribe</a>
<a class="moz-txt-link-freetext" href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a>
</pre>
</blockquote>
<br>
<pre class="moz-signature" cols="72">--
Eugene Korekin
Partner Enablement Team Deployment Engineer</pre>
</body>
</html>