<html>
  <head>
    <meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    Yes, I am aware that this is the expected behavior, at least from
    the developer point of view.<br>
    <br>
    Still, some functionality to confine plugin actions within the
    environment where it is supposed to run would be an useful option,
    what do you think?<br>
    <br>
    <br>
    <div class="moz-cite-prefix">On 07.12.2015 20:19, Andrew Woodward
      wrote:<br>
    </div>
    <blockquote
cite="mid:CACEfbZiwX0o5Q7PAGdPOk_++dyyVK7ADvCXPnPTSp5sQhVq2=w@mail.gmail.com"
      type="cite">
      <div dir="ltr">I'd have to say that this is expected behavior. I'm
        not sure what you would hope to prohibit when these kinds of
        things are necessary for the deployment. We also can't prohibit
        this from being done in a plugin, this is what the plugin
        verification is supposed to help combat. If you just go download
        a random puppet manifest // script // etc... from the internet,
        how do you ensure that it didn't install a root-kit.</div>
      <br>
      <div class="gmail_quote">
        <div dir="ltr">On Mon, Dec 7, 2015 at 9:14 AM Eugene Korekin
          <<a moz-do-not-send="true"
            href="mailto:ekorekin@mirantis.com">ekorekin@mirantis.com</a>>
          wrote:<br>
        </div>
        <blockquote class="gmail_quote" style="margin:0 0 0
          .8ex;border-left:1px #ccc solid;padding-left:1ex">
          <div bgcolor="#FFFFFF" text="#000000"> As far as I know this
            feature is planned for the next releases.<br>
            <br>
            But I think the main problem is: it's not obvious that just
            by installing a plugin, even without enabling the plugin in
            Fuel user could break or somehow alter already existing
            environments.  It could be done by malicious attacker who
            could compromise plugin or just unintentionally with some
            bug in the plugin code. <br>
            <br>
            Unfortunately, by installing some plugin a user jeopardizes
            his existing environments. And I think we should at least
            document these risks.</div>
          <div bgcolor="#FFFFFF" text="#000000"><br>
            <br>
            <div>On 07.12.2015 19:52, Javeria Khan wrote:<br>
            </div>
            <blockquote type="cite">
              <p dir="ltr">My two cents. It would be useful to have a
                role that could execute on the Fuel Master host itself
                rather than a container.</p>
              <p dir="ltr">--<br>
                Javeria</p>
              <div class="gmail_quote">On Dec 7, 2015 9:49 PM, "Roman
                Prykhodchenko" <<a moz-do-not-send="true"
                  href="mailto:me@romcheg.me" target="_blank">me@romcheg.me</a>>
                wrote:<br type="attribution">
                <blockquote class="gmail_quote" style="margin:0 0 0
                  .8ex;border-left:1px #ccc solid;padding-left:1ex">Alexey,<br>
                  <br>
                  thank you for bringing this up. IMO discussing
                  security problems is better to be done in a special
                  kind of Launchpad bugs.<br>
                  <br>
                  - romcheg<br>
                  <br>
                  <br>
                  > 7 груд. 2015 р. о 17:36 Alexey Elagin <<a
                    moz-do-not-send="true"
                    href="mailto:aelagin@mirantis.com" target="_blank"><a class="moz-txt-link-abbreviated" href="mailto:aelagin@mirantis.com">aelagin@mirantis.com</a></a>>

                  написав(ла):<br>
                  ><br>
                  > Hello all,<br>
                  ><br>
                  > We have a security problem in Fuel 7.0. It's
                  related to plugin<br>
                  > development and allows to execute code in
                  mcollective docker container<br>
                  > on Fuel master node. Any fuel plugin may contains
                  a yaml file with<br>
                  > deployment tasks (tasks.yaml,
                  deployment_tasks.yaml etc) and there is<br>
                  > an ability to run some code on node with role
                  "master". It's also<br>
                  > possible to connect to any target node via ssh
                  without a password from<br>
                  > within the container.<br>
                  ><br>
                  > As i understood, it was made to simplify some
                  deployment cases. I see<br>
                  > some steps for resolving this situation:<br>
                  > 1. Fuel team should disallow<br>
                  > execution of any puppet manifests or bash code on
                  nodes with master<br>
                  > role.<br>
                  > 2. Append the Fuel documentation. Notify users
                  about this<br>
                  > security issue.<br>
                  ><br>
                  > What do you think about it? What deployment cases
                  which require<br>
                  > execution of code on role "master" do you know?<br>
                  ><br>
                  > --<br>
                  > Best regards,<br>
                  > Alexey<br>
                  > Deployment Engineer<br>
                  > Mirantis, Inc<br>
                  > Cell: <a moz-do-not-send="true"
                    href="tel:%2B7%20%28968%29%20880%202288"
                    value="+79688802288" target="_blank">+7 (968) 880
                    2288</a><br>
                  > Skype: shikelbober<br>
                  > Slack: aelagin<br>
                  > mailto:<a moz-do-not-send="true"
                    href="mailto:aelagin@mirantis.com" target="_blank">aelagin@mirantis.com</a><br>
                  ><br>
                  ><br>
                  >
__________________________________________________________________________<br>
                  > OpenStack Development Mailing List (not for usage
                  questions)<br>
                  > Unsubscribe: <a moz-do-not-send="true"
href="http://OpenStack-dev-request@lists.openstack.org?subject:unsubscribe"
                    rel="noreferrer" target="_blank">OpenStack-dev-request@lists.openstack.org?subject:unsubscribe</a><br>
                  > <a moz-do-not-send="true"
                    href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev"
                    rel="noreferrer" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br>
                  <br>
                  <br>
__________________________________________________________________________<br>
                  OpenStack Development Mailing List (not for usage
                  questions)<br>
                  Unsubscribe: <a moz-do-not-send="true"
href="http://OpenStack-dev-request@lists.openstack.org?subject:unsubscribe"
                    rel="noreferrer" target="_blank">OpenStack-dev-request@lists.openstack.org?subject:unsubscribe</a><br>
                  <a moz-do-not-send="true"
                    href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev"
                    rel="noreferrer" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br>
                  <br>
                </blockquote>
              </div>
              <br>
              <fieldset></fieldset>
              <br>
              <pre>__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: <a moz-do-not-send="true" href="mailto:OpenStack-dev-request@lists.openstack.org?subject:unsubscribe" target="_blank">OpenStack-dev-request@lists.openstack.org?subject:unsubscribe</a>
<a moz-do-not-send="true" href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a>
</pre>
            </blockquote>
            <br>
          </div>
          <div bgcolor="#FFFFFF" text="#000000">
            <pre cols="72">-- 
Eugene Korekin
Partner Enablement Team Deployment Engineer</pre>
          </div>
__________________________________________________________________________<br>
          OpenStack Development Mailing List (not for usage questions)<br>
          Unsubscribe: <a moz-do-not-send="true"
href="http://OpenStack-dev-request@lists.openstack.org?subject:unsubscribe"
            rel="noreferrer" target="_blank">OpenStack-dev-request@lists.openstack.org?subject:unsubscribe</a><br>
          <a moz-do-not-send="true"
            href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev"
            rel="noreferrer" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br>
        </blockquote>
      </div>
      <div dir="ltr">-- <br>
      </div>
      <div dir="ltr">
        <p dir="ltr">--</p>
        <p dir="ltr"><span style="font-size:13.1999998092651px">Andrew
            Woodward</span></p>
        <p dir="ltr"><span style="font-size:13.1999998092651px">Mirantis</span></p>
        <p dir="ltr"><span style="font-size:13.1999998092651px">Fuel
            Community Ambassador</span></p>
        <p dir="ltr"><span style="font-size:13.1999998092651px">Ceph
            Community</span></p>
      </div>
      <br>
      <fieldset class="mimeAttachmentHeader"></fieldset>
      <br>
      <pre wrap="">__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: <a class="moz-txt-link-abbreviated" href="mailto:OpenStack-dev-request@lists.openstack.org?subject:unsubscribe">OpenStack-dev-request@lists.openstack.org?subject:unsubscribe</a>
<a class="moz-txt-link-freetext" href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a>
</pre>
    </blockquote>
    <br>
    <pre class="moz-signature" cols="72">-- 
Eugene Korekin
Partner Enablement Team Deployment Engineer</pre>
  </body>
</html>