[Openstack-security] eventlet_backdoor.py
Daniel P. Berrange
berrange at redhat.com
Mon Feb 10 17:26:28 UTC 2014
On Mon, Feb 10, 2014 at 06:19:27PM +0100, Thomas Biege wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Am 10.02.2014 17:54, schrieb Daniel P. Berrange:
> > On Mon, Feb 10, 2014 at 05:42:08PM +0100, Thomas Biege wrote:
> >> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
> >>
> >> Hi, are there plans to rename the eventlet_backdoor.py module
> >> used in the OpenStack code at various places?
> >>
> >> The naming is bad and creates the impression that a backdoor is
> >> in OpenStack. In the current situation it might be an issue the
> >> press/blogs are waiting for.
> >>
> >> Even if renamed the openstack documentation should make it very
> >> clear what happens if the admins switches on this option.
> >>
> >> What do you think?
> >
> > NB if you enable this feature you basically *have* setup a backdoor
> > into the app for anyone who can connect to the nominated TCP port.
> > So in that sense this is actually accurately named and should serve
> > to discourage any deployers from enabling it without considering
> > the consequences.
>
> I am not sure that the name alone creates enough awareness. I also
> fear that the feature gets switched on, the problem is debugged, and
> then it will not be turned off again. Like ATMs that eject the money
> first and then the debit card, which leads to the card being left in
> the card reader slot because the customer has what he wants, the money.
>
> What about removing or restricting the feature?
FYI we have developed a new feature which is intended to replace
some of the original uses cases for the backdoor, in a saner
manner:
https://blueprints.launchpad.net/oslo/+spec/guru-meditation-report
This is a feature that will be enabled at all times. An admin merely
has to send SIGUSR1 to the process to get it to dump all its interesting
state to stderr for troubleshooting. I think this will be far more useful
for production environments, and of course safer to since it isn't
exposing an arbitrary python shell on an unauthenticated, unencrypted
TCP port.
Once guru meditation support is merged into all projects, personally
I'd have no issue with killing the eventlet backdoor entirely. Others
may disagree of course, but it is a conversation worth having IMHO.
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
More information about the Openstack-security
mailing list