[Openstack-security] Security Anti-Patterns

Kurt Seifried kseifried at redhat.com
Thu May 29 04:56:52 UTC 2014



On 05/28/2014 09:55 PM, Bhandaru, Malini K wrote:
> Hello Everyone!
> 
> Can you think of a security anti-pattern? Share them and help make 
> OpenStack more secure.
> 
> Below is an excerpt from the wiki under development  -- 
> https://wiki.openstack.org/wiki/Security/OpenStack_Security_Impact_Checks
> 
> OpenStack security is getting greater scrutiny as adoption
> increases. At the Icehouse summit during an OSSG design session we
> floated the idea of incorporating automated tests to capture some
> security anti-patterns.
> 
> For instance, consider cinder file permissions bug 
> <https://bugs.launchpad.net/cinder/+bug/1260679>; the extent of the
> bug, namely affected drivers, was determined with a grep, a check
> for "chmod" with promiscuous file settings for group and world.
> It transpired that several of the drivers were setting volume file 
> permissions to 777 and 666!
> 
> Yet another test possible is checking for shell command executions 
> as *root*. Occasionally these cannot be avoided but alerting to
> these helps the developer re-think the code and at the very least
> justify its need.
> 
> Hope to hear from you!
> 
> Malini

So I find this.. I dunno. So 20 years ago when I started doing
information security the pattern of "least privilege" was well
established. Now 20 years later everyone is discovering it yet again
(for about the, well, 20th time).

Rather than going with the easy "let's make code that works" resulting
in abuse of privileges (e.g. file modes that are 666/777), you need to
spend time and effort dialling down the privileges and testing. Not
documenting "don't use mode 666/777" (if documenting this stuff
worked, it would have worked by now!). In other words you need to
spend time auditing code (and then fixing it).

Sorry if this sounds grumpy but the fact is most people still get the
easy things wrong, to say nothing of the complicated things.

-- 
Kurt Seifried - Red Hat - Product Security - Cloud stuff and such
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
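As an added example, not part of this thread or of any OpenStack project: a small AST-based lint in the spirit of the grep Malini describes, flagging chmod calls whose literal mode grants group or world write and any call passed run_as_root=True so the developer has to justify it. The execute('chmod', '666', path, run_as_root=True) call shape and the sample driver code are assumptions constructed for the example.

```python
# Added example, not OpenStack code: flag promiscuous chmod modes and commands run as root.
# The execute('chmod', ...) / run_as_root=True call shape is an assumption about drivers.
import ast
import re
PROMISCUOUS_BITS = 0o022  # group-write | other-write; any mode carrying either is flagged
CHMOD_FUNCS = {"chmod", "fchmod", "lchmod"}
OCTAL = re.compile(r"0?[0-7]{3,4}")
SHELL_CHMOD = re.compile(r"\bchmod\b(?:\s+-\w+)*\s+(0?[0-7]{3,4})\b")

def _promiscuous(mode):
    return bool(mode & PROMISCUOUS_BITS)

def _is_str(node, pattern=None):
    return (isinstance(node, ast.Constant) and isinstance(node.value, str)
            and (pattern is None or pattern.fullmatch(node.value) is not None))

def find_anti_patterns(source):
    """Return (line, description) for each finding in one Python source file."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call):
            f, args = node.func, node.args
            name = f.attr if isinstance(f, ast.Attribute) else getattr(f, "id", None)
            # os.chmod(path, 0o777) style: literal int mode as second argument
            if (name in CHMOD_FUNCS and len(args) > 1 and isinstance(args[1], ast.Constant)
                    and isinstance(args[1].value, int) and _promiscuous(args[1].value)):
                findings.append((node.lineno, f"chmod with mode {args[1].value:#o}"))
            # execute('chmod', '666', path) style: octal string argument after 'chmod'
            elif args and _is_str(args[0]) and args[0].value == "chmod":
                for a in args[1:]:
                    if _is_str(a, OCTAL) and _promiscuous(int(a.value, 8)):
                        findings.append((node.lineno, f"chmod with mode {a.value}"))
            # anything passed run_as_root=True is reported so its need can be justified
            if any(k.arg == "run_as_root" and isinstance(k.value, ast.Constant)
                   and k.value.value is True for k in node.keywords):
                findings.append((node.lineno, "command run as root"))
        elif _is_str(node):  # 'chmod 777 ...' embedded in a shell command string
            for m in SHELL_CHMOD.finditer(node.value):
                if _promiscuous(int(m.group(1), 8)):
                    findings.append((node.lineno, f"shell chmod {m.group(1)}"))
    return findings

# Constructed sample driver code, not taken from cinder
SAMPLE = """\
def export_volume(path):
    os.chmod(path, 0o777)
    os.chmod(path, 0o600)
    utils.execute('chmod', '666', path, run_as_root=True)
    utils.execute('sh', '-c', 'chmod 0640 %s' % path)
"""
```

Running find_anti_patterns over each .py file in a tree gives the same list a grep would, but it also catches octal literals and separate-argument forms that a text search for "chmod 777" misses.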