[Openstack-security] Security Anti-Patterns

Clark, Robert Graham robert.clark at hp.com
Thu May 29 06:47:39 UTC 2014



On 29/05/2014 05:56, "Kurt Seifried" <kseifried at redhat.com> wrote:

>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA1
>
>On 05/28/2014 09:55 PM, Bhandaru, Malini K wrote:
>> Hello Everyone!
>> 
>> Can you think of a security anti-pattern? Share them and help make
>> OpenStack more secure.
>> 
>> 
>> 
>> Below is an excerpt from the wiki under development  --
>> 
>>https://wiki.openstack.org/wiki/Security/OpenStack_Security_Impact_Checks
>>
>> 
>> OpenStack security is getting greater scrutiny as adoption
>> increases. At the Icehouse summit during an OSSG design session we
>> floated the idea of incorporating automated tests to capture some
>> security anti-patterns.
>> 
>> For instance, consider cinder file permissions bug
>> <https://bugs.launchpad.net/cinder/+bug/1260679>; the extent of the
>> bug, namely affected drivers, was determined with a grep, a check
>> for "chmod" with promiscuous file settings for group and world.
>> It transpired that several of the drivers were setting volume file
>> permissions to 777 and 666!
>> 
>> Yet another possible test is checking for shell command executions
>> as root. Occasionally these cannot be avoided but alerting to
>> these helps the developer re-think the code and at the very least
>> justify its need.
>> 
>> 
>> Hope to hear from you!
>> 
>> Malini
>
>So I find this.. I dunno. So 20 years ago when I started doing
>information security the pattern of "least privilege" was well
>established. Now 20 years later everyone is discovering it yet again
>(for about the, well, 20th time).
>
>Rather than going with the easy "let's make code that works" resulting
>in abuse of privileges (e.g. file modes that are 666/777), you need to
>spend time and effort dialling down the privileges and testing. Not
>documenting "don't use mode 666/777" (if documenting this stuff
>worked, it would have worked by now!). In other words you need to
>spend time auditing code (and then fixing it).
>
>Sorry if this sounds grumpy but the fact is most people still get the
>easy things wrong, to say nothing of the complicated things.
>
>- -- 
>Kurt Seifried - Red Hat - Product Security - Cloud stuff and such
>PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

I certainly share your frustration; I think the idea with the
anti-patterns is to document the things that get done badly most often in
OpenStack and format them in a way that's easily consumable by core devs
and PTLs. The list should be short enough that they can refer back to it
while reviewing new features.

It's not going to fix anything on its own, but anything we can do to help
developers not make the same mistakes which, as you point out, have been
made for the last 20 years is a good thing.

-Rob
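The two checks proposed in the quoted message (chmod with modes writable by group or world, and shell commands run as root), carried out as a Python AST scan rather than a grep so that the mode is actually decoded instead of pattern-matched. This is an added example, not code from OpenStack, cinder or the OSSG. The call names it matches (chmod, execute, run_as_root, sudo and the subprocess helpers) and the sample driver it runs over are assumptions constructed for illustration; it goes slightly beyond the text by also catching chmod invoked through a shell helper, which is how drivers commonly did it.

```python
"""Static check for two anti-patterns from the thread: file modes writable by
group or world, and shell commands executed as root.

Added example for this page; not code from OpenStack, cinder or the OSSG.
It parses Python 3 syntax with the stdlib ast module (octal literals are
written 0o666 here, not the Python 2 form 0666 that cinder used in 2014).
"""
import ast
import stat

# Group or world write bit set: the "promiscuous" modes the thread means
# (666 and 777, but also 660, 775 and similar).
PROMISCUOUS_BITS = stat.S_IWGRP | stat.S_IWOTH

# Assumed call names; extend these for the code base being scanned.
CHMOD_FUNCS = {"chmod", "fchmod", "lchmod"}
EXEC_FUNCS = {"execute", "call", "check_call", "check_output",
              "run", "Popen", "system"}


def _dotted_name(func):
    """'os.chmod' for os.chmod(...), 'utils.execute' for utils.execute(...)."""
    parts = []
    while isinstance(func, ast.Attribute):
        parts.append(func.attr)
        func = func.value
    if isinstance(func, ast.Name):
        parts.append(func.id)
    return ".".join(reversed(parts))


def _int_const(node):
    ok = isinstance(node, ast.Constant) and isinstance(node.value, int)
    return node.value if ok and not isinstance(node.value, bool) else None


def _str_const(node):
    return node.value if isinstance(node, ast.Constant) and isinstance(node.value, str) else None


def _keyword(call, name):
    for kw in call.keywords:
        if kw.arg == name:
            return kw.value
    return None


def _octal(tok):
    return bool(tok) and all(c in "01234567" for c in tok)


def find_antipatterns(source, filename="<string>"):
    """Return (lineno, kind, message) tuples, sorted by line, for each hit."""
    findings = []
    for node in ast.walk(ast.parse(source, filename)):
        if not isinstance(node, ast.Call):
            continue
        name = _dotted_name(node.func)
        short = name.rsplit(".", 1)[-1]
        # Literal string arguments, split into shell-style tokens.
        strs = [s for s in (_str_const(a) for a in node.args) if s is not None]
        tokens = [t for s in strs for t in s.split()]

        if short in CHMOD_FUNCS:
            # os.chmod(path, mode) or os.chmod(path, mode=...)
            mode_node = _keyword(node, "mode")
            if mode_node is None and len(node.args) > 1:
                mode_node = node.args[1]
            mode = _int_const(mode_node)
            if mode is not None and mode & PROMISCUOUS_BITS:
                findings.append((node.lineno, "chmod",
                                 f"{name} sets mode {mode:#o} (group/world writable)"))

        elif short in EXEC_FUNCS:
            root_kw = _keyword(node, "run_as_root")
            as_root = (isinstance(root_kw, ast.Constant) and root_kw.value is True) \
                or tokens[:1] == ["sudo"]
            if as_root:
                findings.append((node.lineno, "root_exec",
                                 f"{name} runs a command as root"))
            # chmod through a shell helper: execute('chmod', '777', path, ...)
            if "chmod" in tokens:
                i = tokens.index("chmod")
                if i + 1 < len(tokens) and _octal(tokens[i + 1]):
                    if int(tokens[i + 1], 8) & PROMISCUOUS_BITS:
                        findings.append((node.lineno, "chmod",
                                         f"{name} invokes chmod {tokens[i + 1]} (group/world writable)"))
    findings.sort(key=lambda f: f[0])
    return findings


# Constructed sample resembling a volume driver; not real cinder code.
SAMPLE_DRIVER = '''\
import os
from cinder import utils

def create_volume(path):
    os.chmod(path, 0o666)                                  # world-writable
    os.chmod(path, 0o660)                                  # group-writable
    os.chmod(path, 0o600)                                  # owner only: fine
    utils.execute('chmod', '777', path, run_as_root=True)  # both patterns
    utils.execute('mount', path, run_as_root=True)         # root shell command
    os.system('sudo chmod 666 /dev/vg/vol')                # both, via string
    utils.execute('ls', path)                              # not root: fine
'''

if __name__ == "__main__":
    for lineno, kind, msg in find_antipatterns(SAMPLE_DRIVER, "sample_driver.py"):
        print(f"sample_driver.py:{lineno}: [{kind}] {msg}")
```

Run against a tree with a small wrapper that reads each file, and treat every root_exec hit as something the author has to justify in review rather than as a bug by itself; the chmod hits are the ones that mirror the cinder case directly.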