[Openstack-security] [Bug 1445295] Re: Guestagent config leaks rabbit password
Amrith
1445295 at bugs.launchpad.net
Wed Apr 13 01:34:03 UTC 2016
flwang asked questions about this on IRC today. I'll update the bug with
the known avoidance and explanations on how to securely deploy trove.
https://bugs.launchpad.net/bugs/1445295
Title:
Guestagent config leaks rabbit password
Status in OpenStack Security Advisory:
Won't Fix
Status in OpenStack DBaaS (Trove):
New
Bug description:
A running guest vm has the guestagent service running. Included in
this is the trove-guestagent.conf file. This contains (at least) the
rabbit password.
It is pretty easy to extract this as an unprivileged user - given that the guest image is publicly available, it can be downloaded,
and (if needed) converted to raw and mounted. From this either:
- config can be immediately read if guestagent is pre-installed (or)
- rsync command and ip + location of config files can be gleaned from
the init script
In the second case it is then pretty easy to boot a vm on the
appropriate network and rsync the config files using the above gleaned
command(s) as required (e.g. add keys to the previously downloaded trove
guest image, upload it to glance then run it directly from nova and ssh
in...).
I'm thinking that we need to set up the guestagent so it does *not*
need to know this level of detail about the inner workings of
OpenStack.
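As an added example (not code from Trove or from this bug thread): a small audit a deployer could run against the trove-guestagent.conf baked into a guest image before publishing it, flagging a rabbit_password option or a transport_url with embedded credentials. The two config samples, their hosts and passwords are constructed; the file is read as the INI layout oslo.config uses, and the option names are assumed from oslo.messaging conventions.

```python
import configparser
from urllib.parse import urlparse

# Constructed sample of a leaking guest config (values are made up).
LEAKING_CONF = """
[DEFAULT]
rabbit_host = 10.0.0.5
rabbit_userid = trove
rabbit_password = s3cret-bus-pass

[oslo_messaging_rabbit]
transport_url = rabbit://trove:s3cret-bus-pass@10.0.0.5:5672/
"""

# Constructed sample with the credential left out of the image, so it
# has to be supplied to the guest at boot time rather than baked in.
CLEAN_CONF = """
[DEFAULT]
rabbit_host = 10.0.0.5
rabbit_userid = trove

[oslo_messaging_rabbit]
transport_url = rabbit://10.0.0.5:5672/
"""

PASSWORD_OPTIONS = {"rabbit_password", "password"}

def url_has_password(url):
    """True if any host spec in an oslo transport_url carries user:pass@."""
    for host_spec in urlparse(url).netloc.split(","):
        userinfo, at, _host = host_spec.rpartition("@")
        if at and userinfo.partition(":")[2]:
            return True
    return False

def find_bus_credentials(conf_text):
    """Return (section, option) pairs in conf_text that embed a password."""
    # Treat [DEFAULT] as an ordinary section so its options are not
    # mirrored into every other section and reported twice.
    parser = configparser.ConfigParser(interpolation=None,
                                       default_section="__none__")
    parser.read_string(conf_text)
    hits = []
    for section in parser.sections():
        for option, value in parser.items(section):
            if option in PASSWORD_OPTIONS and value.strip():
                hits.append((section, option))
            elif option == "transport_url" and url_has_password(value):
                hits.append((section, option))
    return hits

if __name__ == "__main__":
    for name, text in (("leaking", LEAKING_CONF), ("clean", CLEAN_CONF)):
        print(name, find_bus_credentials(text))
```

An empty result for the config extracted from a mounted image is the condition a deployer wants before the image is shared; any hit means the bus password ships with the image itself.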