[Openstack-security] [Bug 1611171] Re: re-runs self via sudo

OpenStack Infra 1611171 at bugs.launchpad.net
Tue Oct 25 15:07:05 UTC 2016 

Reviewed:  https://review.openstack.org/371927
Committed: https://git.openstack.org/cgit/openstack/rally/commit/?id=2259b17384c0eb7da9325123e6f4041c5b317c79
Submitter: Jenkins
Branch:    master

commit 2259b17384c0eb7da9325123e6f4041c5b317c79
Author: Iswarya_Vakati <v.iswarya at nectechnologies.in>
Date:   Sat Sep 17 18:19:22 2016 +0530

    Don't attempt to escalate rally-manage privileges
    
    Remove code which allowed rally-manage to attempt to escalate
    privileges so that configuration files can be read by users who
    normally wouldn't have access, but do have sudo access.
    
    Change-Id: Iff352e463189738d3f371c819edfeb0664fd7684
    Closes-Bug:#1611171


** Changed in: rally
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1611171

Title:
  re-runs self via sudo

Status in Cinder:
  Fix Released
Status in Designate:
  In Progress
Status in ec2-api:
  In Progress
Status in gce-api:
  Fix Released
Status in Manila:
  In Progress
Status in masakari:
  Fix Released
Status in OpenStack Compute (nova):
  Fix Released
Status in OpenStack Compute (nova) newton series:
  Fix Committed
Status in OpenStack Security Advisory:
  Won't Fix
Status in Rally:
  Fix Released

Bug description:
  Hello, I'm looking through Designate source code to determine if is
  appropriate to include in Ubuntu Main. This isn't a full security
  audit.

  This looks like trouble:

  ./designate/cmd/manage.py

  def main():
      CONF.register_cli_opt(category_opt)

      try:
          utils.read_config('designate', sys.argv)
          logging.setup(CONF, 'designate')
      except cfg.ConfigFilesNotFoundError:
          cfgfile = CONF.config_file[-1] if CONF.config_file else None
          if cfgfile and not os.access(cfgfile, os.R_OK):
              st = os.stat(cfgfile)
              print(_("Could not read %s. Re-running with sudo") % cfgfile)
              try:
                  os.execvp('sudo', ['sudo', '-u', '#%s' % st.st_uid] + sys.argv)
              except Exception:
                  print(_('sudo failed, continuing as if nothing happened'))

          print(_('Please re-run designate-manage as root.'))
          sys.exit(2)

  
  This is an interesting decision -- if the configuration file is _not_ readable by the user in question, give the executing user complete privileges of the user that owns the unreadable file.

  I'm not a fan of hiding privilege escalation / modifications in
  programs -- if a user had recently used sudo and thus had the
  authentication token already stored for their terminal, this 'hidden'
  use of sudo may be unexpected and unwelcome, especially since it
  appears that argv from the first call leaks through to the sudo call.

  Is this intentional OpenStack style? Or unexpected for you guys too?

  (Feel free to make this public at your convenience.)

  Thanks

To manage notifications about this bug go to:
https://bugs.launchpad.net/cinder/+bug/1611171/+subscriptions

More information about the Openstack-security mailing list