[Openstack-security] [Bug 1514569] Re: Fix Postgres root-enable
Amrith
1514569 at bugs.launchpad.net
Tue Sep 6 17:36:11 UTC 2016
** Changed in: trove
Status: Fix Committed => Fix Released
--
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1514569
Title:
Fix Postgres root-enable
Status in OpenStack DBaaS (Trove):
Fix Released
Bug description:
Fix PostgreSQL root functions
The default PostgreSQL administration account is 'postgres'.
In the current implementation Trove uses the 'postgres' account and
returns a new superuser called 'root' when root access is requested.
The user 'root' has however no special meaning in PostgreSQL and the
existing applications may rely on the default superuser name 'postgres'.
Trove should be using its own administrative account (os_admin)
instead.
Notes:
The current implementation is broken for various reasons:
- It uses UUIDs in place of 'secure' password.
- It creates a 'root' user, but no database for it.
The clients won't be able to authenticate without explicitly
providing an existing database name.
- The created 'root' user has no 'SUPERUSER' attribute and
hence is not a real superuser (cannot perform certain tasks)...
- The implementation suffers a defect that allows a non-root user to
gain root access to an instance without marking it as 'root-enabled'.
A similar defect exists in other datastores (MySQL) too:
1. Create an instance.
2. Enable root.
3. Use your root access to change the password of the built-in
'postgres' account (Trove will still work because it uses the
'peer' authentication method - the UNIX account).
4. Login as 'postgres' using the changed password and drop the
created 'root' account.
5. Backup & restore the instance.
6. Trove reports the root has never been enabled (it checks for existence of
superuser accounts other than the built-in 'postgres').
7. You enjoy the root access of the 'postgres' user
(the password is not reset on restore).
To manage notifications about this bug go to:
https://bugs.launchpad.net/trove/+bug/1514569/+subscriptions
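The following is an added illustration of steps 3 to 7 of the bug description above; it is not Trove code and not part of the bug report. It models the PostgreSQL role catalog in memory using the real pg_authid column names (rolname, rolsuper, rolpassword), implements the root-enabled check the report describes (a superuser other than the built-in 'postgres'), runs the bypass sequence against it, and contrasts it with a hardened check. The `root_enabled_marker` field, the `bypass` function and the "backup & restore" modelled as a catalog copy are assumptions made for the example.

```python
# Added example, not Trove's code. Models the root-enable check described in
# bug 1514569 and the tenant-side sequence that defeats it.
import copy
from dataclasses import dataclass, field
from typing import List, Optional

BUILTIN_SUPERUSER = "postgres"


@dataclass
class Role:
    # Column names follow pg_authid; rolpassword is NULL when the role can only
    # authenticate via peer (UNIX account) auth, which is how Trove reaches 'postgres'.
    rolname: str
    rolsuper: bool = False
    rolpassword: Optional[str] = None


@dataclass
class Instance:
    # Fresh instance: only the built-in superuser, with no password set.
    roles: List[Role] = field(default_factory=lambda: [Role(BUILTIN_SUPERUSER, True)])
    # Hypothetical record kept by the control plane, outside the datastore.
    root_enabled_marker: bool = False

    def find(self, name: str) -> Optional[Role]:
        return next((r for r in self.roles if r.rolname == name), None)


def enable_root(inst: Instance, password: str) -> None:
    """Step 2: create a 'root' superuser and record the fact out of band."""
    inst.roles.append(Role("root", rolsuper=True, rolpassword=password))
    inst.root_enabled_marker = True


def root_enabled_flawed(inst: Instance) -> bool:
    """The check the report describes: does any superuser other than
    'postgres' exist in the catalog? Fully tenant-controlled once root is granted."""
    return any(r.rolsuper and r.rolname != BUILTIN_SUPERUSER for r in inst.roles)


def root_enabled_hardened(inst: Instance) -> bool:
    """Fail closed: trust the control plane's own record, and treat a password
    having been set on the built-in superuser as evidence of root access, since
    peer-only operation never needs one."""
    postgres = inst.find(BUILTIN_SUPERUSER)
    tampered = postgres is not None and postgres.rolpassword is not None
    return inst.root_enabled_marker or tampered or root_enabled_flawed(inst)


def bypass(inst: Instance, new_pw: str) -> Instance:
    """Steps 3 to 5, done with the tenant's root access. Returns the restored
    instance; the catalog (including the changed password) survives the copy,
    the control-plane marker does not."""
    inst.find(BUILTIN_SUPERUSER).rolpassword = new_pw      # ALTER ROLE postgres PASSWORD ...
    inst.roles = [r for r in inst.roles if r.rolname != "root"]  # DROP ROLE root
    return Instance(roles=copy.deepcopy(inst.roles))       # backup & restore


if __name__ == "__main__":
    inst = Instance()
    enable_root(inst, "tenant-chosen")
    restored = bypass(inst, "still-mine")
    print("flawed check after restore:  ", root_enabled_flawed(restored))   # False
    print("hardened check after restore:", root_enabled_hardened(restored)) # True
```

On a live server the `tampered` test corresponds to `SELECT rolpassword IS NOT NULL FROM pg_authid WHERE rolname = 'postgres'`, which must be run as a superuser since pg_authid is not readable by ordinary roles. The catalog heuristics are only a backstop: anything inferred from a catalog the tenant can rewrite with superuser rights is advisory, and the durable fix is to keep the root-enabled record in the control plane and, as the report recommends, to manage the instance through a separate administrative account rather than the built-in 'postgres'.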