[Openstack-security] [Bug 1445295] Re: Guestagent config leaks rabbit password
Amrith Kumar
1445295 at bugs.launchpad.net
Thu Jun 8 12:15:02 UTC 2017
** Changed in: trove
Status: New => Invalid
** Changed in: trove
Assignee: Amrith Kumar (amrith) => (unassigned)
--
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1445295
Title:
Guestagent config leaks rabbit password
Status in OpenStack Security Advisory:
Won't Fix
Status in OpenStack DBaaS (Trove):
Invalid
Bug description:
A running guest VM has the guestagent service running. Included in this is the trove-guestagent.conf file. This contains (at least) the rabbit password.
It is pretty easy to extract this as an unprivileged user. Given that the guest image is publicly available, it can be downloaded and (if needed) converted to raw and mounted. From this either:
- config can be immediately read if guestagent is pre-installed (or)
- rsync command and ip + location of config files can be gleaned from
the init script
In the second case it is then pretty easy to boot a VM on the appropriate network and rsync the config files using the above gleaned command(s) as required (e.g. add keys to the previously downloaded Trove guest image, upload it to Glance, then run it directly from Nova and ssh in...).
I'm thinking that we need to set up the guestagent so it does *not* need to know this level of detail about the inner workings of OpenStack.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ossa/+bug/1445295/+subscriptions
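An added defender-side check, not part of the bug report or of Trove itself: it scans a guest agent config for plaintext message-bus credentials so an image build or CI job can fail before such a file ships inside a public guest image. The option names follow oslo.messaging conventions and the sample config is constructed; both are assumptions, not values taken from the page.

```python
import configparser
from urllib.parse import urlparse

# Constructed sample of a guest agent config (not the real file from the
# report); option names follow oslo.messaging conventions (assumed).
SAMPLE_CONF = """
[DEFAULT]
rabbit_host = 10.0.0.5
rabbit_userid = guest
rabbit_password = s3cret
control_exchange = trove

[oslo_messaging_rabbit]
transport_url = rabbit://trove:hunter2@10.0.0.5:5672/
"""

# Options whose presence in a guest-readable config hands the guest working
# credentials for the control plane's message bus.
CREDENTIAL_OPTIONS = ("rabbit_password", "rabbit_userid", "transport_url")


def find_plaintext_bus_credentials(conf_text):
    """Return [(section, option)] for every credential-bearing option found.

    Only option names are reported, never values, so the report cannot
    re-leak the secret. A transport_url counts only if it embeds a password.
    """
    # Use a dummy default section so [DEFAULT] is parsed as an ordinary
    # section and its options are not inherited (and double-counted) by
    # every other section.
    parser = configparser.ConfigParser(interpolation=None,
                                       default_section="__none__")
    parser.read_string(conf_text)
    findings = []
    for section in parser.sections():
        for option in CREDENTIAL_OPTIONS:
            if not parser.has_option(section, option):
                continue
            if option == "transport_url":
                value = parser.get(section, option)
                if urlparse(value).password is None:
                    continue  # URL without an embedded secret is not a leak
            findings.append((section, option))
    return findings


if __name__ == "__main__":
    for section, option in find_plaintext_bus_credentials(SAMPLE_CONF):
        print(f"plaintext bus credential: [{section}] {option}")
```

Run it against the config staged into an image build; a non-empty result means the guest image would ship with control-plane credentials the reporter describes.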