[Openstack-security] [Bug 1700501] Re: Insecure rootwrap usage

Jeremy Stanley fungi at yuggoth.org
Tue Jun 27 16:45:42 UTC 2017


In a private E-mail reply, Benjamin agreed with the suggestion to
proceed with this report in public for now. As such, I'm triaging it as
class B2 ("a vulnerability without a complete fix yet, security note for
all versions, e.g., poor architecture / design"). The security note
normally suggested by B2 is probably not warranted either given the
existing treatment in the security guide, linked from the initial
report.

** Information type changed from Private Security to Public

** Description changed:

- This issue is being treated as a potential security risk under embargo.
- Please do not make any public mention of embargoed (private) security
- vulnerabilities before their coordinated publication by the OpenStack
- Vulnerability Management Team in the form of an official OpenStack
- Security Advisory. This includes discussion of the bug or associated
- fixes in public forums such as mailing lists, code review systems and
- bug trackers. Please also avoid private disclosure to other individuals
- not already approved for access to this information, and provide this
- same reminder to those who are made aware of the issue prior to
- publication. All discussion should remain confined to this private bug
- report, and any proposed fixes should be added to the bug as
- attachments.
- 
- --
- 
  Reported by Benjamin Deuter of SUSE:
  
  Some rootwrap filters are too permissive and allow privilege escalation
  from service user, as explained here:
  
  https://security.openstack.org/guidelines/dg_use-oslo-rootwrap-securely.html#incorrect
  
  For example this shouldn't be authorized:
  
  sudo nova-rootwrap /etc/nova/rootwrap.conf chmod 777 /etc/shadow

** Tags added: security

-- 
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1700501

Title:
  Insecure rootwrap usage

Status in Cinder:
  New
Status in Manila:
  New
Status in OpenStack Compute (nova):
  New
Status in OpenStack Security Advisory:
  Incomplete

Bug description:
  Reported by Benjamin Deuter of SUSE:

  Some rootwrap filters are too permissive and allow privilege
  escalation from service user, as explained here:

  https://security.openstack.org/guidelines/dg_use-oslo-rootwrap-securely.html#incorrect

  For example this shouldn't be authorized:

  sudo nova-rootwrap /etc/nova/rootwrap.conf chmod 777 /etc/shadow

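The filter behaviour the report is about, as an added example that is not code from the bug, from oslo.rootwrap, or from SUSE/OpenStack: a small Python reimplementation of three rootwrap filter classes, showing why a bare CommandFilter on chmod lets the service user run `chmod 777 /etc/shadow` as root, and how a RegExpFilter or PathFilter entry for the same command constrains it. The filter entries, their names and the /var/lib/nova/instances directory are assumptions constructed for illustration; only the `name: Class, exec, user, args...` syntax follows the real rootwrap.d/*.filters format.

```python
"""Simplified re-implementation of rootwrap filter matching.

This is an added example, not oslo.rootwrap's own code: it mimics the
documented semantics of CommandFilter, RegExpFilter and PathFilter just
closely enough to show why a bare CommandFilter on chmod is root-equivalent
for the service user, and how the other two classes constrain it.
"""
import configparser
import os
import re
from typing import List, Optional

# Constructed filter files. The syntax follows rootwrap.d/*.filters; the
# entries, names and the /var/lib/nova/instances directory are assumptions
# made for this example.
PERMISSIVE_FILTERS = """\
[Filters]
# Matches on argv[0] only: any mode, any target, e.g. chmod 777 /etc/shadow.
chmod: CommandFilter, chmod, root
"""

HARDENED_FILTERS = """\
[Filters]
# Every argument must fully match its (anchored) regex.
chmod_images: RegExpFilter, /bin/chmod, root, chmod, 0644, /var/lib/nova/instances/[^/]+/disk
# "pass" lets the mode through unchecked; the path must resolve under the dir.
chmod_instances: PathFilter, /bin/chmod, root, pass, /var/lib/nova/instances
"""


class Filter:
    def __init__(self, name: str, kind: str, exec_path: str,
                 run_as: str, args: List[str]) -> None:
        self.name, self.kind, self.exec_path = name, kind, exec_path
        self.run_as, self.args = run_as, args

    def match(self, userargs: List[str]) -> bool:
        # All three classes first require argv[0] to be the filter's command.
        if not userargs or userargs[0] != os.path.basename(self.exec_path):
            return False
        if self.kind == "CommandFilter":
            return True  # arguments are never inspected: the hole in the report
        if self.kind == "RegExpFilter":
            if len(self.args) != len(userargs):
                return False
            return all(re.fullmatch(p, a) is not None
                       for p, a in zip(self.args, userargs))
        if self.kind == "PathFilter":
            arguments = userargs[1:]
            if len(arguments) != len(self.args):
                return False
            for spec, value in zip(self.args, arguments):
                if os.path.isabs(spec):
                    # Resolve symlinks and ".." before the containment check,
                    # otherwise instances/link -> /etc/shadow would slip through.
                    real = os.path.realpath(value)
                    if os.path.commonpath([spec, real]) != spec:
                        return False
                elif spec != "pass" and spec != value:
                    return False
            return True
        raise ValueError("unsupported filter class %s" % self.kind)


def load_filters(text: str) -> List[Filter]:
    """Parse the [Filters] section: name: Class, exec, user, arg, arg, ..."""
    parser = configparser.ConfigParser()
    parser.read_string(text)
    filters = []
    for name, value in parser.items("Filters"):
        kind, exec_path, run_as, *args = [p.strip() for p in value.split(",")]
        filters.append(Filter(name, kind, exec_path, run_as, args))
    return filters


def authorized_filter(filters: List[Filter], userargs: List[str]) -> Optional[str]:
    """Name of the first filter that would let rootwrap run userargs as root."""
    for flt in filters:
        if flt.match(userargs):
            return flt.name
    return None


if __name__ == "__main__":
    cmd = ["chmod", "777", "/etc/shadow"]
    print("permissive:", authorized_filter(load_filters(PERMISSIVE_FILTERS), cmd))
    print("hardened:  ", authorized_filter(load_filters(HARDENED_FILTERS), cmd))
```

Under the permissive file the command is authorized by the `chmod` entry; under the hardened file nothing matches it, while `chmod 0600 /var/lib/nova/instances/abc/disk` is still allowed through the PathFilter. The same check is worth running against a deployment's real rootwrap.d directory: any CommandFilter whose executable can change ownership, modes or file contents of arbitrary paths (chmod, chown, cp, dd, tee and similar) is the pattern the guideline's "incorrect" section describes.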