<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 04/22/2014 11:29 AM, Clark, Robert
Graham wrote:<br>
</div>
<blockquote
cite="mid:A0C170085C37664D93EE1604364858A1122D290F@G4W3229.americas.hpqcorp.net"
type="cite">
<div class="WordSection1">
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D;mso-fareast-language:EN-US">As
Bryan mentioned already, a user with access to production
systems, particularly one with sudo/root access – is in an
incredibly privileged position. On its own this is an
auditing issue but it’s a recognised one. In most
deployments subject to auditing (i.e. production) it’s
likely that compensating controls such as gated access, user
logging, MAC etc. are all in place to control the risk.<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D;mso-fareast-language:EN-US">It’s
a messy problem to deal with. I’ve seen approaches where the
process and configuration file are both owned by an elevated
user; once the process has loaded the configuration file it
drops privs and can no longer read the file. This can be
useful as a mechanism for avoiding directory traversal in
web services etc. I’m not sure how viable an approach this
would be with something like Swift.<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D;mso-fareast-language:EN-US">-Rob</span></p>
</div>
</blockquote>
<br>
I'd like to see a concerted effort to allow all services to get
keystone tokens with either Kerberos (keytabs) or X509 client
certificates.<br>
<br>
<blockquote
cite="mid:A0C170085C37664D93EE1604364858A1122D290F@G4W3229.americas.hpqcorp.net"
type="cite">
<div class="WordSection1">
<div style="border:none;border-left:solid blue 1.5pt;padding:0cm
0cm 0cm 4.0pt">
<div>
<div style="border:none;border-top:solid #E1E1E1
1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif""
lang="EN-US">From:</span></b><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif""
lang="EN-US"> Bryan D. Payne [<a class="moz-txt-link-freetext" href="mailto:bdpayne@acm.org">mailto:bdpayne@acm.org</a>]
<br>
<b>Sent:</b> 22 April 2014 01:16<br>
<b>To:</b> Adam Lawson<br>
<b>Cc:</b> <a class="moz-txt-link-abbreviated" href="mailto:openstack-security@lists.openstack.org">openstack-security@lists.openstack.org</a><br>
<b>Subject:</b> Re: [Openstack-security] Credentials
in clear text<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal">This is fair. I'm not personally
familiar with Swift, so I will let others chime in on
that.<o:p></o:p></p>
<div>
<p class="MsoNormal">-bryan<o:p></o:p></p>
</div>
</div>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><o:p> </o:p></p>
<div>
<p class="MsoNormal">On Mon, Apr 21, 2014 at 4:47 PM, Adam
Lawson <<a moz-do-not-send="true"
href="mailto:alawson@aqorn.com" target="_blank">alawson@aqorn.com</a>>
wrote:<o:p></o:p></p>
<blockquote style="border:none;border-left:solid #CCCCCC
1.0pt;padding:0cm 0cm 0cm
6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0cm;margin-bottom:5.0pt">
<div>
<p class="MsoNormal">Preventing access to passwords
for the purpose of preventing unauthorized access to
data is another way I look at it.<o:p></o:p></p>
</div>
<div>
<div>
<p class="MsoNormal"><br clear="all">
<o:p></o:p></p>
<div>
<div>
<div>
<div>
<p class="MsoNormal"><b><i><span
style="font-family:"Arial","sans-serif""><br>
Adam Lawson</span></i></b><span
style="font-family:"Arial","sans-serif""><o:p></o:p></span></p>
</div>
<div>
<div>
<p class="MsoNormal"><span
style="font-family:"Arial","sans-serif";color:#666666">AQORN,
Inc.<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-family:"Arial","sans-serif";color:#666666">427
North Tatnall Street<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-family:"Arial","sans-serif";color:#666666">Ste.
58461<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-family:"Arial","sans-serif";color:#666666">Wilmington,
Delaware 19801-2230<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-family:"Arial","sans-serif";color:#666666">Toll-free:
(844) 4-AQORN-NOW<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-family:"Arial","sans-serif";color:#666666">Direct:
</span><a moz-do-not-send="true"
href="tel:%2B1%20%28302%29%20268-6914"
target="_blank"><span
style="font-family:"Arial","sans-serif"">+1
(302) 268-6914</span></a><span
style="font-family:"Arial","sans-serif";color:#666666"><o:p></o:p></span></p>
</div>
</div>
</div>
<div>
<p class="MsoNormal"><span
style="font-family:"Arial","sans-serif""><img
moz-do-not-send="true" id="_x0000_i1027"
src="http://www.aqorn.com/images/logo.png"
alt="http://www.aqorn.com/images/logo.png"
height="49" border="0" width="120"></span><span
style="font-family:"Arial","sans-serif""><o:p></o:p></span></p>
</div>
</div>
</div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><o:p> </o:p></p>
</div>
<div>
<div>
<div>
<p class="MsoNormal">On Mon, Apr 21, 2014 at
4:46 PM, Adam Lawson <<a
moz-do-not-send="true"
href="mailto:alawson@aqorn.com"
target="_blank">alawson@aqorn.com</a>>
wrote:<o:p></o:p></p>
<blockquote style="border:none;border-left:solid
#CCCCCC 1.0pt;padding:0cm 0cm 0cm
6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0cm;margin-bottom:5.0pt">
<div>
<p class="MsoNormal">My initial concern is
specific to Swift and gaining global
access to all data by virtue of having
access to a single proxy node. It seems
more than access to system resources but a
flaw in how data is controlled (and
passwords are controlled).<o:p></o:p></p>
</div>
<div>
<div>
<div>
<div>
<p class="MsoNormal">On Mon, Apr 21,
2014 at 4:41 PM, Bryan D. Payne <<a
moz-do-not-send="true"
href="mailto:bdpayne@acm.org"
target="_blank">bdpayne@acm.org</a>>
wrote:<o:p></o:p></p>
<blockquote
style="border:none;border-left:solid
#CCCCCC 1.0pt;padding:0cm 0cm 0cm
6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0cm;margin-bottom:5.0pt">
<div>
<p class="MsoNormal">This would be
a nice hardening step, but if
you have sudo on the box there are
a lot of things you can do and see.
This is just the tip of the
iceberg. For example, access to
the backend db? Access to
traffic on the network / unix
sockets / etc.? Access to logs.<o:p></o:p></p>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">I am not
aware of any current efforts
to mask this information from
the config files. But that
doesn't mean it's not
happening. If someone is
aware of such an effort, I'd
certainly be interested in
learning more about it.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Cheers,<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">-bryan<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</div>
<div>
<p class="MsoNormal"
style="margin-bottom:12.0pt"><o:p> </o:p></p>
<div>
<div>
<div>
<p class="MsoNormal">On Mon,
Apr 21, 2014 at 4:26 PM,
Adam Lawson <<a
moz-do-not-send="true"
href="mailto:alawson@aqorn.com"
target="_blank">alawson@aqorn.com</a>>
wrote:<o:p></o:p></p>
</div>
</div>
<blockquote
style="border:none;border-left:solid
#CCCCCC 1.0pt;padding:0cm 0cm
0cm
6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0cm;margin-bottom:5.0pt">
<div>
<div>
<div>
<p class="MsoNormal">Have
.conf files containing
credentials and tokens
been addressed, or are they
being addressed? Seems
there are a lot of
keys to the kingdom
clearly visible to
staff who have access
to systems for
day-to-day admin work
but don't/shouldn't be
able to view them. If
they have sudo access,
they have everything
they need to get where
they don't belong.
Really strikes me as
an obvious audit
issue...<span
style="color:#888888"><o:p></o:p></span></p>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</div>
<p class="MsoNormal"
style="margin-bottom:12.0pt">_______________________________________________<br>
Openstack-security mailing
list<br>
<a moz-do-not-send="true"
href="mailto:Openstack-security@lists.openstack.org"
target="_blank">Openstack-security@lists.openstack.org</a><br>
<a moz-do-not-send="true"
href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-security"
target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-security</a><o:p></o:p></p>
</blockquote>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</blockquote>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</div>
</div>
</blockquote>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</div>
</div>
</blockquote>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</div>
</div>
<br>
</blockquote>
<br>
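<p>Added example, not code from this thread, from Swift or from OpenStack: a Python sketch of the pattern Rob Clark describes above, where a service starts privileged, reads the configuration file that holds credentials, then drops to an unprivileged uid/gid so the running process can no longer open the file. It also includes the file-permission pre-flight check that makes the drop meaningful (a 0644 config is readable by every local account regardless). The config keys, the sample file contents and the <code>nobody</code> service account are assumptions made for the example.</p>

```python
"""Read a root-owned secrets config, then drop privileges.

Added illustration (not Swift or OpenStack code) of the approach Rob Clark
describes: the service starts privileged, loads the configuration that
holds credentials, then switches to an unprivileged uid/gid so the file is
no longer readable by the running process.  Config keys, the sample file
and the service account used in main() are constructed for the example.
"""
import configparser
import os
import stat
import tempfile

# Constructed sample, loosely in proxy-server.conf style; not a real deployment.
SAMPLE_CONF = """\
[filter:keystoneauth]
auth_uri = https://keystone.example.invalid:5000/
admin_user = swift
admin_password = constructed-example-password
"""


def parse_secrets(text):
    """Pull the credential settings out of an ini-style config string."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    section = cp["filter:keystoneauth"]
    return {"admin_user": section.get("admin_user"),
            "admin_password": section.get("admin_password")}


def config_permissions_ok(path, owner_uid):
    """True if the file is owned by owner_uid and has no group/other mode bits.

    This is the check that makes the privilege drop meaningful: a config that
    is group- or world-readable leaks the secrets whether or not we drop privs.
    """
    st = os.stat(path)
    other_bits = stat.S_IRWXG | stat.S_IRWXO
    return st.st_uid == owner_uid and (st.st_mode & other_bits) == 0


def drop_privileges(uid, gid):
    """Switch to uid/gid irreversibly. Returns False when not started as root."""
    if uid == 0:
        raise ValueError("target uid must be an unprivileged account")
    if os.geteuid() != 0:
        return False          # nothing to drop; the caller decides if that is fatal
    os.setgroups([])          # shed supplementary groups first
    os.setgid(gid)            # gid before uid, while we are still allowed to
    os.setuid(uid)
    try:                      # verify the drop cannot be undone
        os.setuid(0)
    except PermissionError:
        return True
    raise RuntimeError("privilege drop did not stick")


def can_open(path):
    """Whether the current (possibly de-privileged) process can read path."""
    try:
        with open(path, "rb"):
            return True
    except PermissionError:
        return False


def load_then_drop(path, uid, gid):
    """Read secrets while privileged, then drop to uid/gid.

    Returns (secrets, dropped). The secrets stay in process memory only; the
    file is unreadable to the process afterwards, and to other accounts only
    because config_permissions_ok was enforced before reading it.
    """
    if not config_permissions_ok(path, os.geteuid()):
        raise RuntimeError("refusing to start: %s is readable by other accounts" % path)
    with open(path) as fh:
        secrets = parse_secrets(fh.read())
    return secrets, drop_privileges(uid, gid)


def write_sample_conf(mode):
    """Write SAMPLE_CONF to a temp file with the given mode; returns its path."""
    with tempfile.NamedTemporaryFile("w", suffix=".conf", delete=False) as fh:
        fh.write(SAMPLE_CONF)
    os.chmod(fh.name, mode)
    return fh.name


def current_uid():
    return os.getuid()


def current_gid():
    return os.getgid()


if __name__ == "__main__":
    # Run as root to see the drop take effect; 'nobody' is an assumed account.
    import pwd
    target = pwd.getpwnam("nobody")
    path = write_sample_conf(0o600)
    secrets, dropped = load_then_drop(path, target.pw_uid, target.pw_gid)
    print("loaded user=%s dropped=%s file still readable=%s"
          % (secrets["admin_user"], dropped, can_open(path)))
```

<p>Run unprivileged, <code>load_then_drop</code> reads the file and reports <code>dropped=False</code>; run as root it reads the 0600 root-owned file, drops to the target account, and <code>can_open</code> then returns <code>False</code> for the same path. The ordering inside <code>drop_privileges</code> (supplementary groups, then gid, then uid, then a check that root cannot be regained) is the part that is easy to get wrong in practice.</p>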
</body>
</html>