[openstack-dev] Any use for rootwrap?

Jean-Marc Saffroy jean.marc.saffroy at scality.com
Mon Feb 4 15:48:21 UTC 2013


Hi,

On 02/04/2013 04:03 PM, Thomas Goirand wrote:
> Hi,
>
> Today, chatting in #debian-devel, Ansgar very well noticed that Cinder
> rootwrap has this in /etc/cinder/rootwrap.conf:
>
> chown: CommandFilter, /bin/chown, root
>
> What's the point of having rootwrap if we allow the use of chown? That's
> equivalent to running as root:
>
> chown cinder /bin/bash
>
> game over...

Your reasoning assumes that *any* security issue that might happen with
e.g. the Cinder daemon is equivalent to running arbitrary commands as the
cinder user, which isn't true. There can be issues that let the attacker
run any command, but there are also issues that only let them do much
less harm: preventing the latter is also good.

Having a service running with its own uid except for a few commands is 
still better than running as root all the time. Security isn't always 
about absolutes.

That said, there is probably room for improvement. For example, the 
rootwrap config can be changed to provide tighter security, for instance 
see the RegExpFilter:
http://wiki.openstack.org/Nova/Rootwrap

In this particular case, you could identify e.g. different file path
prefixes that suffice for operations, and configure something like this:

chown: RegExpFilter, root, /bin/chown, --, root, /foo/bar/volume-.*

But the prefixes depend on the installation details.


JM

>
> Nova has the same problem. There might be others (quantum?), I haven't
> dug so much...
>
> It's dangerous if we are considering that we aren't root, when really,
> we do have all the root capabilities. I hope that nobody is seriously
> thinking about enforcing any kind of security policies this way.
>
> Comments anyone?
>
> Thomas
>
> _______________________________________________
> OpenStack-dev mailing list
> OpenStack-dev at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
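To make the difference between the two filter kinds concrete, here is a small added example (written for this archive page, not code from nova, cinder or oslo.rootwrap, and a simplified model of their filter classes rather than their real config parser). It models a CommandFilter, which checks only the executable, and a RegExpFilter, which additionally checks every argument against a per-argument regular expression, then evaluates the chown entry Thomas quoted and a tightened entry in the spirit of JM's suggestion. The /foo/bar/volume- prefix is JM's placeholder; the cinder owner, the hex-id pattern and the helper names are assumptions of the example. It also shows one caveat a tightened entry needs: a trailing `.*` in the path pattern still accepts a path that walks back out of the prefix, so the last argument is better constrained to a character class.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Simplified model of two rootwrap filter kinds. Constructed for this
# example; the real filters live in nova/cinder rootwrap and differ in
# detail (e.g. how argv[0] is resolved to an absolute path).


@dataclass
class CommandFilter:
    """Allow any invocation of exec_path, whatever the arguments."""
    exec_path: str
    run_as: str

    def match(self, argv: List[str]) -> bool:
        # Only the executable is checked; the arguments are ignored.
        return bool(argv) and argv[0] == self.exec_path


@dataclass
class RegExpFilter(CommandFilter):
    """Allow exec_path only when each argument fully matches its regex."""
    arg_patterns: List[str] = field(default_factory=list)

    def match(self, argv: List[str]) -> bool:
        if not argv or argv[0] != self.exec_path:
            return False
        args = argv[1:]
        # Argument count must match exactly, so an extra flag such as -R
        # cannot be smuggled in front of the expected arguments.
        if len(args) != len(self.arg_patterns):
            return False
        return all(re.fullmatch(p, a) for p, a in zip(self.arg_patterns, args))


def authorize(filters: List[CommandFilter], argv: List[str]) -> Optional[str]:
    """Return the user the command may run as, or None if no filter accepts it."""
    for f in filters:
        if f.match(argv):
            return f.run_as
    return None


# The entry quoted from /etc/cinder/rootwrap.conf: any chown at all.
LOOSE = [CommandFilter("/bin/chown", "root")]

# Tightened entry with a wildcard tail, as in JM's sketch. Owner "cinder"
# and the volume path prefix are assumptions for this example.
TIGHT_WILDCARD = [RegExpFilter("/bin/chown", "root",
                               [r"cinder", r"/foo/bar/volume-.*"])]

# Same entry with the tail restricted to a character class instead of ".*",
# so ".." cannot appear after the prefix.
TIGHT_STRICT = [RegExpFilter("/bin/chown", "root",
                             [r"cinder", r"/foo/bar/volume-[0-9a-f-]+"])]


def evaluate_all():
    """Run the sample invocations against each config; returns a dict of results."""
    cases = {
        "shell":      ["/bin/chown", "cinder", "/bin/bash"],
        "volume":     ["/bin/chown", "cinder", "/foo/bar/volume-0a1b"],
        "traversal":  ["/bin/chown", "cinder", "/foo/bar/volume-../../../bin/bash"],
        "recursive":  ["/bin/chown", "-R", "cinder", "/foo/bar/volume-0a1b"],
    }
    configs = {"loose": LOOSE, "wildcard": TIGHT_WILDCARD, "strict": TIGHT_STRICT}
    return {(cfg, name): authorize(filters, argv)
            for cfg, filters in configs.items()
            for name, argv in cases.items()}


if __name__ == "__main__":
    for (cfg, name), user in sorted(evaluate_all().items()):
        print(f"{cfg:8s} {name:10s} -> {user or 'DENIED'}")
```

Running it shows the loose CommandFilter granting root for every case, the wildcard RegExpFilter rejecting the direct chown of /bin/bash but still accepting the traversal path, and the strict pattern rejecting both while still allowing the legitimate volume file. The prefix and pattern obviously have to be adapted to where a given installation keeps its volumes, which is JM's point about installation details.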