[openstack-dev] Any use for rootwrap?

Jeremy Stanley fungi at yuggoth.org
Mon Feb 4 16:17:44 UTC 2013


On 2013-02-04 16:48:21 +0100 (+0100), Jean-Marc Saffroy wrote:
[...]
> In this particular case, you could identify e.g. different file path
> prefixes that suffice for operations, and configure something like
> this:
> 
> chown: RegExpFilter, root, /bin/chown, --, root, /foo/bar/volume-.*
[...]

Not a great example, as the attacker can just chown
/foo/bar/volume-57/../../../bin/sh and go about his business.
Probably a good idea to filter pathnames through something which can
canonicalize them before matching (including performing Unicode
normalization). Looking through the rootwrap implementation in
oslo-incubator, I didn't see any features for sanitizing filename
parameters to mitigate potential directory traversal and reencoding
style filter evasions--hopefully I just overlooked it somewhere in
there.
-- 
Jeremy Stanley
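
The canonicalize-before-match idea from the message above, as an added example (not part of the original post and not oslo rootwrap code). make_pattern, naive_match and canonical_match are hypothetical names, and the pattern is a constructed stand-in for the last field of the quoted filter line.

```python
import os
import re
import unicodedata


def make_pattern(base="/foo/bar"):
    # Constructed stand-in for the last field of the quoted filter line.
    return re.compile(re.escape(base) + r"/volume-.*")


def naive_match(path, pattern):
    """Match the raw argument, as a plain regexp filter does."""
    return pattern.fullmatch(path) is not None


def canonical_match(path, pattern):
    """Return the canonical path if it still matches, else None."""
    # Reject arguments that change under NFKC normalization (for example
    # fullwidth dots that fold to "."), and embedded NUL bytes.
    if "\x00" in path or unicodedata.normalize("NFKC", path) != path:
        return None
    # realpath collapses "." and ".." and resolves symlinks.
    resolved = os.path.realpath(path)
    if pattern.fullmatch(resolved) is None:
        return None
    return resolved


if __name__ == "__main__":
    pattern = make_pattern()
    for arg in ("/foo/bar/volume-57",
                "/foo/bar/volume-57/../../../bin/sh"):
        print(arg, naive_match(arg, pattern), canonical_match(arg, pattern))
```

The command should be given the returned canonical path rather than the original argument; a symlink swapped in after the check is a race this sketch does not close.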