[openstack-dev] Any use for rootwrap?

Thierry Carrez thierry at openstack.org
Mon Feb 4 16:25:21 UTC 2013


Jeremy Stanley wrote:
> On 2013-02-04 16:48:21 +0100 (+0100), Jean-Marc Saffroy wrote:
> [...]
>> In this particular case, you could identify e.g. different file path
>> prefixes that suffice for operations, and configure something like
>> this:
>>
>> chown: RegExpFilter, root, /bin/chown, --, root, /foo/bar/volume-.*
> [...]
> 
> Not a great example, as the attacker can just chown
> /foo/bar/volume-57/../../../bin/sh and go about his business.
> Probably a good idea to filter pathnames through something which can
> canonicalize them before matching (including performing Unicode
> normalization). Looking through the rootwrap implementation in
> oslo-incubator, I didn't see any features for sanitizing filename
> parameters to mitigate potential directory traversal and reencoding
> style filter evasions--hopefully I just overlooked it somewhere in
> there.

I'd like to have a PathFilter that would be smarter than a RegExpFilter
can be with paths, introspecting as root the final destination to cancel
any traversal/symlink trick. That would go a long way toward securing
those obnoxious open calls to chown, chmod, cat or dd.

See the bug at:
https://bugs.launchpad.net/oslo/+bug/1098568

-- 
Thierry Carrez (ttx)
Release Manager, OpenStack
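
The difference between matching the raw argument and matching its resolved destination, as an added example that is not part of the original thread and is not rootwrap's code. The helper names (regexp_allows, path_allows, demo) and the temporary directory tree are constructed for illustration.

```python
import os
import re
import tempfile


def regexp_allows(pattern, arg):
    """Match the raw argument string, the way a regexp-style filter sees it."""
    return re.match(pattern + "$", arg) is not None


def path_allows(allowed_dir, arg):
    """Resolve '..' and symlinks first, then require a path strictly inside allowed_dir."""
    base = os.path.realpath(allowed_dir)
    target = os.path.realpath(arg)
    return target != base and os.path.commonpath([base, target]) == base


def demo():
    """Build a constructed tree and return {case: (regexp_verdict, path_verdict)}."""
    root = os.path.realpath(tempfile.mkdtemp())
    vols = os.path.join(root, "foo", "bar")
    os.makedirs(os.path.join(vols, "volume-57"))
    os.makedirs(os.path.join(root, "bin"))
    shell = os.path.join(root, "bin", "sh")
    open(shell, "w").close()
    os.symlink(shell, os.path.join(vols, "volume-99"))  # symlink leaving the tree

    pattern = re.escape(vols) + "/volume-.*"
    cases = {
        "legitimate": os.path.join(vols, "volume-57"),
        "traversal": os.path.join(vols, "volume-57", "..", "..", "..", "bin", "sh"),
        "symlink": os.path.join(vols, "volume-99"),
    }
    return {name: (regexp_allows(pattern, arg), path_allows(vols, arg))
            for name, arg in cases.items()}


if __name__ == "__main__":
    for name, verdicts in demo().items():
        print(name, verdicts)
```

The resolved-path check and the command that later runs each resolve the path on their own, so a filter built this way still has to account for the path changing between the two.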


