[openstack-dev] Any use for rootwrap?

Jean-Marc Saffroy jean.marc.saffroy at scality.com
Mon Feb 4 16:35:34 UTC 2013


On 02/04/2013 05:17 PM, Jeremy Stanley wrote:
> On 2013-02-04 16:48:21 +0100 (+0100), Jean-Marc Saffroy wrote:
> [...]
>> In this particular case, you could identify e.g. different file path
>> prefixes that suffice for operations, and configure something like
>> this:
>>
>> chown: RegExpFilter, root, /bin/chown, --, root, /foo/bar/volume-.*
> [...]
>
> Not a great example, as the attacker can just chown
> /foo/bar/volume-57/../../../bin/sh and go about his business.

Ah, yes. Still with regexp, maybe better:
chown: RegExpFilter, root, /bin/chown, --, root, ^/foo/bar/volume-[0-9a-z-]*$

But regex-based security has quite a bad track record, I agree. :)

Disabling file globbing in the subshell would be good too, and avoiding 
the use of a shell would be even better.

JM

> Probably a good idea to filter pathnames through something which can
> canonicalize them before matching (including performing Unicode
> normalization). Looking through the rootwrap implementation in
> oslo-incubator, I didn't see any features for sanitizing filename
> parameters to mitigate potential directory traversal and reencoding
> style filter evasions--hopefully I just overlooked it somewhere in
> there.
>
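The canonicalize-then-match check Jeremy suggests, written out as an added Python example (not oslo-rootwrap's own code); the filter entry layout, the NFKC normalization step and the index of the path argument are assumptions made for the example:

```python
import os
import re
import unicodedata

# Constructed example, not oslo-rootwrap's own code. It models one
# RegExpFilter-style entry: every argument must fully match its pattern,
# and path-like arguments are canonicalized before the match so that
# '..' components and Unicode look-alikes cannot slip past the regex.
CHOWN_FILTER = {
    "exec_path": "/bin/chown",
    "arg_patterns": [r"--", r"root", r"/foo/bar/volume-[0-9a-z-]*"],
    "path_args": {2},  # indexes (into the argument list) that are pathnames
}


def canonicalize_path(path):
    """NFKC-normalize, then lexically collapse '.', '..' and repeated '/'.

    os.path.normpath needs no filesystem access; on a live host,
    os.path.realpath would additionally resolve symlinks.
    """
    return os.path.normpath(unicodedata.normalize("NFKC", path))


def command_allowed(argv, filt=CHOWN_FILTER):
    """Return True if argv is permitted by the filter, else False."""
    if not argv or argv[0] != filt["exec_path"]:
        return False
    args = argv[1:]
    if len(args) != len(filt["arg_patterns"]):
        return False
    for i, (arg, pattern) in enumerate(zip(args, filt["arg_patterns"])):
        value = canonicalize_path(arg) if i in filt["path_args"] else arg
        # fullmatch anchors both ends, like ^...$ in the proposed config line
        if re.fullmatch(pattern, value) is None:
            return False
    return True


if __name__ == "__main__":
    for target in ["/foo/bar/volume-57",
                   "/foo/bar/volume-57/../../../bin/sh",
                   "/foo/bar//volume-57"]:
        argv = ["/bin/chown", "--", "root", target]
        print(f"{target!r:45} -> {command_allowed(argv)}")
```

Whatever passes the check should then be executed with the canonicalized arguments rather than the raw ones, so the string that was matched is the string the command actually receives.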