[openstack-dev] [fuel][plugins]Security problem in Fuel 7.0

Roman Prykhodchenko me at romcheg.me
Mon Dec 7 16:48:59 UTC 2015


Alexey,

thank you for bringing this up. IMO discussing security problems is better done in a special kind of Launchpad bug.

- romcheg


> On 7 Dec 2015, at 17:36, Alexey Elagin <aelagin at mirantis.com> wrote:
> 
> Hello all,
> 
> We have a security problem in Fuel 7.0. It's related to plugin
> development and allows executing code in the mcollective docker container
> on the Fuel master node. Any Fuel plugin may contain a yaml file with
> deployment tasks (tasks.yaml, deployment_tasks.yaml etc) and there is
> an ability to run some code on a node with role "master". It's also
> possible to connect to any target node via ssh without a password from
> within the container.
> 
> As I understood, it was made to simplify some deployment cases. I see
> some steps for resolving this situation:
> 1. Fuel team should disallow execution of any puppet manifests or bash
>    code on nodes with master role.
> 2. Append the Fuel documentation. Notify users about this security
>    issue.
> 
> What do you think about it? What deployment cases that require
> execution of code on role "master" do you know?
> 
> --
> Best regards,
> Alexey
> Deployment Engineer
> Mirantis, Inc
> Cell: +7 (968) 880 2288
> Skype: shikelbober
> Slack: aelagin
> mailto:aelagin at mirantis.com

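A review check for the issue described in this thread, added here as an example and not code from Fuel or from either poster: it lists the tasks in a plugin's task file that target role "master" and marks those that run code. The field names (`role`, `type`, `parameters`, `cmd`, `puppet_manifest`, `id`) and the sample YAML are assumptions constructed for illustration.

```ruby
require 'yaml'

# Task types treated as code execution (the mail names puppet manifests and
# bash code). These type and field names are assumptions, not taken from Fuel.
CODE_TYPES = %w[shell puppet].freeze
MASTER_ROLE = 'master'.freeze

# Return one finding per task in the YAML text that targets the master role.
def master_tasks(yaml_text, source)
  tasks = YAML.safe_load(yaml_text) || []
  raise ArgumentError, "#{source}: expected a list of tasks" unless tasks.is_a?(Array)

  findings = tasks.each_with_index.map do |task, idx|
    next unless task.is_a?(Hash)
    roles = Array(task['role']).map(&:to_s) # accepts "master" or ["master"]
    next unless roles.include?(MASTER_ROLE)

    type = task['type'].to_s
    params = task['parameters'].is_a?(Hash) ? task['parameters'] : {}
    { source: source,
      task: task['id'] || "##{idx}",          # fall back to list position
      type: type,
      runs_code: CODE_TYPES.include?(type),
      detail: params['cmd'] || params['puppet_manifest'] }
  end
  findings.compact
end

# Constructed sample task file, not taken from any real plugin.
SAMPLE = <<~YAML
  - role: ['controller']
    stage: post_deployment
    type: shell
    parameters: {cmd: ./install.sh, timeout: 300}
  - role: ['master']
    stage: pre_deployment
    type: shell
    parameters: {cmd: ./prepare.sh, timeout: 60}
  - id: example-upload
    role: master
    type: upload_file
    parameters: {path: /tmp/example.conf}
YAML

if __FILE__ == $PROGRAM_NAME
  master_tasks(SAMPLE, 'tasks.yaml').each do |f|
    flag = f[:runs_code] ? 'RUNS CODE' : 'review'
    puts "#{f[:source]} task #{f[:task]} (#{f[:type]}): #{flag} #{f[:detail]}"
  end
end
```
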