[openstack-dev] [nova][cinder][neutron][security] Rootwrap on root-intensive nodes

Jeremy Stanley fungi at yuggoth.org
Wed Feb 4 16:44:25 UTC 2015


On 2015-02-04 11:58:03 +0100 (+0100), Thierry Carrez wrote:
[...]
> The second problem is the quality of the filter definitions. Rootwrap is
> a framework to enable isolation. It's only as good as the filters each
> project defines. Most of them rely on CommandFilters that do not check
> any argument, instead of using more powerful filters (which are arguably
> more painful to maintain). Developers routinely add filter definitions
> that basically remove any isolation that might have been there, like
> allowing blank dd, tee, chown or chmod.
[...]

This part is my biggest concern at the moment, from a vulnerability
management standpoint. I'm worried that it's an attractive nuisance
resulting in a false sense of security in its current state because
we're not calling this shortcoming out explicitly in documentation
(as far as I'm aware), and so we're opening our operators/users up
to unexpected risks and opening ourselves up to the possibility of a
slew of vulnerability reports because this mechanism doesn't provide
the level of protection it would seem to imply.
-- 
Jeremy Stanley
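To make the concern about blanket filters concrete, here is an added example (my own, not code from oslo.rootwrap or any OpenStack project) that audits a constructed rootwrap "filters" file: it flags CommandFilter rules, which only check the executable name, and contrasts them with an argument-checking RegExpFilter rule. The match semantics are a simplified re-implementation assumed for illustration, and the sample rules, paths and risk set are constructed.

```python
import os
import re

# Constructed sample of a rootwrap "filters" file (not taken from any project).
SAMPLE_FILTERS = """\
[Filters]
# blanket rules: only the executable name is checked, never its arguments
chmod: CommandFilter, chmod, root
dd: CommandFilter, dd, root
# argument-checking rule: every argument must match the pattern in its position
mount_nfs: RegExpFilter, mount, root, mount, -t, nfs, .*, /var/lib/nova/mnt/.*
"""
# Commands the mail singles out as removing isolation when left unconstrained.
BLANKET_HIGH_RISK = {"dd", "tee", "chown", "chmod"}

def parse_filters(text):
    """Yield (name, filter_class, fields) for each rule under [Filters]."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "[")):
            continue
        name, _, rest = line.partition(":")
        fields = [f.strip() for f in rest.split(",")]
        yield name.strip(), fields[0], fields[1:]

def matches(filter_class, fields, argv):
    """Simplified (assumed) match rules for the two filter classes."""
    if filter_class == "CommandFilter":       # fields: exec, user
        return os.path.basename(argv[0]) == os.path.basename(fields[0])
    if filter_class == "RegExpFilter":        # fields: exec, user, pattern...
        patterns = fields[2:]
        return len(argv) == len(patterns) and all(
            re.match(p + "$", a) for p, a in zip(patterns, argv))
    raise ValueError("unsupported filter class: " + filter_class)

def audit_filters(text):
    """Flag CommandFilter rules: they accept any argument list for that binary."""
    findings = []
    for name, cls, fields in parse_filters(text):
        if cls == "CommandFilter":
            level = "high" if fields[0] in BLANKET_HIGH_RISK else "medium"
            findings.append((name, fields[0], level))
    return findings

def allowed(text, argv):
    """True if some rule in the filters file lets argv run as root."""
    return any(matches(cls, fields, argv) for _, cls, fields in parse_filters(text))
```

Running `audit_filters` over a project's real filters files gives the list of rules whose isolation depends entirely on the caller, which is the gap the mail says is not being called out.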
