[Openstack-security] [Bug 1081795] Re: oslo.rootwrap IpFilter fails to prevent ip netns exec
Thierry Carrez
thierry.carrez+lp at gmail.com
Fri Feb 7 14:44:39 UTC 2014
It looks like you can't have parameters between netns and exec, so we
could check for presence of ['netns', 'exec'] slice within the arg list.
--
https://bugs.launchpad.net/bugs/1081795
Title:
oslo.rootwrap IpFilter fails to prevent ip netns exec
Status in Oslo - a Library of Common OpenStack Code:
Triaged
Bug description:
This is an oslo.rootwrap bug.
IpFilter is designed to allow any ip command, unless the second
parameter is "netns" (in which case you only allow ip netns
{list,add,delete}).
The trick is it's trivial to work around this (just run 'ip -s netns
exec').
Once that's fixed, Nova should update from using a CommandFilter to
using the IpFilter for calling 'ip'.
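The check the bug description says is bypassed, next to the slice check proposed in the reply, as an added Python example (not oslo.rootwrap's code and not from the thread). The function names and the sample namespace and command values are assumptions made for illustration.

```python
# Added illustration; not the oslo.rootwrap IpFilter source.
ALLOWED_NETNS_SUBCOMMANDS = {"list", "add", "delete"}


def second_param_check(userargs):
    """Model of the behaviour in the bug description: only the second
    parameter (the one right after 'ip') is compared with 'netns'."""
    if not userargs or userargs[0] != "ip":
        return False
    if len(userargs) > 1 and userargs[1] == "netns":
        return len(userargs) > 2 and userargs[2] in ALLOWED_NETNS_SUBCOMMANDS
    return True  # any other ip command is allowed


def contains_slice(args, needle):
    """True if needle occurs as a run of consecutive items in args."""
    n = len(needle)
    return any(args[i:i + n] == needle for i in range(len(args) - n + 1))


def slice_check(userargs):
    """Proposed check from the reply: refuse when ['netns', 'exec'] appears
    as a consecutive slice anywhere in the argument list."""
    if not userargs or userargs[0] != "ip":
        return False
    if contains_slice(userargs, ["netns", "exec"]):
        return False
    return second_param_check(userargs)


# Constructed sample command lines; namespace and command names are made up.
SAMPLES = [
    ["ip", "netns", "list"],
    ["ip", "link", "show"],
    ["ip", "netns", "exec", "ns1", "id"],
    ["ip", "-s", "netns", "exec", "ns1", "id"],
]

if __name__ == "__main__":
    for cmd in SAMPLES:
        print(" ".join(cmd), second_param_check(cmd), slice_check(cmd))
```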