[Openstack-security] eventlet_backdoor.py
Thomas Biege
thomas at suse.de
Mon Feb 10 17:19:27 UTC 2014
On 10.02.2014 17:54, Daniel P. Berrange wrote:
> On Mon, Feb 10, 2014 at 05:42:08PM +0100, Thomas Biege wrote:
>> Hi, are there plans to rename the eventlet_backdoor.py module
>> used in the OpenStack code at various places?
>>
>> The naming is bad and creates the impression that a backdoor is
>> in OpenStack. In the current situation it might be an issue the
>> press/blogs are waiting for.
>>
>> Even if renamed, the OpenStack documentation should make it very
>> clear what happens if the admins switch on this option.
>>
>> What do you think?
>
> NB if you enable this feature you basically *have* set up a backdoor
> into the app for anyone who can connect to the nominated TCP port.
> So in that sense this is actually accurately named and should serve
> to discourage any deployers from enabling it without considering
> the consequences.
I am not sure that the name alone creates enough awareness. I also
fear that the feature gets switched on, the problem is debugged, and
then it will not be turned off again. Like ATMs that eject the money
first and then the debit card, which leads to the card being left in
the card reader slot because the customer has what he wants, the money.
What about removing or restricting the feature?
Bye,
Thomas
>
> Daniel
>
--
Thomas Biege <thomas at suse.de>, Team Leader MaintenanceSecurity, CSSLP
SUSE LINUX Products GmbH
GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer
HRB 21284 (AG Nürnberg)
--
Whoever stops wanting to become better stops being good.
-- Marie von Ebner-Eschenbach
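
One way to catch the case raised above, where the option is enabled for debugging and never switched off again, is to audit service configuration files for an active setting. This is an added example, not part of the original mail or of OpenStack's code; it assumes the option is named `backdoor_port` and accepts `0`, `<port>` or `<start>:<end>` (the thread states neither), and the sample config is constructed.

```python
import configparser
import pathlib
import sys

# Constructed sample config, not taken from any real deployment.
# Assumption: the option is called backdoor_port (not named in the thread).
SAMPLE_CONF = """\
[DEFAULT]
debug = False
# backdoor_port = 4444
backdoor_port = 8000:8010

[database]
connection = sqlite://
"""

def describe(value):
    """Classify a backdoor_port value; any non-empty value enables the listener."""
    value = (value or "").strip()
    if not value:
        return None                      # unset or empty: feature is off
    lo, sep, hi = value.partition(":")
    if not (lo.isdigit() and (hi.isdigit() if sep else True)):
        return "unparseable value %r, review by hand" % value
    if sep:
        return "listens on first free port in %s-%s" % (lo, hi)
    if int(lo) == 0:
        return "listens on a random port"
    return "listens on port %s" % lo

def audit(text, source="<string>"):
    """Return [(source, section, raw_value, description)] for each active setting."""
    # default_section is renamed so [DEFAULT] is not inherited by every section.
    cp = configparser.ConfigParser(strict=False, interpolation=None,
                                   allow_no_value=True,
                                   default_section="__unused__")
    cp.read_string(text, source=source)
    findings = []
    for section in cp.sections():
        desc = describe(cp[section].get("backdoor_port"))
        if desc:
            findings.append((source, section, cp[section]["backdoor_port"], desc))
    return findings

if __name__ == "__main__":
    paths = sys.argv[1:]
    results = audit(SAMPLE_CONF, "sample") if not paths else [
        f for p in paths for f in audit(pathlib.Path(p).read_text(), p)]
    for src, section, raw, desc in results:
        print("%s [%s] backdoor_port=%s: %s" % (src, section, raw, desc))
    sys.exit(1 if results else 0)        # non-zero exit lets a cron job or CI alert
```

Run with the paths of the service configuration files as arguments; with no arguments it audits the constructed sample.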