[Openstack-security] Security Anti-Patterns

Kurt Seifried kseifried at redhat.com
Thu May 29 17:13:40 UTC 2014



On 05/29/2014 12:47 AM, Clark, Robert Graham wrote:
> I certainly share your frustration, I think the idea with the 
> anti-patterns is to document the things that get done badly most
> often in OpenStack and format them in a way that's easily
> consumable by core devs and PTLs. The list should be short enough
> that they can refer back to it while reviewing new features.
> 
> It's not going to fix anything on its own but anything we can do
> to help developers not make the same mistakes which, as you point
> out, have been made for the last 20 years - is a good thing.
> 
> -Rob

So a concrete example, I wrote this in 2012? Nothing new, all this
goes back a few decades:

https://kurt.seifried.org/2012/03/14/creating-temporary-files-securely/

Then I checked out all the source code:

http://git.openstack.org/cgit

find ./ -name "*.py" -o -name "*.sh" | xargs grep "/tmp/" | grep -v test | grep -v "#"

344 results, some of the more severe ones that probably need CVE's:

./neutron/neutron/plugins/openvswitch/agent/xenapi/contrib/build-rpm.sh:rm -rf /tmp/$PACKAGE
./neutron/neutron/plugins/openvswitch/agent/xenapi/contrib/build-rpm.sh:mkdir /tmp/$PACKAGE
./neutron/neutron/plugins/openvswitch/agent/xenapi/contrib/build-rpm.sh:cp -r ../etc/xapi.d /tmp/$PACKAGE

and then trove:

./trove/trove/guestagent/datastore/redis/service.py:TMP_REDIS_CONF = '/tmp/redis.conf.tmp'
./trove/trove/guestagent/datastore/cassandra/system.py:CASSANDRA_TEMP_CONF = "/tmp/cassandra.yaml"
./trove/trove/guestagent/datastore/cassandra/system.py:CASSANDRA_TEMP_DIR = "/tmp/cassandra"
./trove/trove/guestagent/datastore/cassandra/system.py:CASSANDRA_STATUS = """echo "use system;" > /tmp/check; cqlsh -f /tmp/check"""
./trove/trove/guestagent/datastore/mysql/service.py:TMP_MYCNF = "/tmp/my.cnf.tmp"
./trove/trove/guestagent/datastore/mysql/service.py:MYCNF_OVERRIDES_TMP = "/tmp/overrides.cnf.tmp"
./trove/trove/guestagent/datastore/mongodb/system.py:TMP_CONFIG = "/tmp/mongodb.conf.tmp"
./trove/trove/guestagent/strategies/restore/mysql_impl.py:            ' --ibbackup xtrabackup 2>/tmp/innoprepare.log')
./trove/trove/guestagent/strategies/restore/mysql_impl.py:            ' 2>/tmp/innoprepare.log')
./trove/trove/guestagent/strategies/backup/mysql_impl.py:'2>/tmp/mysqldump.log' %
./trove/trove/guestagent/strategies/backup/mysql_impl.py:  ' /var/lib/mysql 2>/tmp/innobackupex.log'
./trove/trove/guestagent/strategies/backup/mysql_impl.py:        with open('/tmp/innobackupex.log', 'r') as backup_log:
./trove/trove/guestagent/strategies/backup/mysql_impl.py:        with open('/tmp/innobackupex.log', 'r') as backup_log:
./trove/trove/guestagent/strategies/backup/mysql_impl.py:  ' 2>/tmp/innobackupex.log')

Here's an amusing one:

./sahara/sahara/plugins/vanilla/v1_2_1/run_scripts.py:        'sudo su - -c "mkdir /tmp/oozielib && '
./sahara/sahara/plugins/vanilla/v1_2_1/run_scripts.py:        'tar zxf /opt/oozie/oozie-sharelib-4.0.0.tar.gz -C /tmp/oozielib && '
./sahara/sahara/plugins/vanilla/v1_2_1/run_scripts.py:        'hadoop fs -put /tmp/oozielib/share share && '
./sahara/sahara/plugins/vanilla/v1_2_1/run_scripts.py:        'rm -rf /tmp/oozielib" hadoop')
./sahara/sahara/plugins/vanilla/v1_2_1/run_scripts.py:remote.execute_command("mysql -u root < /tmp/create_oozie_db.sql")
./sahara/sahara/plugins/vanilla/v1_2_1/run_scripts.py:remote.execute_command("mysql -u root < /tmp/create_hive_db.sql")

So in total there's about 100-300 of these that qualify as LOW
security vulns.

So yeah we can tell people not to do this, but apparently it's not
working. Plus there's a huge technical debt that needs to be cleared out.

Oh and for mode 666/777 stuff:

./nodepool/nodepool/nodepool.py:        host.ssh("chmod config dir", "sudo chmod 0777 /etc/nodepool")
./trove/trove/guestagent/strategies/restore/mysql_impl.py:utils.execute_with_timeout("chmod", "-R", "0777",
./anvil/anvil/distros/rhel.py:sh.chmod(sh.joinpths(base_dir, fn), 0o666)
./sahara/sahara/plugins/hdp/versions/version_2_0_6/services.py:     r.execute_command('su -c "hadoop fs -chmod -R 777 '
./sahara/sahara/plugins/hdp/versions/version_1_3_2/services.py:     r.execute_command('su -c "hadoop fs -chmod -R 777 '
./manila/manila/share/drivers/generic.py:        command = ['sudo', 'chmod', '777', mount_path]
./manila/manila/share/drivers/lvm.py:self._execute('chmod', '777', mount_path,
./cinder/cinder/volume/drivers/scality.py:        os.chmod(path, 0o666)
./cinder/cinder/volume/drivers/huawei/rest_common.py:utils.execute('chmod', '777', filepath, run_as_root=True)
./cinder/cinder/volume/drivers/huawei/ssh_common.py:utils.execute('chmod', '777', filepath, run_as_root=True)
./compass-core/bin/manage_db.py:os.chmod(setting.DATABASE_FILE, 0o777)
./compass-core/install/cobbler.sh:sudo chmod 777 /var/lib/cobbler/snippets
./compass-core/install/cobbler.sh:sudo chmod -R 666 /var/lib/cobbler/snippets/*
./compass-core/install/cobbler.sh:sudo chmod 666 /var/lib/cobbler/kickstarts/default.ks
./compass-core/install/cobbler.sh:sudo chmod 666 /var/lib/cobbler/kickstarts/default.seed
./compass-core/install/compass.sh:sudo chmod -R 777 /opt/compass/db
./compass-core/install/compass.sh:sudo chmod -R 777 /var/log/compass

With advance apologies to Garth/Grant in case we end up with 100+ CVE's =)

-- 
Kurt Seifried - Red Hat - Product Security - Cloud stuff and such
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
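The two anti-patterns Kurt greps for above, the fixed `/tmp/<name>` path and the `chmod 666/777`, shown next to the safe alternative and with a small scanner that flags them in source text. This is an added example, not code from the thread or from any OpenStack project; the function names (`write_config_insecure`, `write_config_secure`, `compare_modes`, `find_anti_patterns`), the regexes and `SAMPLE_SOURCE` are constructed for illustration. `tempfile.mkstemp` is the Python standard-library call that creates the file with `O_CREAT|O_EXCL` and mode 0600.

```python
import os
import re
import shutil
import stat
import tempfile


def write_config_insecure(content, directory="/tmp", name="example.conf.tmp"):
    # Anti-pattern from the grep hits: a fixed, predictable name in a shared
    # directory.  open(..., "w") follows a pre-existing symlink, truncates
    # whatever is already there, and the umask decides who can read the
    # result.  (Hypothetical helper, added for the example.)
    path = os.path.join(directory, name)
    with open(path, "w") as f:
        f.write(content)
    return path


def write_config_secure(content, directory=None):
    # mkstemp creates the file with O_CREAT|O_EXCL and mode 0600, so the name
    # cannot be pre-planted or reused and no other local user can read it.
    # directory=None means tempfile.gettempdir(); pass a private directory
    # when the contents are sensitive.  (Hypothetical helper.)
    fd, path = tempfile.mkstemp(prefix="example.conf.", suffix=".tmp",
                                dir=directory)
    try:
        with os.fdopen(fd, "w") as f:
            f.write(content)
    except Exception:
        os.unlink(path)
        raise
    return path


def mode_of(path):
    """Permission bits of a file, e.g. 0o600."""
    return stat.S_IMODE(os.stat(path).st_mode)


def compare_modes():
    """Write one file each way in a scratch directory and report what is
    observable: the permission bits, and whether a second call silently
    reuses (and overwrites) the same name."""
    scratch = tempfile.mkdtemp(prefix="antipattern-demo-")
    old_umask = os.umask(0o022)  # the usual default umask
    try:
        i1 = write_config_insecure("port=6379\n", directory=scratch)
        i2 = write_config_insecure("port=6380\n", directory=scratch)
        s1 = write_config_secure("port=6379\n", directory=scratch)
        s2 = write_config_secure("port=6380\n", directory=scratch)
        return {
            "insecure_mode": mode_of(i1),          # 0o644 under umask 022
            "secure_mode": mode_of(s1),            # 0o600 regardless of umask
            "insecure_reuses_name": i1 == i2,      # True: second write clobbers
            "secure_reuses_name": s1 == s2,        # False: fresh O_EXCL name
        }
    finally:
        os.umask(old_umask)
        shutil.rmtree(scratch, ignore_errors=True)


# Heuristics for the two anti-patterns the thread greps for.  The chmod regex
# only fires on all-6/7 modes (666, 0777, 0o777, ...), so 0o600 or 755 pass.
ANTI_PATTERNS = [
    ("fixed-path-in-tmp", re.compile(r"/tmp/")),
    ("world-writable-chmod", re.compile(r"chmod[^\n]*?\b0?o?[67]{3}\b")),
]


def find_anti_patterns(source):
    """Return (line_no, pattern_name, stripped_line) for every hit, skipping
    full-line comments (a narrower version of the thread's grep -v "#")."""
    hits = []
    for no, line in enumerate(source.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue
        for name, rx in ANTI_PATTERNS:
            if rx.search(line):
                hits.append((no, name, line.strip()))
    return hits


# Constructed sample source in the style of the grep output above.
SAMPLE_SOURCE = '''\
TMP_CONFIG = "/tmp/mongodb.conf.tmp"
# os.chmod(path, 0o666)  (commented out, so skipped)
os.chmod(setting.DATABASE_FILE, 0o777)
utils.execute('chmod', '777', filepath, run_as_root=True)
fd, path = tempfile.mkstemp(suffix=".conf")
os.chmod(path, 0o600)
'''

if __name__ == "__main__":
    print(compare_modes())
    for hit in find_anti_patterns(SAMPLE_SOURCE):
        print(hit)
```

The scanner is deliberately as blunt as the original `grep`: it is a triage tool for the "technical debt" list, not a verdict, and each hit still needs a human to decide whether the path is attacker-controllable and what the file later grants (the `sudo`/`run_as_root=True` hits above being the ones to read first).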
