[Openstack-security] [Bug 1700501] Re: Insecure rootwrap usage
Sean Dague
sean at dague.net
Wed Jun 28 10:33:04 UTC 2017
This is too vague to be actionable. There is one example, and it's not
clear where in the system the concern is. And the kinds of changes to
make this be as restricted as one would like really don't lead well to a
bug, but would require a more systematic push to really embrace
something like privsep.
In general, the use of root wrap on nova-compute is honestly pointless
in my pov. Besides chmod, cat, dd and a few others are running more or
less unrestricted. It just doesn't make for a useful security model.
** Changed in: nova
Status: New => Incomplete
--
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1700501
Title:
Insecure rootwrap usage
Status in Cinder:
New
Status in Manila:
New
Status in OpenStack Compute (nova):
Incomplete
Status in OpenStack Security Advisory:
Won't Fix
Bug description:
Reported by Benjamin Deuter of SUSE:
Some rootwrap filters are too permissive and allow privilege
escalation from service user, as explained here:
https://security.openstack.org/guidelines/dg_use-oslo-rootwrap-
securely.html#incorrect
For example this shouldn't be authorized:
sudo nova-rootwrap /etc/nova/rootwrap.conf chmod 777 /etc/shadow
To manage notifications about this bug go to:
https://bugs.launchpad.net/cinder/+bug/1700501/+subscriptions
More information about the Openstack-security
mailing list