[Openstack-security] [Bug 1700501] Re: Insecure rootwrap usage
Michael Still
mikal at stillhq.com
Wed Jun 28 12:43:21 UTC 2017
Well, there is proposed code up to start moving to privsep, but it's not
a priority right now...
Michael
On 28 Jun. 2017 8:41 pm, "Sean Dague" <sean at dague.net> wrote:
> This is too vague to be actionable. There is one example, and it's not
> clear where in the system the concern is. And the kinds of changes to
> make this be as restricted as one would like really don't lead well to a
> bug, but would require a more systematic push to really embrace
> something like privsep.
>
> In general, the use of rootwrap on nova-compute is honestly pointless
> in my pov. Besides, chmod, cat, dd and a few others are running more or
> less unrestricted. It just doesn't make for a useful security model.
>
> ** Changed in: nova
> Status: New => Incomplete
>
--
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1700501
Title:
Insecure rootwrap usage
Status in Cinder:
New
Status in Manila:
New
Status in OpenStack Compute (nova):
Incomplete
Status in OpenStack Security Advisory:
Won't Fix
Bug description:
Reported by Benjamin Deuter of SUSE:
Some rootwrap filters are too permissive and allow privilege
escalation from service user, as explained here:
https://security.openstack.org/guidelines/dg_use-oslo-rootwrap-securely.html#incorrect
For example this shouldn't be authorized:
sudo nova-rootwrap /etc/nova/rootwrap.conf chmod 777 /etc/shadow
To manage notifications about this bug go to:
https://bugs.launchpad.net/cinder/+bug/1700501/+subscriptions
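The kind of filter rule that lets the reported command through, next to a restricted alternative, as an added example; this is not code from the bug report, from nova or from oslo.rootwrap. The matcher below is a deliberately simplified re-implementation of the CommandFilter / RegExpFilter / PathFilter semantics written for this example, the two filter files are constructed, and the filter names chmod_instances and chown_instances and the /var/lib/nova/instances paths are assumptions.

```python
import os
import re
import shlex

# Constructed filter files in rootwrap's "[Filters]" + "name: FilterClass, args..." layout.
PERMISSIVE_FILTERS = """\
[Filters]
# Only argv[0] is checked: any chmod invocation, on any file, is allowed. This is the bug.
chmod: CommandFilter, chmod, root
"""

RESTRICTED_FILTERS = """\
[Filters]
# Every argument must match its pattern: a plain octal mode and a path in the instance store.
chmod_instances: RegExpFilter, chmod, root, chmod, 0[0-7]{3}, /var/lib/nova/instances/.*
# Path-constrained form: each argument is 'pass', an exact literal, or an allowed base dir.
chown_instances: PathFilter, /bin/chown, root, nova, /var/lib/nova/instances
"""


class CommandFilter:
    """Accepts any argument list whose command name matches (simplified model)."""

    def __init__(self, exec_path, run_as, *args):
        self.exec_path, self.run_as, self.args = exec_path, run_as, list(args)

    def match(self, userargs):
        return bool(userargs) and os.path.basename(userargs[0]) == os.path.basename(self.exec_path)


class RegExpFilter(CommandFilter):
    """One regex per argument, argv[0] included; fullmatch so a pattern covers the whole arg."""

    def match(self, userargs):
        if len(userargs) != len(self.args):
            return False
        return all(re.fullmatch(pat, arg) is not None for pat, arg in zip(self.args, userargs))


class PathFilter(CommandFilter):
    """Positional constraints: 'pass' = anything, literal = exact match, abs path = base dir."""

    def match(self, userargs):
        if not super().match(userargs) or len(userargs) - 1 != len(self.args):
            return False
        for constraint, value in zip(self.args, userargs[1:]):
            if os.path.isabs(constraint):
                # realpath both sides so ".." segments and symlinks planted inside the
                # base dir cannot escape it; commonpath avoids a string-prefix match
                # such as /var/lib/nova/instances-evil passing for /var/lib/nova/instances.
                base, real = os.path.realpath(constraint), os.path.realpath(value)
                if os.path.commonpath([base, real]) != base:
                    return False
            elif constraint != "pass" and constraint != value:
                return False
        return True


FILTER_CLASSES = {"CommandFilter": CommandFilter, "RegExpFilter": RegExpFilter, "PathFilter": PathFilter}


def load_filters(text):
    """Parse the [Filters] section into (name, filter) pairs, in file order."""
    filters, in_section = [], False
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            in_section = line == "[Filters]"
            continue
        if not in_section:
            continue
        name, spec = line.split(":", 1)
        cls_name, *args = [part.strip() for part in spec.split(",")]
        filters.append((name.strip(), FILTER_CLASSES[cls_name](*args)))
    return filters


def authorize(filters, command):
    """Return the name of the first filter that accepts the command line, or None."""
    userargs = shlex.split(command)
    for name, flt in filters:
        if flt.match(userargs):
            return name
    return None


if __name__ == "__main__":
    bad = "chmod 777 /etc/shadow"
    good = "chmod 0644 /var/lib/nova/instances/abc/disk"
    for label, text in (("permissive", PERMISSIVE_FILTERS), ("restricted", RESTRICTED_FILTERS)):
        flts = load_filters(text)
        print(f"{label}: {bad!r} -> {authorize(flts, bad)}")
        print(f"{label}: {good!r} -> {authorize(flts, good)}")
```

Even the restricted rules only check the path at authorization time; the real chmod or chown runs afterwards as root, so a swap of the target between the check and the execution is still possible. Tightening filters narrows the exposure but does not remove the case for moving the privileged operations into privsep, as the thread says.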