[Openstack-security] [Bug 1765734] Fix included in openstack/oslo.rootwrap 5.14.1
OpenStack Infra
1765734 at bugs.launchpad.net
Tue May 15 04:11:53 UTC 2018
This issue was fixed in the openstack/oslo.rootwrap 5.14.1 release.
--
You received this bug notification because you are a member of OpenStack
Security SIG, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1765734
Title:
one can bypass filters and execute arbitrary commands on namespaces
Status in oslo.rootwrap:
Fix Released
Status in OpenStack Security Advisory:
Won't Fix
Bug description:
When this filter [0] is enabled in conjunction with IpNetnsExecFilter,
only commands allowed explicitly through the CommandFilter should get
to execute in the specified namespace.
However, due to the fact that these two commands are exactly the same:
ip netns exec $namespace echo $my_ssh_key >> /root/.ssh/authorized_keys
ip net exec $namespace echo $my_ssh_key >> /root/.ssh/authorized_keys
One can execute the latter without any CommandFilter for the 'echo' command.
This is a big security issue since anyone can make changes to the filesystem and execute arbitrary commands bypassing the IpNetnsExecFilter.
The solution is simply patching this code [1] by checking that the
second element starts with 'net', and the third one starts with 'e'.
[0] ip: IpFilter, ip, root
[1] https://github.com/openstack/oslo.rootwrap/blob/0fa59b04e89ad94085780550466368e6f351a9e1/oslo_rootwrap/filters.py#L376
To manage notifications about this bug go to:
https://bugs.launchpad.net/oslo.rootwrap/+bug/1765734/+subscriptions
More information about the Openstack-security
mailing list