[Openstack] security blueprint related to os binaries

Victor Lowther victor.lowther at gmail.com
Tue May 14 18:00:10 UTC 2013


If an attacker can put a binary in /usr/local/bin, they already have root
and we are doomed anyways.  If you are still worried about it, reorder PATH
so that /usr/local/whatever comes last instead of first.


On Tue, May 14, 2013 at 10:38 AM, Vasiliy Khomenko <
vkhomenko at griddynamics.com> wrote:

> Attacker can put binary in /usr/local/bin for example. on ubuntu that path
> located before /usr/bin.
> We could create some templates with absolute paths to binaries for each
> distro (deb-based, rhel-based) and auto-detect them.
>
>
>
> On Tue, May 14, 2013 at 3:36 PM, Victor Lowther <victor.lowther at gmail.com>wrote:
>
>> Err, sounds like a lot of work to make the code more fragile.  If you
>> want to be paranoid about launching the right command, do it by
>> sanity-checking $PATH, not by hardcoding the path of all the executables
>> you call.
>>
>>
>> On Tue, May 14, 2013 at 5:56 AM, Stanislav Pugachev <
>> spugachev at griddynamics.com> wrote:
>>
>>> Hi,
>>> I've added a blueprint
>>> https://blueprints.launchpad.net/hacking/+spec/absolute-paths-of-os-binaries
>>> Please, take a look and let's discuss it if it makes sense.
>>> Thank you
>>> Stas.
>>>
>>>
>>>
>>> _______________________________________________
>>> Mailing list: https://launchpad.net/~openstack
>>> Post to     : openstack at lists.launchpad.net
>>> Unsubscribe : https://launchpad.net/~openstack
>>> More help   : https://help.launchpad.net/ListHelp
>>>
>>>
>>
>> _______________________________________________
>> Mailing list: https://launchpad.net/~openstack
>> Post to     : openstack at lists.launchpad.net
>> Unsubscribe : https://launchpad.net/~openstack
>> More help   : https://help.launchpad.net/ListHelp
>>
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack/attachments/20130514/080bd0a2/attachment.html>


More information about the Openstack mailing list