rootwrap filter for ip netns exec

Bug #1044083 reported by dan wendlandt
Affects   Status        Importance  Assigned to    Milestone
neutron   Fix Released  High        Mark McClain

Bug Description

There is a security hole when using rootwrap with Quantum, since rootwrap allows the use of "ip netns exec" to run commands in a particular namespace. This could be used to subvert rootwrap and run arbitrary commands.

The solution is to create a special filter type that only allows certain required commands to be executed within a namespace.

dan wendlandt (danwent)
Changed in quantum:
importance: Undecided → High
milestone: none → folsom-rc1
assignee: nobody → john dunning (jrd-q)
dan wendlandt (danwent)
Changed in quantum:
status: New → Confirmed
dan wendlandt (danwent)
Changed in quantum:
assignee: john dunning (jrd-q) → Mark McClain (markmcclain)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to quantum (master)

Fix proposed to branch: master
Review: https://review.openstack.org/12388

Changed in quantum:
status: Confirmed → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to quantum (master)

Reviewed: https://review.openstack.org/12388
Committed: http://github.com/openstack/quantum/commit/28df8f6d8f2fddf5fb5751eb5100d40a9b4745fa
Submitter: Jenkins
Branch: master

commit 28df8f6d8f2fddf5fb5751eb5100d40a9b4745fa
Author: Mark McClain <email address hidden>
Date: Tue Sep 4 19:50:00 2012 -0400

    add rootwrap filters to wrap ip netns exec

    fixes bug 1044083

    This patch adds specific filters for the ip command. The first filter
    matches ip with any subcommand except netns exec. The second filter
    matches "ip netns exec" and then relies on the caller (match_filter) to
    verify the sub-command against the other filters. Matching the
    subcommand separately allows for a single set of filter definitions that
    work with and without namespaces.

    Change-Id: Ifd0378dc3461f84867efb3cb60396d9cfa9e582d

Changed in quantum:
status: In Progress → Fix Committed
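The filter scheme the commit message describes, as an added Python illustration that is not Quantum's own rootwrap code: IpFilter admits ip with any subcommand except netns exec, IpNetnsExecFilter matches only the "ip netns exec <ns>" prefix, and match_filter() re-checks the wrapped command against the same filter list so the namespace wrapper cannot be used to run an arbitrary command. The ovs-vsctl and cat entries are hypothetical filters standing in for the rest of a filter file.

```python
class CommandFilter:
    """Allow one executable; with args given, only that exact argument list."""
    def __init__(self, command, *args):
        self.command = command      # executable name permitted by this filter
        self.args = list(args)      # non-empty: the arguments must match exactly
    def match(self, userargs):
        if not userargs or userargs[0] != self.command:
            return False
        return not self.args or userargs[1:] == self.args

class IpFilter(CommandFilter):
    """First filter: 'ip' with any subcommand except 'netns exec'."""
    def __init__(self):
        super().__init__('ip')
    def match(self, userargs):
        if len(userargs) < 2 or userargs[0] != 'ip':
            return False
        if userargs[1] == 'netns':
            return len(userargs) > 2 and userargs[2] != 'exec'
        return True

class IpNetnsExecFilter(CommandFilter):
    """Second filter: only the 'ip netns exec <ns>' prefix; see match_filter()."""
    def __init__(self):
        super().__init__('ip')
    def match(self, userargs):
        return len(userargs) > 4 and userargs[:3] == ['ip', 'netns', 'exec']

def match_filter(filters, userargs):
    """Return the first filter accepting userargs, or None to refuse.
    For 'ip netns exec' the command after the namespace name must itself pass
    the filter list, so the wrapper cannot run anything the filters would
    refuse directly; a nested 'ip netns exec' is checked again by recursion."""
    for f in filters:
        if not f.match(userargs):
            continue
        if isinstance(f, IpNetnsExecFilter):
            return f if match_filter(filters, userargs[4:]) else None
        return f
    return None

# Constructed filter list (not Quantum's real one): ip filters plus two others.
FILTERS = [IpFilter(), IpNetnsExecFilter(),
           CommandFilter('ovs-vsctl'),             # hypothetical: any ovs-vsctl
           CommandFilter('cat', '/proc/net/dev')]  # hypothetical: this file only

def is_allowed(argv):
    """True when the filter chain modelled here would let rootwrap run argv."""
    return match_filter(FILTERS, argv) is not None
```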
Thierry Carrez (ttx)
Changed in quantum:
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in quantum:
milestone: folsom-rc1 → 2012.2