rootwrap ConfigParser behavior
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
OpenStack Compute (nova) | Fix Released | Low | Thierry Carrez | | |
Bug Description
Rootwrap may leak some information that it shouldn't -- it can allow people with sudo access to rootwrap to read data that is only readable by root. ConfigParser prints the beginning of files that it can't parse.
```
$ sudo /usr/bin/
Traceback (most recent call last):
  File "/usr/bin/
    execfile(
  File "/opt/stack/
    config.
  File "/usr/lib64/
    self._read(fp, filename)
  File "/usr/lib64/
    raise MissingSectionH
ConfigParser.
file: /etc/shadow, line: 1
'root:$
```
Flagged as security bug because it may have some implications there, hard to say.
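The behaviour reported above, reproduced as an added example that is not part of the original bug report or of nova's code. It uses Python 3's `configparser` (the traceback above is from Python 2's `ConfigParser`), and the helper names, the marker string and the hardened error message are assumptions made for illustration, not the fix nova shipped.

```python
import configparser
import os
import tempfile

# Constructed sample: a non-INI line standing in for a root-only file.
# The marker is made up for this example, not a real credential.
SECRET_LINE = "root:CONSTRUCTED-SECRET-MARKER:15000:0:99999:7:::\n"


def _parse(path):
    """Parse `path` as an INI file, raising configparser.Error on failure."""
    parser = configparser.RawConfigParser()
    with open(path) as fp:
        parser.read_file(fp, source=path)
    return parser


def load_leaky(path):
    """Return the text an uncaught parser exception would print."""
    try:
        _parse(path)
    except configparser.Error as exc:
        # str(exc) embeds repr() of the offending line, i.e. file content.
        return str(exc)
    return ""


def load_hardened(path):
    """Return (parser, None), or (None, message) with no file content."""
    try:
        return _parse(path), None
    except configparser.Error as exc:
        # Report only the caller-supplied path and the exception class.
        # Never interpolate exc itself: its message carries file data.
        return None, "Incorrect configuration file: %s (%s)" % (
            path, type(exc).__name__)


def demo():
    """Run both loaders against the constructed sample file."""
    fd, path = tempfile.mkstemp()
    try:
        with os.fdopen(fd, "w") as f:
            f.write(SECRET_LINE)
        return load_leaky(path), load_hardened(path)[1]
    finally:
        os.unlink(path)


if __name__ == "__main__":
    for message in demo():
        print(message, end="\n\n")
```

Catching the base `configparser.Error` also covers `ParsingError`, whose message likewise quotes the lines it could not parse.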
Changed in nova:
status: Confirmed → In Progress
assignee: nobody → Thierry Carrez (ttx)

Changed in nova:
milestone: none → grizzly-2
status: Fix Committed → Fix Released

Changed in nova:
milestone: grizzly-2 → 2013.1
I was talking to Eric about this on IRC. My inclination is to not treat it as a security vulnerability since I don't see any path to exploit it. However, it does seem like something worth changing.
@ttx, thoughts?