Cinder's rootwrap filters allow to run find as root, which allows arbitrary commands

John/Doug, thoughts on how and where we want to mitigate this initially? Patch rootwrap in Cinder first, then replicate that change to Oslo once the security advisory is published?

The issue does not live in Oslo. It lives in the filters that are shipped with Cinder. So that would only need to be fixed in Cinder.

That said, I'm not sure that would be security advisory material. The cinder user already has (limited) escalation to root, the rootwrap is just trying hard to limit the extent of it. Find is clearly not the only command that can be easily abused in Cinder volume.filters: this one also allows dd, chown, ln, chmod and mv... which can all be abused to fully escalate the cinder user to the root user on Cinder.

Like nova compute nodes, cinder volume nodes run, in effect, as root. Rootwrap is a tool that can be used to limit root escalation, but on those nodes there is still a lot of work to do before they can be considered truly isolated. Those efforts would fall into strengthening, rather than vulnerability fixing, since those weaknesses cannot be directly exploited (attacker needs to be able to execute code as the cinder user first).

This is very much like https://bugs.launchpad.net/nova/+bug/1081795 -- and the comment I made there also applies to this bug:

"""
So I would count this as a welcome strengthening step, but not issue an advisory about it (which could be interpreted as "we vouch that this user can't be escalated to root anymore") [...]

I'm also for making this bug public, unless one of you object.
"""

that's ok with me.

Thierry's assessment seems correct to me.

I'm in agreement with Thierry's assessment as well.

I too agree, so switched it to public with no associated advisory.

Fix proposed to branch: master
Review: https://review.openstack.org/75629

Related fix proposed to branch: master
Review: https://review.openstack.org/76529

Reviewed: https://review.openstack.org/75629
Committed: https://git.openstack.org/cgit/openstack/cinder/commit/?id=6af10e84e1a3f1e4673bc2f58142269a2bfeefcf
Submitter: Jenkins
Branch: master

commit 6af10e84e1a3f1e4673bc2f58142269a2bfeefcf
Author: Daniel Gollub <email address hidden>
Date: Wed Feb 19 07:37:20 2014 +0100

    Restrict rootwrap find filter for NetAppNFS driver

    Additional make the name of the filter unique, so it does not override
    any other rule. Like the find rule of the GPFS driver.
    Rootwrap is making use of plain python ConfigParser which handles INI files
    with key=value pair like fashion. Where the key is unique.

    Closes-Bug: 1250101

    Change-Id: Id2f193485089e12f00008b38fad2b95a09674ff2

Reviewed: https://review.openstack.org/76529
Committed: https://git.openstack.org/cgit/openstack/cinder/commit/?id=2c44cfa2db0cd1a5ba6c02581b34136d7ee5d4fb
Submitter: Jenkins
Branch: master

commit 2c44cfa2db0cd1a5ba6c02581b34136d7ee5d4fb
Author: Daniel Gollub <email address hidden>
Date: Wed Feb 19 07:41:24 2014 +0100

    Restrict rootwrap find filter for IBM NAS and GPFS

    Additional make the name of the filter unique, so it does not override
    any other rule. Like the find rule of the NetAppNFS driver.
    Rootwrap is making use of plain python ConfigParser which handles INI files
    with key=value pair like fashion. Where the key is unique.

    Related-Bug: 1250101

    Change-Id: I56a96084dc736e73e3e9533803f65956699891a0