openstack-tripleo-common: sudoers file is too permissive

Bug #1677315 reported by Toure Dunnon
Affects   Status    Importance   Assigned to   Milestone
tripleo   Expired   Undecided    Unassigned

Bug Description

The sudoers file as installed with OSP's openstack-tripleo-common package is much too permissive. It contains several lines for the mistral user that have wildcards that allow directory traversal with ".." and it grants full passwordless root access to the validations user.
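To make the two rule shapes named above concrete, here is an added audit script (not code from the tripleo project) that flags wildcard arguments and blanket `ALL` grants in a sudoers file; the sudoers lines it checks are constructed samples, not the contents of the real package's file.

```python
import re

# Constructed sample illustrating the shapes the bug report describes;
# these are NOT the lines from the real openstack-tripleo-common sudoers file.
SAMPLE_SUDOERS = """\
Defaults:mistral !requiretty
# wildcard in an argument: sudo's '*' also matches '/', so '..' escapes the directory
mistral ALL = NOPASSWD: /usr/bin/cp /var/lib/mistral/* /var/lib/mistral/*
# blanket passwordless root
validations ALL = (ALL) NOPASSWD: ALL
# an explicit, wildcard-free rule: no finding expected
mistral ALL = NOPASSWD: /usr/bin/systemctl status openvswitch
"""

WILDCARD = "wildcard-arg"      # '*', '?' or '[' in a command path or its arguments
ALL_NOPASSWD = "all-nopasswd"  # 'ALL' combined with NOPASSWD
ALL_CMDS = "all-cmds"          # 'ALL' but still password-protected

# user host = (runas) TAG: cmd, cmd ...  (simplified: no aliases, no line continuations)
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z]+:\s*)*)"
    r"(?P<cmds>.+)$"
)

def audit_sudoers(text):
    """Return (line_number, user, finding) for every over-permissive rule."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue  # alias definitions and other directives are out of scope here
        user = m.group("user")
        nopasswd = "NOPASSWD" in m.group("tags")
        for cmd in (c.strip() for c in m.group("cmds").split(",")):
            if cmd == "ALL":
                findings.append((lineno, user, ALL_NOPASSWD if nopasswd else ALL_CMDS))
            elif any(ch in cmd for ch in "*?["):
                # sudoers(5) wildcards match path separators, so a pattern such as
                # /var/lib/mistral/* also matches paths that climb out with ".."
                findings.append((lineno, user, WILDCARD))
    return findings

if __name__ == "__main__":
    for lineno, user, finding in audit_sudoers(SAMPLE_SUDOERS):
        print(f"line {lineno}: {user}: {finding}")
```

Replacing a wildcard with the explicit command and arguments actually needed (as the last sample line does) is what makes a rule pass the check.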

Revision history for this message
Toure Dunnon (toure) wrote:
Changed in tripleo:
importance: Undecided → Critical
status: New → Triaged
tags: added: ocata-backport-potential security-hardening
Changed in tripleo:
milestone: none → pike-1
Ben Nemec (bnemec) wrote:

I think we need to add a validations person to this bug to determine whether this will work. I suspect it may break some of the validations.

Ben Nemec (bnemec)
tags: added: validations
Changed in tripleo:
milestone: pike-1 → pike-2
Changed in tripleo:
milestone: pike-2 → pike-3
Florian Fuchs (flo-fuchs) wrote:

The permissions are needed in order to let validations use Ansible's "become" flag, which runs commands as root. Currently 18 out of the 26 validations use that flag, for all kinds of tasks like reading config files, calling hiera, getting service statuses, etc.

IIUC accepting the proposed patch would make these validations break. So we need to find a viable way to recognize the commands run as sudo in the current validations in the sudoers file (which potentially isn't so easy to identify, because some of them are called through builtin Ansible modules). Also, if we restrict what the validations user can do, we need to document this so authors of future validations know about the restrictions (and can suggest allowing further commands in the sudoers file if needed).

I can't think of something better right now. Ideas?

Changed in tripleo:
milestone: pike-3 → pike-rc1
Changed in tripleo:
milestone: pike-rc1 → pike-rc2
Changed in tripleo:
milestone: pike-rc2 → queens-1
Florian Fuchs (flo-fuchs) wrote:

This bug seems to have been re-opened in a separate report: https://bugs.launchpad.net/tripleo/+bug/1705709

The related commit has been merged, which breaks validations when run through mistral/UI (Details: https://bugs.launchpad.net/tripleo/+bug/1716625)

Changed in tripleo:
milestone: queens-1 → queens-2
Changed in tripleo:
milestone: queens-2 → queens-3
Changed in tripleo:
milestone: queens-3 → queens-rc1
Changed in tripleo:
milestone: queens-rc1 → rocky-1
Changed in tripleo:
milestone: rocky-1 → rocky-2
Changed in tripleo:
milestone: rocky-2 → rocky-3
Changed in tripleo:
milestone: rocky-3 → rocky-rc1
Changed in tripleo:
milestone: rocky-rc1 → rocky-rc2
Changed in tripleo:
milestone: rocky-rc2 → stein-1
Changed in tripleo:
milestone: stein-1 → stein-2
Emilien Macchi (emilienm) wrote: Cleanup EOL bug report

This is an automated cleanup. This bug report has been closed because it
is older than 18 months and there is no open code change to fix this.
After this time it is unlikely that the circumstances which led to
the observed issue can be reproduced.

If you can reproduce the bug, please:
* reopen the bug report (set to status "New")
* AND add the detailed steps to reproduce the issue (if applicable)
* AND leave a comment "CONFIRMED FOR: <RELEASE_NAME>"
  Only still supported release names are valid (FUTURE, PIKE, QUEENS, ROCKY, STEIN).
  Valid example: CONFIRMED FOR: FUTURE

Changed in tripleo:
importance: Critical → Undecided
status: Triaged → Expired
Jeremy Stanley (fungi)
information type: Private Security → Public