harden kolla horizon usage of /tmp/
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
kolla-ansible | Status tracked in Dalmatian | | |
Antelope | New | Undecided | Unassigned |
Bobcat | New | Undecided | Unassigned |
Caracal | New | Undecided | Unassigned |
Dalmatian | In Progress | Low | Sven Kieske |
Bug Description
Currently kolla-ansible bind-mounts /tmp/ from the Docker host (so usually the control-plane node) inside the container.
The web app itself runs as user horizon, but the web server (apache2) runs as root and is able to manipulate arbitrary files in private tmp dirs of services running inside other namespaces/
```
dragon@ctl001:~$ docker exec -it --user=root horizon bash
(horizon)
(horizon)
(horizon)
total 8.0K
2097732 4.0K drwxrwxrwt 2 0 0 4.0K Jun 5 07:55 .
2097731 4.0K drwx------ 3 0 0 4.0K Jun 5 07:50 ..
2097519 0 -rw-r--r-- 1 0 0 0 Jun 5 07:55 pwned
dragon@ctl001:~$ sudo su -
root@ctl001:~# ls -lashin /tmp/systemd-
total 8.0K
2097732 4.0K drwxrwxrwt 2 0 0 4.0K Jun 5 07:55 .
2097731 4.0K drwx------ 3 0 0 4.0K Jun 5 07:50 ..
2097519 0 -rw-r--r-- 1 0 0 0 Jun 5 07:55 pwned
```
I'll provide a patch for that.
See also my downstream bug report at:
https:/
I found this bug when researching kolla-ansible for unsafe usage of /tmp/ directories.
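As an added example (not from the bug report or from kolla-ansible itself), a small audit that reads `docker inspect` output and flags containers whose bind mounts expose the host's /tmp, which is the condition described above. The JSON is a constructed sample, and the `Config.User` check is only a hint: the report notes that apache2 runs as root inside the horizon container regardless of the configured user.

```python
import json
from pathlib import PurePosixPath

# Constructed sample of `docker inspect` output (not real kolla deployment data):
# one container bind-mounts the host's /tmp read-write, the other does not.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/horizon", "Config": {"User": ""},
     "Mounts": [
         {"Type": "bind", "Source": "/etc/kolla/horizon",
          "Destination": "/var/lib/kolla/config_files", "RW": False},
         {"Type": "bind", "Source": "/tmp", "Destination": "/tmp", "RW": True}]},
    {"Name": "/keystone", "Config": {"User": "keystone"},
     "Mounts": [
         {"Type": "volume", "Source": "/var/lib/docker/volumes/kolla_logs/_data",
          "Destination": "/var/log/kolla", "RW": True}]},
])


def shares_host_tmp(mount):
    """True if a bind mount exposes the host's /tmp or any path beneath it."""
    if mount.get("Type") != "bind":
        return False
    src = PurePosixPath(mount.get("Source", ""))
    return src == PurePosixPath("/tmp") or PurePosixPath("/tmp") in src.parents


def runs_as_root(config):
    """Config.User is empty, 'root' or '0' (only a hint; entrypoints may switch users)."""
    user = (config.get("User") or "").split(":")[0]
    return user in ("", "root", "0")


def audit(inspect_json):
    """Return {container: [finding, ...]} for containers that mount the host's /tmp."""
    findings = {}
    for c in json.loads(inspect_json):
        risky = [m for m in c.get("Mounts", []) if shares_host_tmp(m)]
        if not risky:
            continue
        notes = []
        for m in risky:
            mode = "read-write" if m.get("RW", True) else "read-only"
            notes.append(f"host {m['Source']} bind-mounted at {m['Destination']} ({mode})")
        if runs_as_root(c.get("Config", {})):
            notes.append("container user is root; host /tmp is fully writable from inside")
        findings[c["Name"].lstrip("/")] = notes
    return findings


if __name__ == "__main__":
    for name, notes in audit(SAMPLE_INSPECT).items():
        print(name, *("  - " + n for n in notes), sep="\n")
```

Feed it `docker inspect $(docker ps -q)` on a control-plane node to list every container that shares the host's /tmp; a private tmpfs or a per-container directory removes the finding.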
Changed in kolla-ansible:
assignee: nobody → Sven Kieske (s-kieske)
Changed in kolla-ansible:
milestone: none → 19.0.0
importance: Undecided → Low
Fix proposed to branch: master
Review: https://review.opendev.org/c/openstack/kolla-ansible/+/921371