Cinder

cinder allows 'env' as commandfilter in rootwrap

Bug #1269958 reported by Dirk Mueller on 2014-01-16

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	Cinder	Fix Released	Medium	Dirk Mueller	Cinder 2014.1 "icehouse"

Bug Description

cinder/image/image_utils.py uses

  def qemu_img_info(path):
      """Return a object containing the parsed output from qemu-img info."""
      out, err = utils.execute('env', 'LC_ALL=C', 'LANG=C',
                               'qemu-img', 'info', path,
                               run_as_root=True)
      return QemuImgInfo(out)

This was added as part of I849b04b8aae76da068abcd2a20c1fcecca8a5caa

There is nothing wrong with that per se, however the rootwrap filters were updated with:

+ env: CommandFilter, /usr/bin/env, root

env is a wrapper that allows to run any command in the $PATH, so this is more or less equivalent to allowing bash in commandfilter. As a hardening precaution, env should not be allowed in CommandFilter.

The code in question can be easily reworked and EnvFilter can be used instead to harden the check.

Revision history for this message

John Griffith (john-griffith) wrote on 2014-01-16:

Seems this should be fixed up in other places as well, including the brick/local_dev/lvm.py code.

Changed in cinder:
status:	New → Triaged
importance:	Undecided → Medium
assignee:	nobody → John Griffith (john-griffith)

OpenStack Infra (hudson-openstack) on 2014-01-16

Changed in cinder:
assignee:	John Griffith (john-griffith) → Dirk Mueller (dmllr)
status:	Triaged → In Progress

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2014-01-22: Fix merged to cinder (master)

Reviewed: https://review.openstack.org/67313
Committed: https://git.openstack.org/cgit/openstack/cinder/commit/?id=9c1ad54e7815d50d9561d88337724ad2042c92a2
Submitter: Jenkins
Branch: master

commit 9c1ad54e7815d50d9561d88337724ad2042c92a2
Author: Dirk Mueller <email address hidden>
Date: Thu Jan 16 22:59:41 2014 +0100

Remove env from rootwrap filter

    Allowing 'env' as a CommandFilter is similar to
    allowing '/bin/bash', which makes all of rootwrap pointless.
    Use EnvFilter instead. Change corresponding commands
    that use env for setting C locale and adjust rootwrap
    filters accordingly.

    Several commands that output information that is
    parsed as input by cinder change their behavior
    based on the environment locale, which is depending
    on local system settings. The code is however only
    able to parse in C locale, so enforce that one.

Closes-Bug: #1269958

Change-Id: Ie1463e608c80204c7a8906efb95899a66aa733da

Changed in cinder:
status:	In Progress → Fix Committed

Thierry Carrez (ttx) on 2014-01-22

Changed in cinder:
milestone:	none → icehouse-2
status:	Fix Committed → Fix Released

Thierry Carrez (ttx) on 2014-04-17

Changed in cinder:
milestone:	icehouse-2 → 2014.1

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.