nova-rootwrap does a poor job of validating parameters
Bug #948520 reported by Joe Gordon
This bug affects 5 people
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
Cinder | Won't Fix | Wishlist | Unassigned | |
OpenStack Compute (nova) | Invalid | Wishlist | Unassigned | |
oslo-incubator | Invalid | Medium | Unassigned | |
Bug Description
Although nova-rootwrap does limit which commands can be run as root, it doesn't validate the parameters passed through.
For example, '/bin/dd' is allowed by 'nova/rootwrap/
'sudo nova-rootwrap dd if=/tmp/mypw of=/etc/passwd'
This means that if someone can get nova user access they can gain root access.
Changed in cinder:
status: New → Triaged
importance: Undecided → Wishlist
Changed in oslo:
importance: Undecided → Medium
status: New → Triaged
Changed in nova:
status: Triaged → Confirmed
Changed in nova:
status: Confirmed → Invalid
Changed in cinder:
status: Triaged → Won't Fix
Completely agree. We still need to add custom CommandFilters for a lot of commands, in particular those chown/chmod/dd running on compute/network nodes, if we want to efficiently prevent nova->root privilege escalation.
nova-rootwrap just provides the framework that allows doing that (previously we used plain "sudo" which didn't allow any filtering at all), and provides node separation (so the user-facing nova-api can't run any command as root at all). So it's an incremental improvement compared to previous versions, but it's not perfect yet.
That was on my TODO for Essex but I just didn't get to it. Will do in Folsom though, if nobody beats me to it.
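
The difference between a name-only filter and a parameter-validating filter for `dd`, as an added example that is not part of the original bug report or comment and is not nova-rootwrap's own code. The class names, the `match` method and the constructor arguments are assumptions made for illustration.

```python
import os


class CommandFilter:
    """Name-only check: the behaviour the bug report describes."""

    def __init__(self, exec_path):
        self.exec_path = exec_path

    def match(self, userargs):
        return bool(userargs) and userargs[0] == os.path.basename(self.exec_path)


class DdFilter(CommandFilter):
    """Hypothetical filter that also validates every dd operand."""

    NUMERIC = {"bs", "count", "seek", "skip"}  # accepted only as plain integers

    def __init__(self, exec_path, read_dirs, write_dirs):
        super().__init__(exec_path)
        self.roots = {"if": read_dirs, "of": write_dirs}

    @staticmethod
    def _inside(path, roots):
        real = os.path.realpath(path)  # collapses '..' and follows symlinks
        for root in map(os.path.realpath, roots):
            if os.path.commonpath([real, root]) == root:
                return True
        return False

    def match(self, userargs):
        if not super().match(userargs):
            return False
        seen = set()
        for arg in userargs[1:]:
            key, sep, value = arg.partition("=")
            if not sep or key in seen:  # bare word or repeated operand
                return False
            seen.add(key)
            if key in self.roots:
                if not (os.path.isabs(value) and self._inside(value, self.roots[key])):
                    return False
            elif key in self.NUMERIC:
                if not (value.isascii() and value.isdigit()):
                    return False
            else:  # any operand not listed above is refused
                return False
        return {"if", "of"} <= seen  # both paths must be given explicitly
```

With `read_dirs` and `write_dirs` limited to a dedicated data directory, the `dd` invocation from the bug description is refused, while the name-only filter accepts it. The path check is only as strong as the permissions on the allowed directories: if the unprivileged user can create symlinks there between the check and the execution, the filter can be raced.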