kolla-ansible

harden kolla horizon usage of /tmp/

Series caracal
Bug #2068126

Bug #2068126 reported by Sven Kieske on 2024-06-05

256

This bug affects 1 person

	Status	Importance	Assigned to	Milestone
kolla-ansible	Status tracked in Dalmatian
Antelope	In Progress	Low	Unassigned
Bobcat	In Progress	Low	Unassigned
Caracal	In Progress	Low	Unassigned
Dalmatian	Fix Released	Low	Sven Kieske	kolla-ansible 19.0.0
Yoga	In Progress	Low	Unassigned
Zed	In Progress	Low	Unassigned

Bug Description

currently kolla-ansible bindmounts /tmp/ from the docker host (so usually the control-plane node) inside the container.

The Webapp itself runs as user horizon, but the Webserver (apache2) runs as root and is able to manipulate arbitrary files in private tmp dirs of services running inside other namespaces/containers on the host, including admin system services like systemd-logind:

dragon@ctl001:~$ docker exec -it --user=root horizon bash
(horizon)[root@ctl001 /]# cd /tmp/systemd-private-9dd6fe4987b6480e821f3e5a0333b4b7-systemd-logind.service-srLJIk/tmp/
(horizon)[root@ctl001 tmp]# touch pwned
(horizon)[root@ctl001 tmp]# ls -lashin
total 8.0K
2097732 4.0K drwxrwxrwt 2 0 0 4.0K Jun 5 07:55 .
2097731 4.0K drwx------ 3 0 0 4.0K Jun 5 07:50 ..
2097519 0 -rw-r--r-- 1 0 0 0 Jun 5 07:55 pwned
dragon@ctl001:~$ sudo su -
root@ctl001:~# ls -lashin /tmp/systemd-private-9dd6fe4987b6480e821f3e5a0333b4b7-systemd-logind.service-srLJIk/tmp
total 8.0K
2097732 4.0K drwxrwxrwt 2 0 0 4.0K Jun 5 07:55 .
2097731 4.0K drwx------ 3 0 0 4.0K Jun 5 07:50 ..
2097519 0 -rw-r--r-- 1 0 0 0 Jun 5 07:55 pwned

I'll provide a patch for that.

See also my downstream bug report at:

https://github.com/osism/issues/issues/1047

I found this bug when researching kolla-ansible for unsafe usage of /tmp/ directories.

Tags:

Sven Kieske (s-kieske) on 2024-06-05

Changed in kolla-ansible:
assignee:	nobody → Sven Kieske (s-kieske)

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2024-06-05: Fix proposed to kolla-ansible (master)

Fix proposed to branch: master
Review: https://review.opendev.org/c/openstack/kolla-ansible/+/921371

Changed in kolla-ansible:
status:	New → In Progress

Sven Kieske (s-kieske) on 2024-06-21

Changed in kolla-ansible:
milestone:	none → 19.0.0
importance:	Undecided → Low

Dr. Jens Harbott (j-harbott) on 2024-08-28

summary:

- harden kolla horzion usage of /tmp/
+ harden kolla horizon usage of /tmp/

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2024-08-28: Fix merged to kolla-ansible (master)

Reviewed: https://review.opendev.org/c/openstack/kolla-ansible/+/921371
Committed: https://opendev.org/openstack/kolla-ansible/commit/f306e9ca88796f3f77fb2f3fef343c167d11b13a
Submitter: "Zuul (22348)"
Branch: master

commit f306e9ca88796f3f77fb2f3fef343c167d11b13a
Author: Sven Kieske <email address hidden>
Date: Wed Jun 5 11:49:59 2024 +0200

hardening horizon: don't mount hosts /tmp

    consider this a security hardening
    as it would be possible to write to host
    owned private tmp files e.g. of systemd-logind
    when you are able to highjack the apache2 process
    inside the horizon container, which runs as root.

see the bug report for a demonstration of this.

I checked the horizon code, it only facilitates
python tempfiles module for temp file usage.

    I also checked the horizon container we build
    via `kolla-build -b ubuntu horizon`, which has
    a /tmp/ directory.
    So no mountpoint should be needed.

Closes-Bug: #2068126

Signed-off-by: Sven Kieske <email address hidden>
Change-Id: I7ae1db8d42c83b773047bb01e846d4abee02710a

Changed in kolla-ansible:
status:	In Progress → Fix Released

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2024-08-29: Fix proposed to kolla-ansible (stable/2024.1)

Fix proposed to branch: stable/2024.1
Review: https://review.opendev.org/c/openstack/kolla-ansible/+/927468

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2024-08-29: Fix proposed to kolla-ansible (stable/2023.2)

Fix proposed to branch: stable/2023.2
Review: https://review.opendev.org/c/openstack/kolla-ansible/+/927469

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2024-08-29: Fix proposed to kolla-ansible (stable/2023.1)

Fix proposed to branch: stable/2023.1
Review: https://review.opendev.org/c/openstack/kolla-ansible/+/927470

Revision history for this message

OpenStack Infra (hudson-openstack) wrote 2 hours ago: Fix proposed to kolla-ansible (unmaintained/zed)

Fix proposed to branch: unmaintained/zed
Review: https://review.opendev.org/c/openstack/kolla-ansible/+/927661

Revision history for this message

OpenStack Infra (hudson-openstack) wrote 2 hours ago: Fix proposed to kolla-ansible (unmaintained/yoga)

Fix proposed to branch: unmaintained/yoga
Review: https://review.opendev.org/c/openstack/kolla-ansible/+/927662

Maksim Malchuk (mmalchuk) 2 hours ago

tags:	added: security
information type:	Public → Public Security

Report a bug

This report contains Public Security information

Everyone can see this security related information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.