P3A subscribers can obtain the buildd_secret

Bug #600910 reported by William Grant
Affects: Launchpad itself
Status: Fix Released
Importance: High
Assigned to: Colin Watson

Bug Description

Since users now hold launchpad.View over their subscribed P3As, they can add them as dependencies and fire off a build, easily obtaining the buildd secret for any subscribed archive. Revoking their subscription will then not be effective, as they can simply use the internal buildd credentials.

OEM Services currently use the buildd credentials for a mission critical system. However, as of March 2011 they have prioritised (over the next 2-3 months) transitioning to regular subscribers rather than the use of the buildd_secret. This bug is deferred until they complete that transition: check with them at the end of May 2011 to confirm they are no longer using the buildd secret.

Changed in soyuz:
status: New → Triaged
importance: Undecided → High
tags: added: p3a ppa
tags: added: oem-services
summary: - P3A subscription revocation no longer particularly effective
+ P3A subscribers can obtain the buildd_secret
description: updated
Julian Edwards (julian-edwards) wrote : Re: [Bug 600910] Re: P3A subscribers can obtain the buildd_secret

On Friday 25 February 2011 20:19:05 Robert Collins wrote:

> + OEM Services currently use the buildd credentials for a mission critical
> + system. However as of March 2011 they have prioritised (over the next
> + 2-3 months) transitioning to regular subscribers rather than the use of
> + the buildd_secret. This bug is deferred until they complete that
> + transition : check with them at the end of May 2011 to confirm they are
> + no longer using the buildd secret.

Rob, this bug is nothing to do with that, it's about a *subscriber* getting
the buildd_secret when they should not be able to.

OEM can get it via the +admin screen and indeed that's how they do it.

This bug is a security risk for all private PPAs with subscribers.

Robert Collins (lifeless) wrote :

On Sat, Feb 26, 2011 at 10:51 AM, Julian Edwards
<email address hidden> wrote:

> Rob, this bug is nothing to do with that, it's about a *subscriber* getting
> the buildd_secret when they should not be able to.

My understanding from you and William was that the best approach in
solving the bug was to remove the thing entirely - essentially making
buildds just another subscriber to the ppa. Do we need to solve the
subscribers getting access issue before e.g. May? If not, we can just
remove the secret then and it's all done.

-Rob

Julian Edwards (julian-edwards) wrote :

Even if we do that, the problem remains the same, it's just using the subscription password instead of a buildd_secret, and a malicious package can steal the credentials.

We need a way of preventing access to the sources.list on the buildd itself. I don't think that's possible as user scripts run as root.

The only other solution I can think of is to prevent people adding private PPAs as dependencies.

Robert Collins (lifeless) wrote :

What about having one-time credentials for each build? Set it when dispatching, hand over the unique url, build happens, credentials are revoked.

Julian Edwards (julian-edwards) wrote :

That would be quite difficult I imagine - we'd need to have some way of altering the repository .htpasswd file from the buildd-manager. (It's currently written from a cron job running on germanium)

Robert Collins (lifeless) wrote :

On Thu, Jan 5, 2012 at 11:07 PM, Julian Edwards
<email address hidden> wrote:
> That would be quite difficult I imagine - we'd need to have some way of
> altering the repository .htpasswd file from the buildd-manager.  (It's
> currently written from a cron job running on germanium)

I was thinking something like when a build is requested, create a
one-time-token for it, which germanium lays down, and then when the
buildd-manager is done it removes it. We need to make germanium's thing
faster (rabbit), and that should be about it.

Colin Watson (cjwatson)
Changed in launchpad:
status: Triaged → In Progress
assignee: nobody → Colin Watson (cjwatson)
Colin Watson (cjwatson)
Changed in launchpad:
status: In Progress → Fix Committed
Colin Watson (cjwatson) wrote :

Archive.buildd_secret is gone in favour of dynamic authorization and tokens that are only valid for the lifetime of a build.
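The shape of the fix described above (a token issued at dispatch, checked by the archive on every fetch, and revoked when the build ends, so a token copied out of the build's sources.list is useless afterwards) as an added example; this is not Launchpad's code, and the class, the in-memory store and the TTL are assumptions.

```python
import hashlib
import hmac
import secrets
import time

class BuildTokenStore:
    """Hypothetical per-build archive credentials (added example, not Launchpad's code)."""

    def __init__(self, now=time.time):
        self._now = now      # injectable clock so expiry can be exercised
        self._tokens = {}    # build_id -> [archive, sha256(token), expires_at, revoked]

    def issue(self, build_id, archive, ttl_seconds):
        # At dispatch: the plaintext token goes into the build's sources.list;
        # the server keeps only its hash, so reading the store cannot recover it.
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).digest()
        self._tokens[build_id] = [archive, digest, self._now() + ttl_seconds, False]
        return token

    def authorize(self, build_id, archive, presented):
        # Checked by the archive web server on every request.
        rec = self._tokens.get(build_id)
        if rec is None:
            return False
        rec_archive, digest, expires_at, revoked = rec
        if revoked or rec_archive != archive or self._now() >= expires_at:
            return False
        presented_digest = hashlib.sha256(presented.encode()).digest()
        return hmac.compare_digest(digest, presented_digest)

    def revoke(self, build_id):
        # By the build manager as soon as the build finishes, success or not.
        if build_id in self._tokens:
            self._tokens[build_id][3] = True


def simulate_build_lifecycle():
    clock = [1000.0]
    store = BuildTokenStore(now=lambda: clock[0])
    token = store.issue("build-42", "private-ppa", ttl_seconds=3600)
    during = store.authorize("build-42", "private-ppa", token)      # True
    other = store.authorize("build-42", "other-ppa", token)         # False
    store.revoke("build-42")
    stolen = store.authorize("build-42", "private-ppa", token)      # False
    token2 = store.issue("build-43", "private-ppa", ttl_seconds=3600)
    clock[0] += 3601          # build hung past its TTL, never revoked
    expired = store.authorize("build-43", "private-ppa", token2)    # False
    return during, other, stolen, expired
```

The TTL is a backstop for builds whose revoke call never arrives; revocation at build completion is the primary control.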

Changed in launchpad:
status: Fix Committed → Fix Released
information type: Private Security → Public Security