Insecure defaults for `openstack security group rule create`
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| neutron |
Expired
|
Undecided
|
Unassigned | ||
| python-openstackclient |
Incomplete
|
Undecided
|
Unassigned | ||
Bug Description
It's really easy to open up access to anyone by mistake. If you supply no options when creating a new rule, it defaults to allowing access to all ports to any remote host.
I'm not sure what the right fix is, but I would expect that sort of permissive access to be a bit harder to create.
# allow anyone to access any tcp port - so simple!
$ openstack security group rule create default
+------
| Field | Value |
+------
| created_at | None |
| description | None |
| direction | ingress |
| ether_type | IPv4 |
| id | 7d481fad-
| name | None |
| port_range_max | None |
| port_range_min | None |
| project_id | c6f313e10752449
| protocol | tcp |
| remote_group_id | None |
| remote_ip_prefix | 0.0.0.0/0 |
| revision_number | None |
| security_group_id | a5fbd65f-
| updated_at | None |
+------
| Dean Troyer (dtroyer) wrote | #1 |
| Changed in python-openstackclient: | |
| status: | New → Incomplete |
| Reedip (reedip-banerjee-deactivatedaccount) wrote | #2 |
| Changed in neutron: | |
| status: | New → Incomplete |
| Launchpad Janitor (janitor) wrote | #3 |
| Changed in neutron: | |
| status: | Incomplete → Expired |
(assuming this refers to a Neutron cloud)
OSC sets no default values for security group rule create, if you do not include it on the command line we do not pass it to Neutron, so any values assumed are being set in Neutron itself.
Your example shows no ports being allowed, again from a user standpoint I would expect this rule to produce no results. If it allows all TCP traffic it is due to how Neutron handles defaults for API arguments that are not present.