privilege escalation thru nova-rootwrap
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| OpenStack Compute (nova) | Incomplete | Undecided | Unassigned | |
Bug Description
```
bash-4.1$ id
uid=162(nova) gid=162(nova) groups=
bash-4.1$ ls /usr/bin/
-rwxrwxrwx 1 root root 2674 Dec 20 08:27 /usr/bin/
```
After this, an attacker can change the nova-rootwrap content and run any command with root privileges.

A possible way to fix this issue is to limit the paths on which chmod can be used, but there will be several more issues; for example:

```
touch /var/lib/nova/smth
sudo nova-rootwrap chown root /var/lib/nova/smth
sudo nova-rootwrap chmod +s /var/lib/nova/smth
```

Please let me know if you want me to provide patches for the issues I see with nova-rootwrap.
information type: Private Security → Public
Yes, it's a well-known issue that some filters are way too permissive for successful isolation if you use them (chown, chmod, dd come to mind). Ideally we would get rid of chmod/chown/dd usage in Nova completely. In the meantime, using RegExpFilter instead of CommandFilter could help.
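To make the RegExpFilter suggestion concrete, here is an added Python model of how a rootwrap CommandFilter and RegExpFilter decide a request. This is example code, not nova's or oslo.rootwrap's own implementation; the filter line syntax is rootwrap's, but the concrete chmod filter lines, the `/var/lib/nova/instances/...` path regex and the mode regex are assumptions chosen for illustration, and the refusal of `..` path components is extra hardening that rootwrap itself does not perform. The permissive filter sits beside the constrained one so the difference on the report's `chmod 777 /usr/bin/nova-rootwrap` request, and on the `chmod +s` case, is visible.

```python
"""Added model of nova-rootwrap filter matching (not nova's own code).

Filter line syntax is rootwrap's own:
    name: CommandFilter, <exec_path>, <run_as_user>
    name: RegExpFilter,  <exec_path>, <run_as_user>, <re argv0>, <re argv1>, ...
The concrete chmod filters below are constructed for this example.
"""
import re

# Constructed filter lines. WEAK_LINE is the kind of filter the bug report is
# about: the nova user may chmod anything. TIGHT_LINE (assumed path layout)
# allows only a 3-digit octal mode, so no setuid/setgid bit, on files two
# levels below /var/lib/nova/instances/.
WEAK_LINE = "chmod: CommandFilter, chmod, root"
TIGHT_LINE = (r"chmod: RegExpFilter, chmod, root, chmod, 0?[0-7]{3}, "
              r"/var/lib/nova/instances/[^/]+/[^/]+")


class CommandFilter:
    """Checks only that argv[0] names the executable; arguments are not inspected."""

    def __init__(self, exec_path, run_as, *args):
        self.exec_path = exec_path
        self.run_as = run_as
        self.args = args

    def match(self, argv):
        return bool(argv) and argv[0] == self.exec_path.rsplit("/", 1)[-1]


class RegExpFilter(CommandFilter):
    """Every argv element, argv[0] included, must fully match its own regex."""

    def match(self, argv):
        if len(argv) != len(self.args):
            return False
        try:
            return all(re.fullmatch(p, a) for p, a in zip(self.args, argv))
        except re.error:
            return False  # a malformed pattern denies rather than allows


def parse_filter(line):
    """Parse one 'name: Kind, exec_path, run_as, args...' filter line."""
    name, spec = line.split(":", 1)
    kind, exec_path, run_as, *args = [s.strip() for s in spec.split(",")]
    cls = {"CommandFilter": CommandFilter, "RegExpFilter": RegExpFilter}[kind]
    return name.strip(), cls(exec_path, run_as, *args)


def has_dotdot(argv):
    """Extra hardening added for this example (rootwrap did not do this):
    a regex constrains the argument string, not the path it resolves to,
    so refuse any '..' path component outright."""
    return any(".." in a.split("/") for a in argv)


def decide(filter_lines, argv):
    """Return the run-as user of the first matching filter, or None (deny)."""
    if has_dotdot(argv):
        return None
    for _name, flt in map(parse_filter, filter_lines):
        if flt.match(argv):
            return flt.run_as
    return None


if __name__ == "__main__":
    requests = [
        ["chmod", "777", "/usr/bin/nova-rootwrap"],  # the report's case
        ["chmod", "0644", "/var/lib/nova/instances/instance-1/console.log"],
        ["chmod", "+s", "/var/lib/nova/instances/instance-1/disk"],
        ["chmod", "4755", "/var/lib/nova/instances/instance-1/disk"],
        ["chmod", "0644", "/var/lib/nova/instances/../.."],
    ]
    for argv in requests:
        print(" ".join(argv))
        print("  CommandFilter:", decide([WEAK_LINE], argv))
        print("  RegExpFilter: ", decide([TIGHT_LINE], argv))
```

The per-argument regexes are anchored with `re.fullmatch`, mirroring the way rootwrap anchors each pattern at the end of the argument; an unanchored match would let a prefix such as `/var/lib/nova/instances/x/y` pass with arbitrary trailing text. The `..` refusal exists because, as the report's chown-then-chmod sequence shows, narrowing one filter's arguments only helps if the remaining filters cannot be chained around it.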
This is mostly the same as https://bugs.launchpad.net/nova/+bug/948520, so I suggest we just mark this one a duplicate of it.