Comment 14 for bug 1006414

Sebastian Krahmer (krahmer-p) wrote :

E.g. an attacker from the VM or 'outside network' could send bogus ARP packets to the swift proxy,
polluting its ARP cache so that any connect() to an internal memcache IP will end up at the attacker, who can then
send any response to the proxy's memcache.get() and trigger the pickle.

I think it will cause the network admin a lot of headaches to nail down such things.

I am not really deep into the internals of WSGI, but would it be easily possible to drop
the UID to a nova-user and/or chroot to /var/run/nova once the swift proxy has started? Or is that a problem
with Python's imports?
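
The comment above treats the memcache reply as attacker-controlled. As an added example (not part of the original comment and not Swift's own code), this is one way a cache client can decode such replies without letting a pickle stream resolve importable objects. The flag values, the exception name and `decode_cache_value` are hypothetical names chosen for the illustration.

```python
import io
import json
import pickle

# Hypothetical per-entry flags stored next to each cached value (assumption).
PICKLE_FLAG = 1
JSON_FLAG = 2


class UntrustedCacheValue(Exception):
    """Raised when a cache reply cannot be decoded safely."""


class _NoGlobalsUnpickler(pickle.Unpickler):
    """Unpickler that rebuilds only built-in containers and scalars."""

    def find_class(self, module, name):
        # Every global lookup in a pickle stream goes through find_class;
        # refusing all of them stops the stream from naming any callable.
        raise UntrustedCacheValue(f"pickle references {module}.{name}")


def decode_cache_value(flags, raw, allow_legacy_pickle=False):
    """Decode bytes returned by a cache server that is treated as untrusted."""
    if flags & JSON_FLAG:
        try:
            return json.loads(raw.decode("utf-8"))
        except (UnicodeDecodeError, ValueError) as exc:
            raise UntrustedCacheValue("malformed JSON value") from exc
    if flags & PICKLE_FLAG:
        if not allow_legacy_pickle:
            raise UntrustedCacheValue("pickled value refused")
        try:
            return _NoGlobalsUnpickler(io.BytesIO(raw)).load()
        except UntrustedCacheValue:
            raise
        except Exception as exc:  # truncated or corrupt stream
            raise UntrustedCacheValue("malformed pickle value") from exc
    return raw  # no flag set: plain bytes, returned undecoded
```

With `allow_legacy_pickle=True`, entries written before a migration to JSON still load as long as they contain only plain data; anything that references a class or function is rejected.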