OpenStack DBaaS (Trove)

root-enable gives access to create unnnoticed root-like users

Bug #1472655 reported by Sushil Kumar on 2015-07-08

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	OpenStack DBaaS (Trove)	In Progress	High	Petr Malik	OpenStack DBaaS (Trove) ongoing

Bug Description

A security hole exists where a user can create an alternate root user, using following workflow

1. create an instance.
2. enable root
3. create another user manually after logging into database, and grant full access.
4. delete 'root'@'%' user.
5. backup the instance.
6. restore the backup to another instance, now this new instance has a root-access user without the knowledge of deployer.

Sushil Kumar (sushil-kumar2) on 2015-07-08

Changed in trove:
assignee:	nobody → Sushil Kumar (sushil-kumar2)

Sushil Kumar (sushil-kumar2) on 2015-07-08

Changed in trove:
importance:	Undecided → Critical

OpenStack Infra (hudson-openstack) on 2015-07-08

Changed in trove:
status:	New → In Progress

Sushil Kumar (sushil-kumar2) on 2015-07-08

Changed in trove:
milestone:	none → liberty-2

Revision history for this message

Amrith Kumar (amrith) wrote on 2015-07-08:

I suggest you enter a BP for this

Revision history for this message

Sushil Kumar (sushil-kumar2) wrote on 2015-07-08:

With the fix I have proposed(https://review.openstack.org/#/c/199635/), it seems to me a simple one liner.

Nikhil Manchanda (slicknik) on 2015-07-14

Changed in trove:
importance:	Critical → High

Nikhil Manchanda (slicknik) on 2015-07-26

Changed in trove:
milestone:	liberty-2 → liberty-3

Nikhil Manchanda (slicknik) on 2015-08-31

Changed in trove:
milestone:	liberty-3 → ongoing

Revision history for this message

Morgan Jones (6-morgan) wrote on 2015-12-18:

Doing a blueprint is more about the impact of the change and how many people should have the option to review the change, than it has to do with the number of lines of code changed. While I see the merit of this change, even if it is not the complete solution to the problem, I do believe a blueprint is warranted to increase the visibility of the change.

Revision history for this message

Craig Vyvial (cp16net) wrote on 2016-01-04:

I disagree with Morgan here because it is a bug in the code and not an additional feature.

Revision history for this message

Amrith Kumar (amrith) wrote on 2016-01-04:

What is the "bug" here?

You grant a person super-user access, then you can assume that the person will do things that are permissible with that superuser access.

The implication of 'root access' is that once granted, the instance is tainted. Once root access is granted to an instance, it is forever 'root enabled'.

Therefore to claim that this is a security hole is, first of all, not a meaningful assumption.

I requested a bp (in my review) and I believe that there is more to consider here than merely changing one query. That is akin to applying Johnson and Johnson's finest Band Aid on the side of the HMS Titanic.

Amrith Kumar (amrith) on 2016-04-05

Changed in trove:
milestone:	ongoing → newton-1
assignee:	Sushil Kumar (sushil-kumar2) → nobody

Amrith Kumar (amrith) on 2016-07-28

Changed in trove:
assignee:	nobody → Petr Malik (pmalik)

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2016-08-12: Change abandoned on trove (master)

Change abandoned by amrith (<email address hidden>) on branch: master
Review: https://review.openstack.org/199635
Reason: per trove meeting, August 10th, this is being abandoned for inactivity. If you want to continue work on this you can restore it.

Amrith Kumar (amrith) on 2016-09-18

Changed in trove:
milestone:	newton-1 → ongoing

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.