I reviewed python-rtslib-fb 2.1.71-0ubuntu1 as checked into focal. This
shouldn't be considered a full audit but rather a quick gauge of
maintainability.
python-rtslib-fb is a programmatic interface to the Linux kernel's LIO
target. Working with Python objects causes writes to the kernel's
/sys/kernel/config/target interface.
It also provides an executable to save the live config to a file on
service shutdown, and load the config into the running kernel on service
start.
- No CVEs in our database; when I reported a low severity problem, a fix
was committed 13 hours later.
- Build-Depends?
- debhelper-compat (= 9), dh-python, openstack-pkg-tools (>= 99~),
python3-all, python3-setuptools, python3-six
- pre/post inst/rm scripts?
- postrm script improperly removes the alternatives entry against
policy -- it should be called from prerm instead: https://lintian.debian.org/tags/maintainer-script-should-not-use-update-alternatives-remove.html
- py3compile command isn't guarded with || true; -- is this correct?
- init scripts?
- initscript has multiple shellcheck warnings
- race condition combined with busy-wait "sleep"
- systemd units?
- Creates directory with ExecStart=mkdir -p rather than
ConfigurationDirectory= directive
- No dbus config
- No setuid executables
- new binary targetctl in PATH
- No sudo fragments
- No polkit rules
- No udev rules
- Very small number of tests -- as doctests -- and I can't tell if they
run during the build or not
- No cron jobs
- Lintian warnings and errors reported
- Spawns a subprocess to perform module loading -- the subprocess itself
looks fine, but the module loading feels out of place. There is probably
a better way to do this.
- File IO is used extensively; some small helper functions are written to
make it look easy. The tool works extensively in a virtual filesystem
meant to configure things.
- Very little logging
- No environment variable use
- While this performs privileged operations, it mostly does so via read
and write -- and the "modprobe" Popen.
- No cryptography
- No temp files
- No networking
- No webkit
- No policykit
While reading the code I found a low-severity issue and reported it:
https://github.com/open-iscsi/rtslib-fb/issues/161
Upstream checked in a fix in 13 hours.
The systemd unit file uses an explicit mkdir call rather than using a
declarative setting.
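To make the unit-file point concrete, here is a constructed illustration (added here; it is not the unit file shipped in the package) of the imperative mkdir form next to the declarative ConfigurationDirectory= form. The service name, the /etc/target path and the "targetctl restore" / "targetctl save" invocations are assumptions for the illustration.

```ini
# Constructed illustration, not the package's actual unit file.
# Assumed: config lives in /etc/target, loaded with "targetctl restore"
# and written back with "targetctl save".

# ---- Form flagged in the review: directory created imperatively ----
[Unit]
Description=Restore LIO kernel target configuration (illustration, before)

[Service]
Type=oneshot
RemainAfterExit=yes
# Extra process, mode and ownership left to the umask of the environment,
# and nothing records that this directory belongs to the service.
ExecStart=/bin/mkdir -p /etc/target
ExecStart=/usr/bin/targetctl restore
ExecStop=/usr/bin/targetctl save

# ---- Declarative form: systemd creates /etc/target before ExecStart ----
[Unit]
Description=Restore LIO kernel target configuration (illustration, after)

[Service]
Type=oneshot
RemainAfterExit=yes
# Path is relative to /etc; systemd creates it with the unit's User=/Group=
# (root here) before the first ExecStart runs, so no mkdir process is needed.
ConfigurationDirectory=target
# Default is 0755; tighten if the saved config can contain credentials.
ConfigurationDirectoryMode=0700
ExecStart=/usr/bin/targetctl restore
ExecStop=/usr/bin/targetctl save
```

The two [Unit] blocks are shown in one listing only for side-by-side comparison; a real unit file contains one of them. Note that systemd unit files do not support trailing comments on a directive line, which is why every comment above sits on its own line. The declarative form also exposes the directory to the service as $CONFIGURATION_DIRECTORY, which keeps the path in one place if the ExecStart= command needs it.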
The postrm/prerm scripts need work.
Security team ACK for promoting python-rtslib-fb to main. I'd like the
security fix and the packaging issues fixed before this package is
promoted.
Thanks