
A somewhat odd configuration in cobbler.wsgi

Reported by David on 2011-09-25
Affects            Status    Importance   Assigned to   Milestone
Cobbler            New       Unknown
cobbler (Ubuntu)             High         Unassigned

Bug Description

I find it rather odd that in /usr/share/cobbler/web/ cobbler.wsgi
the following is set -->
os.environ['PYTHON_EGG_CACHE'] = '/tmp'

which probably isn't a good idea; however, I am not exactly sure of the impact of it (at this point). It seems that the PYTHON_EGG_CACHE is the location where any eggs that cobbler might use would be unpacked. As cobblerd runs as root, if a local user (I haven't verified this, it just seems easier to fix this bug...) it might be possible for them to place their own python modules (which would be read as they are from the 'cache') and gain root privileges.

Note: I installed cobbler as a result of installing ubuntu-orchestra. (cobbler version: 2.1.0+git20110602-0ubuntu25).
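An added check, written for this page and not taken from the bug report or from Cobbler's own code, that a WSGI entry point such as cobbler.wsgi could run before exporting PYTHON_EGG_CACHE. It refuses a cache directory that is a symlink, is owned by another user, or is group/world writable, which is why a shared /tmp is unsafe for a root-run daemon. The function names and the demo paths are assumptions.

```python
import os
import stat
import tempfile


def secure_egg_cache_dir(path):
    """Create `path` (mode 0700) if missing and verify it is safe to use as
    PYTHON_EGG_CACHE for the current user; raise RuntimeError otherwise."""
    try:
        os.mkdir(path, 0o700)
    except FileExistsError:
        pass
    st = os.lstat(path)  # lstat: never follow a symlink someone planted
    if stat.S_ISLNK(st.st_mode):
        raise RuntimeError("egg cache %r is a symlink" % path)
    if not stat.S_ISDIR(st.st_mode):
        raise RuntimeError("egg cache %r is not a directory" % path)
    if st.st_uid != os.geteuid():
        raise RuntimeError("egg cache %r not owned by uid %d" % (path, os.geteuid()))
    # Group/world writable lets other users drop modules into the cache;
    # the sticky bit on /tmp does not stop pre-created subdirectories.
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        raise RuntimeError("egg cache %r is group/world writable" % path)
    return path


def configure_egg_cache(path):
    """Export PYTHON_EGG_CACHE only after the directory passes the checks."""
    os.environ["PYTHON_EGG_CACHE"] = secure_egg_cache_dir(path)
    return os.environ["PYTHON_EGG_CACHE"]


def is_safe_egg_cache(path):
    try:
        secure_egg_cache_dir(path)
        return True
    except RuntimeError:
        return False


def demo():
    """Constructed scenario: a private directory is accepted and exported;
    a /tmp-style 1777 directory and a symlink to it are refused."""
    base = tempfile.mkdtemp()
    good = os.path.join(base, "egg-cache")
    shared = os.path.join(base, "shared")
    os.mkdir(shared)
    os.chmod(shared, 0o1777)
    link = os.path.join(base, "link")
    os.symlink(shared, link)
    return (is_safe_egg_cache(good),
            configure_egg_cache(good) == os.environ["PYTHON_EGG_CACHE"],
            is_safe_egg_cache(shared), is_safe_egg_cache(link))
```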

David (d--) on 2011-09-28
visibility: private → public
Changed in cobbler (Ubuntu):
importance: Undecided → High
Changed in cobbler (Ubuntu):
status: New → Triaged
Clint Byrum (clint-fewbar) wrote:

http://code.google.com/p/modwsgi/wiki/ApplicationIssues

"Note that you should refrain from ever using directories or files which have been made writable to anyone as this could compromise security. Also be aware that if hosting multiple applications under the same web server, they will all run as the same user and so it will be possible for each to both see and modify each others files. If this is an issue, you should host the applications on different web servers running as different users or on different systems. Alternatively, any data required or updated by the application should be hosted in a database with separate accounts for each application."

This file comes from upstream, so I forwarded the bug there as well.

Changed in cobbler:
status: Unknown → New
Launchpad Janitor (janitor) wrote:

This bug was fixed in the package cobbler - 2.2.2-0ubuntu1

---------------
cobbler (2.2.2-0ubuntu1) precise; urgency=low

  [Chuck Short]
  * New upstream release:
    + Use dh_python2 everywhere.
    + Folded debian/patches/49_ubuntu_add_arm_arch_support.patch
      and debian/patches/56_ubuntu_arm_generate_pxe_files.patch
      into one patch for easier upstreaming.
    + Dropped debian/patches/50_fix_cobbler_timezone.patch:
      Fix upstream.
    + Dropped debian/patches/47_ubuntu_add_oneiric_codename.patch
      in favor of debian/patches/47_ubuntu_add_codenames.patch:
      It adds "precise" and drops unsupported releases as well.
    + Dropped debian/patches/41_update_tree_path_with_arch.patch:
      No longer needed.
    + Dropped debian/patches/55_ubuntu_branding.patch: Will be moved
      to orchestra

  [Clint Byrum]
  * debian/cobbler.postinst: create users.digest mode 0600 so it
    is not world readable. (LP: #858860)
  * debian/control: cobbler needs to depend on python-cobbler
    (LP: #863738)
  * debian/patches/58_fix_egg_cache.patch: Do not point dangerous
    PYTHON_EGG_CACHE at world writable directory. (LP: #858875)
  * debian/cobbler-common.install: remove users.digest as it is
    not required and contains a known password that would leave
    cobblerd vulnerable if started before configuration is done
  * debian/cobbler-web.postinst: fix perms on webui_sessions to
    be more secure (LP: #863755)

  [Robie Basak]
  * Backport safe YAML load from upstream. (LP: #858883)
 -- Chuck Short <email address hidden> Tue, 15 Nov 2011 12:35:40 -0500

Changed in cobbler (Ubuntu):
status: Triaged → Fix Released
This report contains Public Security information.