Replace use of chown in maintainer scripts
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
heat-dashboard (Ubuntu) | Triaged | Medium | Unassigned |
Bug Description
From Seth's security review:
TL;DR: please see if we could replace the use of chown -R with something else.
"""
I reviewed heat-dashboard version 1.4.0-0ubuntu1 as checked into cosmic.
This shouldn't be considered a full audit but rather a quick gauge of maintainability.
heat-dashboard is a web interface to the heat openstack orchestration tool, which can help spin up repeatable instances of guests and networks.
- No CVEs in our database
- Huge list of build-depends, long enough I'll skip pasting it here
- pre/post inst/rm scripts mostly automatically added, but there is a section to "compress the JS and CSS"[1] that also uses a recursive chown. This is dangerous on many kernels.
- No init scripts
- No systemd units
- No dbus services
- No setuid
- No binaries in PATH
- No sudo fragments
- No udev rules
- There are some tests but I didn't see their results in the logs
- No cron jobs
- lintian failure in the build logs[2]
- No processes spawned
- No file IO
- Minimal logging, looked fine
- No environment use
- No privileged functions
- Random numbers are generated in Javascript for some reason; using safe sources before falling back to unsafe sources
- OpenStack settings OPENSTACK_ configure TLS verification and trust root
- No temp files
- Extensive networking via django; a handful of inspected methods looked properly defensive
- No WebKit
- No PolicyKit
I also found and reported a potential problem with incorrectly escaped URLs: https:/
I can't tell if this would break anything important or not.
Security team ACK for promoting heat-dashboard to main. I'd like to see the chown -R removed but don't know what to suggest in its place.
Thanks
[1]: Note especially the 'chown -R' command; on kernels that follow hardlinks from one uid to another, this can allow horizon to gain ownership of any other files on the filesystem.

    if [ "$1" = "configure" ] ; then
        # Compress the JS and CSS with python-compressor and python-lesscpy
        python /usr/share/
        python /usr/share/
        if [ -f '/var/lib/
            rm -f /var/lib/
        fi
        if [ -d /var/lib/
            chown -R horizon:horizon /var/lib/
        fi
    fi
[2]:
E: heat-dashboard source: source-is-missing xstatic/
E: heat-dashboard source: source-is-missing heat_dashboard/
W: python-
W: python-
W: python3-
W: python3-
W: heat-dashboard-
E: heat-dashboard-
"""
Changed in heat-dashboard (Ubuntu):
status: New → Triaged
importance: Undecided → Wishlist
importance: Wishlist → Medium