add explicit egress 'owner' rule on non-bootstrapping nodes to require root access to zookeeper
Bug #966577 reported by Jamie Strandboge
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
pyjuju | In Progress | High | Clint Byrum |
juju (Ubuntu) | Triaged | High | Unassigned |
Precise | Won't Fix | High | Clint Byrum |
Bug Description
This is a tracking bug for a dependency of the juju MIR (bug #912861).
In summary: The security of the ZooKeeper on node 0 is critical. Even with full ACLs this pins all of the security of the local host onto one set of credentials. Users do not need to access ZooKeeper at all. An iptables rule must be added as a line of defense against privilege escalation by requiring that only root owned processes be allowed to access ZooKeeper.
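One way to realise the rule the description calls for, as an added example that is not the juju project's code and not the linked branch: a POSIX shell snippet that emits (and, when run as root, applies) an iptables egress chain letting only UID 0 open TCP connections to the ZooKeeper client port. The chain name `juju-zk-egress`, the constructed host list `10.0.0.10 10.0.0.11` and the use of port 2181 (ZooKeeper's default client port) are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not the juju project's code or the linked branch.
# Emit or apply iptables OUTPUT rules so that only root-owned processes
# on this (non-bootstrap) node may connect to the ZooKeeper ensemble.
#
# Assumptions (constructed for illustration): ZooKeeper listens on the
# default client port 2181 and the ensemble hosts are 10.0.0.10/11.
ZK_PORT=${ZK_PORT:-2181}
ZK_HOSTS=${ZK_HOSTS:-"10.0.0.10 10.0.0.11"}
ZK_CHAIN=juju-zk-egress

# Two rules per ensemble host: accept if the connecting process is owned
# by UID 0, otherwise reject with a TCP RST so an unprivileged client
# fails immediately instead of hanging on a dropped SYN.
zk_egress_rules_for_host() {
    host=$1
    printf 'iptables -A %s -d %s -p tcp --dport %s -m owner --uid-owner 0 -j ACCEPT\n' \
        "$ZK_CHAIN" "$host" "$ZK_PORT"
    printf 'iptables -A %s -d %s -p tcp --dport %s -j REJECT --reject-with tcp-reset\n' \
        "$ZK_CHAIN" "$host" "$ZK_PORT"
}

# Print the full command list, one iptables invocation per line.
# The owner match is only valid in OUTPUT (and mangle POSTROUTING), so the
# custom chain is reached through a jump inserted at the top of OUTPUT.
zk_egress_rules() {
    printf 'iptables -N %s 2>/dev/null || iptables -F %s\n' "$ZK_CHAIN" "$ZK_CHAIN"
    for h in $ZK_HOSTS; do
        zk_egress_rules_for_host "$h"
    done
    # -C checks for an existing jump so re-running the script is idempotent
    printf 'iptables -C OUTPUT -j %s 2>/dev/null || iptables -I OUTPUT 1 -j %s\n' \
        "$ZK_CHAIN" "$ZK_CHAIN"
}

# Apply the rules; refuses to run unless we are already root.
zk_egress_apply() {
    [ "$(id -u)" -eq 0 ] || { echo "zk_egress_apply: must run as root" >&2; return 1; }
    zk_egress_rules | sh -e
}

# Number of ACCEPT rules restricted to UID 0 (one per ensemble host).
zk_egress_count() {
    zk_egress_rules | grep -c -- '--uid-owner 0'
}

# Usage: zk_egress_rules   (review)   or   zk_egress_apply   (as root)
```

The chain only governs connections originating on this host, which is exactly the scope the bug asks for on non-bootstrap nodes; it does nothing for the bootstrap node's own INPUT path, so ZooKeeper's ACLs and the bootstrap node's ingress filtering still matter. Because `sudo` gives a user UID 0, the rule is a barrier against unprivileged processes, not against an administrator.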
Related branches
lp:~clint-fewbar/pyjuju/add-egress-zookeeper-protection
Ready for review for merging into lp:pyjuju
Reviewer: Juju Engineering: Pending requested
Diff: 1150 lines (+496/-461), 18 files modified:
juju/lib/tests/data/test_prestart (+10/-0)
juju/lib/tests/test_upstart.py (+14/-0)
juju/lib/upstart.py (+6/-1)
juju/providers/common/cloudinit.py (+43/-0)
juju/providers/common/tests/data/cloud_init_bootstrap (+33/-52)
juju/providers/common/tests/data/cloud_init_bootstrap_zookeepers (+45/-52)
juju/providers/common/tests/data/cloud_init_branch (+34/-29)
juju/providers/common/tests/data/cloud_init_branch_trunk (+34/-29)
juju/providers/common/tests/data/cloud_init_distro (+30/-27)
juju/providers/common/tests/data/cloud_init_ppa (+30/-27)
juju/providers/common/tests/data/cloud_init_proposed (+30/-27)
juju/providers/ec2/tests/data/bootstrap_cloud_init (+33/-53)
juju/providers/ec2/tests/data/launch_cloud_init (+29/-27)
juju/providers/ec2/tests/data/launch_cloud_init_branch (+33/-29)
juju/providers/ec2/tests/data/launch_cloud_init_ppa (+29/-27)
juju/providers/orchestra/launch.py (+1/-1)
juju/providers/orchestra/tests/data/bootstrap_user_data (+33/-53)
juju/providers/orchestra/tests/data/launch_user_data (+29/-27)
Changed in juju (Ubuntu Precise):
  importance: Undecided → High
Changed in juju (Ubuntu Precise):
  milestone: ubuntu-12.04 → ubuntu-12.04.1
Changed in juju (Ubuntu):
  milestone: ubuntu-12.04 → none
Changed in juju:
  status: New → Triaged
  importance: Undecided → High
  milestone: none → honolulu
Changed in juju (Ubuntu Precise):
  milestone: ubuntu-12.04.1 → precise-updates
Changed in juju:
  status: Triaged → In Progress
  assignee: nobody → Clint Byrum (clint-fewbar)
  tags: added: security; removed: rls-p-tracking
Changed in juju (Ubuntu Precise):
  assignee: nobody → Clint Byrum (clint-fewbar)
  milestone: precise-updates → 0.7
  status: Triaged → In Progress
  description: updated
Changed in juju (Ubuntu Precise):
  milestone: 0.7 → none
  status: In Progress → Triaged
Changed in juju:
  milestone: 0.6 → 0.7
Changed in juju:
  milestone: 0.7 → 0.8
Note that the suggested fix will be less important once bug #821074 is fixed.