Ubuntu

add explicit egress 'owner' rule on non-bootstrapping nodes to require root access to zookeeper

Reported by Jamie Strandboge on 2012-03-27
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
pyjuju
High
Clint Byrum
juju (Ubuntu)
High
Unassigned
Precise
High
Clint Byrum

Bug Description

This is a tracking bug for a dependency of the juju MIR (bug #912861).

In summary: The security of the ZooKeeper on node 0 is critical. Even with full ACLs this pins all of the security of the local host onto one set of credentials. Users do not need to access ZooKeeper at all. An iptables rule must be added as a line of defense against privilege escalation by requiring that only root owned processes be allowed to access ZooKeeper.

Changed in juju (Ubuntu Precise):
importance: Undecided → High
Changed in juju (Ubuntu Precise):
milestone: ubuntu-12.04 → ubuntu-12.04.1
Changed in juju (Ubuntu):
milestone: ubuntu-12.04 → none
Changed in juju:
status: New → Triaged
importance: Undecided → High
milestone: none → honolulu
James Page (james-page) on 2012-08-14
Changed in juju (Ubuntu Precise):
milestone: ubuntu-12.04.1 → precise-updates
Clint Byrum (clint-fewbar) wrote :

Note that the suggested fix will be less important once bug #821074 is fixed.

Changed in juju:
status: Triaged → In Progress
assignee: nobody → Clint Byrum (clint-fewbar)
tags: added: security
removed: rls-p-tracking
Changed in juju (Ubuntu Precise):
assignee: nobody → Clint Byrum (clint-fewbar)
milestone: precise-updates → 0.7
status: Triaged → In Progress
description: updated
Changed in juju (Ubuntu Precise):
milestone: 0.7 → none
status: In Progress → Triaged
Changed in juju:
milestone: 0.6 → 0.7
Changed in juju:
milestone: 0.7 → 0.8
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers