© 2004
Canonical Ltd.
•
Terms of use
•
Data privacy
•
Contact Launchpad Support
•
Blog
•
Careers
•
System status
•
67d34a1
(Get the code!)
I reviewed lxd version 0.18-0ubuntu2 as checked into wily. This should not
be considered a full security audit, indeed I reviewed significantly less
code than I would have liked due to time constraints.
This is a much larger codebase than I anticipated; it's much more than
"just" wrappers around lxc libraries. The vendorized code common to Go
programs also drastically contributes to the code size and it's quite
difficult to see which portions may be important to the lxd package.
Breaking apart the dependencies would help future reviews.
That said, I did read through the entire API spec (not the implementation,
sadly) and have only limited feedback to give. lxd appears to sidestep
many of the problems that have plagued OpenStack's Glance by not having
any tenants.
The simplicity in the end-user interface is amazing and frankly I wish
lxd would grow support for qemu/kvm as well. No existing VM management
system is anywhere near this elegant.
The one issue I found that I felt required a CVE was handled very well.
The shell scripts feel poorly-reviewed; shellcheck found many issues, the
most troubling are summarized below.
I think the project (and package) would benefit from a pruning phase; I
have the feeling that some things were simply re-implemented because it
was easy, or existing pieces reused because they already existed, but
dragged along their own dependencies. I think a week or two of looking at
the entire package sources with an eye towards removing what could be
removed would be a benefit to the project.
Go seems an odd choice for a systems programming language; much of its
design seems contrary to working directly with POSIX-defined interfaces.
There seemed to be a lot of code dedicated towards handling the boundaries
between the C world and the Go world and while it read much like other
interfaces (e.g. Python modules implemented in C, Erlang NIFs) it does
seem like there's a lot of ancillary code compared to application code.
Some more specific comments:
- loads of vendorized go code, needs to package dependencies, see
http://
- I'm scared of the code to automatically add admin users to lxd's
interface. It seems dangerous compared to "sudo adduser sarnold lxd ;
newgrp lxd".
- "lxc config set core.trust_password SECRET" -- this exposes password via
ps, top, etc; examples should use "lxc config edit core.trust_
instead
- idmapset.go ToLxcString() outputs a different format than parse() reads
- getFromMap() enforces UTF-8 encoding on username. How does this handle
invalid UTF-8 in /etc/subxid files? Do any other utilities enforce UTF-8
formatting of this file? Which other utilities may perform case folding?
Do they all perform UTF-8 case folding in this fashion?
- POST to /1.0/images conflates fingerprint with alias -- I think
fingerprint should always be included for integrity regardless of alias
presence or absence
- POST to /1.0/certificates has multiple conditionals with "friendly"
fallbacks. I think this is a mistake, I think the client should supply
the certificate and name without friendly fallbacks to using the current
connection's parameters.
- methods.go LinkUnitFiles() -- does this allow setting arbitrary services
to start?
- container.go Daemonize() feels very misnamed
- container.go WantDaemonize() feels very misnamed
- container.go WantCloseAllFds() error return ErrCloseAllFdsF
wrong, the call chain doesn't look like it actually tries to close
anything, and based on the boolean passed in may not even want to.
- container.go ConfigKeys() is confusing, could someone give it a re-read
and make sure it does what it's supposed to do? TestConfigKeys() isn't
very comprehensive.
Shell Issues:
- ./lxd-bridge/
mistake. Most variables used in commands need to be "" double-quoted to
force treating their expansion as a single token.
- goproxy/all.bash most variables used in commands need to be
double-quoted; *_test.go is unsafe with filenames starting with -;
should use ./*_test.go
- debian/
should just use printf directly; should use ./*.txt.list rather than
*.txt.list
- debian/lxd.postinst add_groups() uses variables that are never passed
in, please add a comment to explain what they are there for
Already raised with stgraber and hallyn:
- doUidshiftIntoC
the stat in the Filepath.Walk() function. A symbolic link created in
that window could cause any file on the system to have any mode of the
attacker's choice. This function cannot be used if any processes from
the uid ranges in question could be executing on the system.
The mode change needs to be done after dropping privileges to the target
user and group.
- container.go CreateSnapshot(), RestoreSnapshot(), DestroySnapshot(),
DestroyAllSna
Start(), Execute(), Stop(), Reboot(), Shutdown(), Destroy(),
DestroyWithAl
changes since c.makeSure() isn't called within a lock. Either the
c.makeSure() locking needs to be handled in each method or the test
should be removed: racy tests doubles the number of places that
have to handle errors.
We can support lxd in main conditional upon some concessions
from the lxd team:
- The security team will need help preparing security fixes for all
supported releases. This may come at the expense of feature development.
Additional headcount may be necessary to meet all business goals while
still providing acceptable support for supported releases.
- The security team will need help testing all updates for all supported
releases; this may include test cases, test frameworks, and infrastructure.
- The lxd team will discuss with the technical board the best way to keep
lxd updated across all supported releases; this may benefit from being
kept level across all releases similar to Firefox. This may mandate not
using new Go language features introduced in future releases until those
features are on our oldest supported releases.
- The lxd team will break apart the vendorized Go dependencies. Discuss
with the Juju team which shared dependencies, if any, should be split
apart first, and aim to have all external dependencies removed from the
lxd package before 16.04 beta. See the Golang MIR bug for full details:
https:/
Please confirm these conditions are acceptable.
Thanks