[MIR] parallax, dependency of crmsh

Bug #1653959 reported by Matthias Klose on 2017-01-04
Affects Status Importance Assigned to Milestone
parallax (Ubuntu)
Undecided
Unassigned

Bug Description

[Availability]

In universe; Architecture: all.

[Rationale]

Dependency for crmsh, part of our HA stack. parallax is needed for commands like 'crm cluster health' to work.

[Security]

No security history. It looks like parallax wraps the openssh client, so I don't think it is particularly security sensitive. It might be worth asking the security team to decline a security review anyway though.

[Quality assurance]

parallax is a Python API wrapper for ssh; users don't use it directly. Both Python 2 and Python 3 modules are shipped. No debconf questions. No open bugs in Debian, Ubuntu or upstream. No sign of any non-maintenance in Debian (just a few upstream releases). No relation to exotic hardware.

Packaging does arrange for some tests to run automatically on build. It misses the one test that does exist. However, that test requires an ssh-able host, and we have no mechanism to set that up currently. Nesting an lxd container inside the autopkgtest environment might be something we could do, but it'd be Ubuntu only (lxd is not in Debian yet; still at ITP stage in Debian bug 768073). I'm not sure we've done this before, or to what extent our autopkgtest infrastructure will work for this. Please let me know if you think it's needed.

debian/watch file connects to PyPI as expected.

[UI standards]

parallax provides an API only, so N/A.

[Dependencies]

None, except for Python. It should depend on openssh-client. I filed http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=854722 but don't think it's worth an Ubuntu delta over (openssh is recommended in Ubuntu's standard seed).

[Standards compliance]

Appears FHS compliant (trivial; it's a Python module built using dh-python). lintian clean except for debian-watch-may-check-gpg-signature. I don't believe there's a solution for this in PyPI at the moment, or at least upstream don't currently provide a signature.

[Maintenance]

~ubuntu-server has subscribed to this package. I think this also falls under "simple packages" from the MIR requirements.

[Background information]

ssh support used to be provided via the pssh package in crmsh before 2.2. Since 2.2, it has been provided via python-parallax instead. The upstream change for this was https://github.com/ClusterLabs/crmsh/commit/1698e42f5408adc553000616e1804294a7f61965.

Historically, crmsh never declared any Depends, Recommends or Suggests on pssh or on python-parallax. pssh has always been in universe, as is python-parallax.

According to https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=819545, "crm cluster health" requires ssh support. In response to this Debian added a dependency on python-parallax. I don't know when "crm cluster health" first appeared upstream, or if it has always been present, or whether Debian never worked with "crm cluster health" until that bug was resolved.

I don't think it'd be a regression upon what was already published to not depend on python-parallax, since "crm cluster health" would still have needed pssh previously (AFAICT). But we want "crm cluster health" to work, hence this MIR.

Matthias Klose (doko) on 2017-01-04
Changed in parallax (Ubuntu):
assignee: nobody → Ubuntu Server Team (ubuntu-server)
Robie Basak (racb) on 2017-02-09
description: updated
Jon Grimm (jgrimm) wrote :

+1 for server team maintenance. I've subscribed Ubuntu Server correspondingly.

Robie Basak (racb) on 2017-02-09
description: updated
Changed in parallax (Ubuntu):
status: Incomplete → New
description: updated
description: updated
Michael Terry (mterry) wrote :

Passing to security team like you said, just to verify that this actually doesn't need a pass. Better safe than sorry.

Changed in parallax (Ubuntu):
assignee: Ubuntu Server Team (ubuntu-server) → Ubuntu Security Team (ubuntu-security)
Seth Arnold (seth-arnold) wrote :

I reviewed parallax version 1.0.1-3 as checked into artful; this should
not be considered a full security audit but rather a quick gauge of
maintainability.

- No CVEs in our CVE database

- Parallax provides an API for multiple ssh use: executing commands on
  multiple hosts, copying files to and from multiple hosts.

- Build-Depends: debhelper, dh-python, python-all, python3-all
- Does not daemonize
- auto-generated python postinst scripts
- No initscripts
- No systemd unit files
- No dbus services
- No setuids
- No binaries in the path
- No sudo fragments
- No udev rules
- There's a file with tests but nothing run during the build; it feels
  like it would be hard to test
- No cron jobs
- Clean build logs

- Subprocesses are spawned as the whole point of the package; safe array
  mechanism for parameters, manages close-on-exec for its own
  filedescriptors
- Files are written to as part of stdout/stderr handling, seemed safe
- Uses PARALLAX_ASKPASS_SOCKET and PARALLAX_ASKPASS_VERBOSE environment
  variables, seemed safe
- Does not itself do networking or cryptography
- No privileged portions of code
- No temporary files
- No webkit
- No js
- No policykit

Parallax seemed straightforward enough. Like many Python programs, actual
error results are sometimes discarded before giving the user a generic
error message. This is annoying but not really unique to parallax.

I didn't investigate if there's any cross-machine attacks possible --
TIOCSTI for example is a way for a terminal-driven program to drive the
terminal. I would love to hear feedback from someone about this.

Here's some notes I took when reviewing parallax in the hopes that they
are useful to someone:

- read_host_file() strips each line twice, once when reading, once when
  parsing

- askpass_main() misleading error text "Couldn't bind to %s:" but the
  failed call is sock.connect(address). In fact most useful information
  about errors in this function is discarded entirely rather than being
  presented to the user.

Security team ACK for promoting parallax to main.

Thanks

Changed in parallax (Ubuntu):
assignee: Ubuntu Security Team (ubuntu-security) → nobody
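The review above checks three properties of an ssh fan-out wrapper: that subprocesses are spawned through an argv list rather than a shell, that file descriptors are closed on exec, and that the host file is parsed cleanly (the review notes read_host_file() strips each line twice). The following is an added illustration of those properties in a minimal wrapper; it is not parallax's own code, and the host-file format (one `host[:port]` per line, `#` comments), the `ssh` options chosen and the `echo` stand-in used to run it offline are assumptions of this example.

```python
"""Minimal ssh fan-out wrapper (added example, not parallax code).

Demonstrates the review points from the security comment:
  * argv-list spawning with no local shell involved,
  * close-on-exec handled for the parent's own descriptors,
  * each host-file line stripped exactly once.
"""
import shlex
import subprocess
from typing import Dict, List, Sequence


def parse_host_file(text: str) -> List[str]:
    """Parse an assumed pssh-style host file: one 'host' or 'host:port' per line.

    '#' starts a comment; blank lines are ignored.  Each line is stripped
    once, here, and never again downstream.
    """
    hosts: List[str] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            hosts.append(line)
    return hosts


def build_ssh_argv(host: str, command: Sequence[str], ssh: str = "ssh") -> List[str]:
    """Build the local argv for one host.

    Locally nothing passes through a shell: every element is a separate
    argv entry.  Only the remote command is joined, with shlex.join so each
    remote argument is quoted for the remote shell.  '--' ends option
    parsing so a host name beginning with '-' cannot be read as an option.
    (Assumption: 'host:port' only; IPv6 literals are not handled here.)
    """
    name, _, port = host.partition(":")
    argv = [ssh, "-o", "BatchMode=yes", "-o", "StrictHostKeyChecking=yes"]
    if port:
        argv += ["-p", port]
    argv += [name, "--", shlex.join(command)]
    return argv


def run_on_hosts(
    hosts: Sequence[str],
    command: Sequence[str],
    ssh: str = "ssh",
    timeout: float = 30.0,
) -> Dict[str, subprocess.CompletedProcess]:
    """Run `command` on every host and return the CompletedProcess per host.

    close_fds=True (the Python 3 default, stated explicitly) marks the
    parent's other descriptors close-on-exec so the ssh child inherits only
    its stdio; stdin is /dev/null so a prompt can never hang the run.
    OSError from the spawn itself is re-raised with the host attached rather
    than being swallowed behind a generic message.
    """
    results: Dict[str, subprocess.CompletedProcess] = {}
    for host in hosts:
        argv = build_ssh_argv(host, command, ssh)
        try:
            results[host] = subprocess.run(
                argv,
                stdin=subprocess.DEVNULL,
                capture_output=True,
                text=True,
                timeout=timeout,
                close_fds=True,
            )
        except OSError as exc:
            raise RuntimeError(f"{host}: cannot spawn {argv[0]!r}: {exc}") from exc
    return results


if __name__ == "__main__":
    # Constructed host file; 'echo' stands in for ssh so this runs offline
    # and simply prints the argv that would have been passed to ssh.
    HOST_FILE = "node1  # primary\n\nnode2:2222\n"
    for host, proc in run_on_hosts(parse_host_file(HOST_FILE),
                                   ["uptime", "-p"], ssh="echo").items():
        print(f"{host}: rc={proc.returncode} argv={proc.stdout.strip()}")
```

Replacing `ssh="echo"` with the real client exercises the same code path; the point of the stand-in is that the argv shape can be checked without an ssh-able host, which is exactly what the MIR text says the package's own test cannot do in autopkgtest today.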
Matthias Klose (doko) wrote :

Override component to main
parallax 1.0.1-3 in artful: universe/misc -> main
python-parallax 1.0.1-3 in artful amd64: universe/python/optional/100% -> main
python-parallax 1.0.1-3 in artful arm64: universe/python/optional/100% -> main
python-parallax 1.0.1-3 in artful armhf: universe/python/optional/100% -> main
python-parallax 1.0.1-3 in artful i386: universe/python/optional/100% -> main
python-parallax 1.0.1-3 in artful ppc64el: universe/python/optional/100% -> main
python-parallax 1.0.1-3 in artful s390x: universe/python/optional/100% -> main
python3-parallax 1.0.1-3 in artful amd64: universe/python/optional/100% -> main
python3-parallax 1.0.1-3 in artful arm64: universe/python/optional/100% -> main
python3-parallax 1.0.1-3 in artful armhf: universe/python/optional/100% -> main
python3-parallax 1.0.1-3 in artful i386: universe/python/optional/100% -> main
python3-parallax 1.0.1-3 in artful ppc64el: universe/python/optional/100% -> main
python3-parallax 1.0.1-3 in artful s390x: universe/python/optional/100% -> main
13 publications overridden.

Changed in parallax (Ubuntu):
status: New → Fix Released