Comment 3 for bug 1653959

Seth Arnold (seth-arnold) wrote :

I reviewed parallax version 1.0.1-3 as checked into artful; this should
not be considered a full security audit but rather a quick gauge of
maintainability.

- No CVEs in our CVE database

- Parallax provides an API for multiple ssh use: executing commands on
  multiple hosts, copying files to and from multiple hosts.

- Build-Depends: debhelper, dh-python, python-all, python3-all
- Does not daemonize
- auto-generated python postinst scripts
- No initscripts
- No systemd unit files
- No dbus services
- No setuids
- No binaries in the path
- No sudo fragments
- No udev rules
- There's a file with tests but nothing run during the build; it feels
  like it would be hard to test
- No cron jobs
- Clean build logs

- Subprocesses are spawned as the whole point of the package; safe array
  mechanism for parameters, manages close-on-exec for its own
  file descriptors
- Files are written to as part of stdout/stderr handling, seemed safe
- Uses PARALLAX_ASKPASS_SOCKET and PARALLAX_ASKPASS_VERBOSE environment
  variables, seemed safe
- Does not itself do networking or cryptography
- No privileged portions of code
- No temporary files
- No webkit
- No js
- No policykit

Parallax seemed straightforward enough. Like many python programs, actual
error results are sometimes discarded before giving the user a generic
error message. This is annoying but not really unique to parallax.

I didn't investigate whether there are any cross-machine attacks possible --
TIOCSTI for example is a way for a terminal-driven program to drive the
terminal. I would love to hear feedback from someone about this.

Here are some notes I took when reviewing parallax in the hopes that they
are useful to someone:

- read_host_file() strips each line twice, once when reading, once when
  parsing

- askpass_main() misleading error text "Couldn't bind to %s:" but the
  failed call is sock.connect(address). In fact most useful information
  about errors in this function is discarded entirely rather than being
  presented to the user.

Security team ACK for promoting parallax to main.

Thanks
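Two of the points above (the argv-list subprocess spawn with close-on-exec handling, and the askpass error text that names the wrong call and drops the real error) are illustrated by the following added example. It is not parallax's code and does not reproduce its API; the function names, the constructed hostile argument and the non-existent socket path are assumptions made for the demonstration.

```python
"""Added example (not parallax's own code): spawning children from an argument
list rather than a shell string, keeping private file descriptors out of the
child, and attaching the real OS error to the call that actually failed."""
import socket
import subprocess
import sys
import tempfile

# Constructed sample argument containing shell metacharacters. Passed as one
# argv element it is a single literal string; only a shell would interpret it.
HOSTILE_ARG = "host1; echo injected > /tmp/x"


def run_argv(argv, pass_fds=()):
    """Run a command from an argument list (never a shell) and return stdout.
    close_fds=True (the default since Python 3.2) closes every descriptor
    above 2 in the child except those explicitly listed in pass_fds."""
    result = subprocess.run(argv, capture_output=True, text=True, check=True,
                            close_fds=True, pass_fds=tuple(pass_fds))
    return result.stdout.rstrip("\n")


def echo_argument(arg):
    """Child prints its first argument verbatim; because the argument travels
    as an argv element, the hostile string comes back byte-for-byte unchanged."""
    return run_argv([sys.executable, "-c", "import sys; print(sys.argv[1])", arg])


# Child-side probe: report whether a descriptor number refers to the parent's
# file (matched by device and inode, so a coincidental fd reuse is not counted).
_PROBE = """
import os, sys
fd, dev, ino = (int(a) for a in sys.argv[1:4])
try:
    st = os.fstat(fd)
    print('open' if (st.st_dev, st.st_ino) == (dev, ino) else 'other')
except OSError:
    print('closed')
"""


def fd_visible_in_child(fd, pass_fds=()):
    """Return True if the child can reach the parent's open file through fd."""
    import os
    st = os.fstat(fd)
    out = run_argv([sys.executable, "-c", _PROBE,
                    str(fd), str(st.st_dev), str(st.st_ino)], pass_fds=pass_fds)
    return out == "open"


def fd_leak_check():
    """Open a private file and show it is invisible to a child unless the
    parent deliberately passes it through pass_fds."""
    with tempfile.TemporaryFile() as f:
        fd = f.fileno()
        return fd_visible_in_child(fd), fd_visible_in_child(fd, pass_fds=(fd,))


def describe_connect_failure(path):
    """Try to connect to a unix socket and return (errno, message). The message
    names the operation that failed (connect, not bind), the address, and the
    OS's own error text, instead of a generic message that discards them."""
    sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        sock.connect(path)
    except OSError as exc:
        return exc.errno, f"couldn't connect to {path}: {exc.strerror}"
    finally:
        sock.close()
    return 0, f"connected to {path}"


def connect_failure_example():
    """Constructed failure: a socket path that does not exist (errno ENOENT)."""
    import os
    missing = os.path.join(tempfile.gettempdir(), "example-no-such-askpass-socket")
    return missing, describe_connect_failure(missing)


if __name__ == "__main__":
    print(echo_argument(HOSTILE_ARG))
    print(fd_leak_check())
    print(connect_failure_example()[1])
```

The descriptor probe compares device and inode rather than merely calling fstat(), so a descriptor number that happens to be reused by the child interpreter for something else is not mistaken for a leak; that is the check a reviewer would want when confirming that a program really keeps its private descriptors out of the commands it spawns.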