© 2004
Canonical Ltd.
•
Terms of use
•
Data privacy
•
Contact Launchpad Support
•
Blog
•
Careers
•
System status
•
0e1f616
(Get the code!)
I reviewed targetcli-fb 1:2.1.51-0ubuntu1 as checked into focal. This
shouldn't be considered a full audit but rather a quick gauge of
maintainability.
targetcli-fb is a python package for configuring and managing the LIO
(Linux IO) generic SCSI target.
- CVE History:
- None
- Build-Depends
- No security sensitive build-depends:
- debhelper, dh-python, python3-all, python3-
python3-gi, python3-rtslib-fb, python3-setuptools, python3-six
- pre/post inst/rm scripts
- only auto-generated ones from dh_python3/
- No init scripts
- 1 systemd unit for the targetclid daemon
- No dbus services
- No setuid binaries
- binaries in PATH
- /usr/bin/targetcli
- /usr/bin/targetclid
- No sudo fragments
- No polkit files
- No udev rules
- No autopkgtests or unit tests
- This makes it very difficult for the security team to ensure any
possible security updates do not introduce regressions
- No cron jobs
- Build logs:
- No significant errors / warnings
- No processes spawned
- Memory management is python
- File IO
- /var/run/
connect to it and there is no authentication done on the user who is
interacting with targetclid via this socket - as such an unprivileged
user can connect to it and send commands to targetclid which will
execute them with no privilege checks. This is likely a security
vulnerability. The permissions on this socket path should be explicitly
set so that this is only writable by owner/group and not others,
ie. 660 rather than the current 666. Since this is generally created by
systemd, adding SocketMode=0660 to the targetclid.socket systemd unit
should be sufficient. This has been reported upstream at
https:/
- targetclid uses the hardcoded file-path /tmp/data.txt for handling
interaction with clients - this is a potential security vulnerability
since if a client creates a symlink at /tmp/data.txt to some root owned
file, targetclid would write it's own data to that target file - I
notice this has already been fixed upstream via
https:/
https:/
and so this should be patched to avoid any possible security issue as a
result
- Also uses hard-coded path to /var/run/
- Uses the config file ~/.targetcli
- saveconfig commands allows to specify any resulting filename so can be
used to overwrite arbitrary files on the system - as such there should
probably be stricter checks on the target filename OR that targetcli
can only ever be run as a regular user (the current location of the )
- restoreconfig command will read from any specified config file without
checking ownership etc so again any client to targetclid should be
considered trusted
- Logging
- Is via ConfigShell (from python-
- Environment variable usage
- targetclid uses TARGETCLI_HOME to override path of ~/.targetcli and
LISTEN_PID to support systemd-based socket activation - since the
targetcli client first tries to create the lock file when launched, and
this is only writable by root hence targetcli must be run as root
anyway so this can't really be abused
- No use of privileged functions
- No use of cryptography / random number sources etc
- Use of temp files
- See above comment about /tmp/data.txt - this should be resolved before
being promoted to main
- No use of networking
- No use of WebKit
- No use of PolicyKit
- No significant cppcheck results
- Unknown if any significant Coverity results (waiting on Coverity license
renewal)
- No significant shellcheck results
- No significant bandit results
As mentioned above, SocketMode should likely be specified in the systemd
socket unit (waiting on upstream to respond to the bug report). Also the
targetcli client checks whether it is running as root and if not
potentially disables some commands - this is not sufficient to stop
targetclid running privileged commands on behalf of a client - instead,
targetclid should check the rights of a client via `SCM_CREDENTIALS` so
that it cannot be tricked into performing operations on behalf of an
unprivileged user - reported upstream as
https:/
Security team NACK for promoting targetcli-fb to main for now due to these
two potential security issues. If at least the socket permissions can be
fixed this should mitigate the impact of the second issue (permission check
in the client) - however, ideally the daemon would be stricter on checking
permissions of clients as well and in that case I would be a bit happier to
ACK this.