add explicit egress 'owner' rule on non-bootstrapping nodes to require root access to zookeeper

Bug #966577 reported by Jamie Strandboge
Affects                 Status        Importance  Assigned to
pyjuju                  In Progress   High        Clint Byrum
juju (Ubuntu)           Triaged       High        Unassigned
juju (Ubuntu Precise)   Won't Fix     High        Clint Byrum

Bug Description

This is a tracking bug for a dependency of the juju MIR (bug #912861).

In summary: The security of the ZooKeeper on node 0 is critical. Even with full ACLs this pins all of the security of the local host onto one set of credentials. Users do not need to access ZooKeeper at all. An iptables rule must be added as a line of defense against privilege escalation by requiring that only root owned processes be allowed to access ZooKeeper.
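The rule the description asks for, as an added example that is not juju's own code: an egress (OUTPUT chain) rule set using the iptables `owner` match so that only root-owned processes on the node can open TCP connections to ZooKeeper, with everything else rejected. It assumes ZooKeeper is listening on its default client port 2181 (override with `ZK_PORT`) and that the node uses legacy iptables; the `-m owner` match only applies to locally generated packets, which is exactly why this belongs in OUTPUT rather than INPUT. The rule text is generated by a function so it can be reviewed without root before `zk_apply_rules` runs it.

```shell
#!/bin/sh
# Added example, not juju's own code. Restricts egress to the ZooKeeper
# client port to root-owned processes via the iptables owner match.
# Assumptions: ZooKeeper default client port 2181; legacy iptables.

ZK_PORT="${ZK_PORT:-2181}"

# Print the rules for a port and an optional ZooKeeper host instead of
# applying them, so the set can be inspected or tested unprivileged.
zk_egress_rules() {
    port="$1"
    dest="${2:-}"
    dst_match=""
    if [ -n "$dest" ]; then
        dst_match="-d $dest "
    fi
    # 1. Processes owned by uid 0 (root) may reach ZooKeeper.
    printf 'iptables -A OUTPUT %s-p tcp --dport %s -m owner --uid-owner 0 -j ACCEPT\n' \
        "$dst_match" "$port"
    # 2. Every other local process gets an immediate TCP reset. Order
    #    matters: the ACCEPT above must come before this catch-all.
    printf 'iptables -A OUTPUT %s-p tcp --dport %s -j REJECT --reject-with tcp-reset\n' \
        "$dst_match" "$port"
}

# Apply the rules on this host (requires root). Optional argument: the
# ZooKeeper host, to scope the rules to one destination.
zk_apply_rules() {
    zk_egress_rules "$ZK_PORT" "${1:-}" | sh
}

# Health check: is the root-only ACCEPT rule present in OUTPUT?
zk_rules_present() {
    iptables -S OUTPUT | grep -q -- "--dport ${ZK_PORT} .*uid-owner"
}
```

Passing a destination (`zk_apply_rules 10.0.0.1`, a constructed address) narrows the rules to the ZooKeeper host so unrelated services on port 2181 elsewhere are not affected; without it the rules cover the port on every destination, which is the safer default when the ZooKeeper address is not yet known.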

Tags: security

Changed in juju (Ubuntu Precise):
importance: Undecided → High
Changed in juju (Ubuntu Precise):
milestone: ubuntu-12.04 → ubuntu-12.04.1
Changed in juju (Ubuntu):
milestone: ubuntu-12.04 → none
Changed in juju:
status: New → Triaged
importance: Undecided → High
milestone: none → honolulu
James Page (james-page)
Changed in juju (Ubuntu Precise):
milestone: ubuntu-12.04.1 → precise-updates
Clint Byrum (clint-fewbar) wrote :

Note that the suggested fix will be less important once bug #821074 is fixed.

Changed in juju:
status: Triaged → In Progress
assignee: nobody → Clint Byrum (clint-fewbar)
tags: added: security
removed: rls-p-tracking
Changed in juju (Ubuntu Precise):
assignee: nobody → Clint Byrum (clint-fewbar)
milestone: precise-updates → 0.7
status: Triaged → In Progress
description: updated
Changed in juju (Ubuntu Precise):
milestone: 0.7 → none
status: In Progress → Triaged
Changed in juju:
milestone: 0.6 → 0.7
Changed in juju:
milestone: 0.7 → 0.8
Steve Langasek (vorlon) wrote :

The Precise Pangolin has reached end of life, so this bug will not be fixed for that release.

Changed in juju (Ubuntu Precise):
status: Triaged → Won't Fix