openstack team mailing list archive
Message #14081
Re: How do I stop image-create from using /tmp?
On Tue, Jul 03, 2012, Daniel P. Berrange <berrange@xxxxxxxxxx> wrote:
> > It seems to me that we're just as likely to have a review slip through
> > that uses /tmp insecurely as a review slipping through that uses /tmp at
> > all.
>
> We already run a bunch of PEP8 checks across the code on every
> commit. It ought to be within the realm of practicality to add a
> rule that blacklists any use of mkdtemp() which does not pass
> an explicit directory. Most places in Nova don't actually use
> it directly, but instead call nova.utils.tempdir() which could
> again be made to default to '/var/lib/nova/tmp' or equivalent.
As a recap, the security problem with /tmp is that developers make
mistakes and use it incorrectly, and reviewers also make mistakes and
don't always catch the developer mistakes.
I don't necessarily disagree with that.
I do disagree that fixing the problem is to believe that a PEP8-style
check can ensure that every possible way to use /tmp incorrectly is
caught.
You're effectively trying to solve the halting problem.
You can probably catch most incorrect uses, but I don't want to be the
person to argue that we can catch most of the problem.
> > Since we can't trust developers to use /tmp securely, or avoid using
> > /tmp at all, then why not use filesystem namespaces to setup a process
> > specific non-shared /tmp?
>
> That is possible, but I simply disagree with your point that we
> can't stop using /tmp. It is entirely possible to stop using it
> IMHO.
It's impossible to stop using /tmp:
A) People will continue submitting code that uses /tmp and since
reviewers make mistakes, those will make it through the review
process
B) It's not possible to write a program that analyzes another program to
reliably ensure it doesn't use /tmp at all
If that's the case, then just making sure that all uses of /tmp are safe
will solve the problem.
Filesystem namespaces can do that by bind mounting /tmp to somewhere not
shared, and thusly safe.
Not to mention that any policy that requires not using /tmp will make
more work for reviewers. Being a nova-core reviewer has shown that people
all too often don't read HACKING or other documentation.
I don't think fighting human nature will be effective. I do think moving
humans into an area where their innate nature won't hurt themselves will
be much more effective.
JE
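The PEP8-style rule Daniel proposes above (flag any tempfile call that does not pass an explicit directory) is easy to sketch as an AST check, which also makes JE's counterpoint concrete: the check only sees the call sites it knows about. The code below is an added example written for this thread, not code from Nova or from either poster; the sample source it scans is constructed, and the checker only recognizes direct uses of the standard `tempfile` module (a project wrapper such as `nova.utils.tempdir()` would need its own rule).

```python
"""Minimal AST lint: flag tempfile calls without an explicit dir= and hard-coded /tmp paths."""
import ast
from dataclasses import dataclass

# tempfile entry points whose default location is the shared temp dir
TEMPFILE_FUNCS = {
    "mkdtemp", "mkstemp", "mktemp", "TemporaryDirectory",
    "NamedTemporaryFile", "TemporaryFile", "SpooledTemporaryFile",
}
# position of the `dir` parameter when it is passed positionally
POSITIONAL_DIR_INDEX = {
    "mkdtemp": 2, "mkstemp": 2, "mktemp": 2, "TemporaryDirectory": 2,
    "NamedTemporaryFile": 6, "TemporaryFile": 6, "SpooledTemporaryFile": 7,
}


@dataclass
class Finding:
    lineno: int
    message: str


class TmpUsageChecker(ast.NodeVisitor):
    def __init__(self):
        self.findings = []
        self.module_aliases = set()   # names bound to the tempfile module
        self.func_aliases = {}        # local name -> tempfile function name

    def visit_Import(self, node):
        for alias in node.names:
            if alias.name == "tempfile":
                self.module_aliases.add(alias.asname or "tempfile")
        self.generic_visit(node)

    def visit_ImportFrom(self, node):
        if node.module == "tempfile":
            for alias in node.names:
                if alias.name in TEMPFILE_FUNCS:
                    self.func_aliases[alias.asname or alias.name] = alias.name
        self.generic_visit(node)

    def _tempfile_func(self, func):
        """Return the canonical tempfile function name for a call target, or None."""
        if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
            if func.value.id in self.module_aliases and func.attr in TEMPFILE_FUNCS:
                return func.attr
        if isinstance(func, ast.Name):
            return self.func_aliases.get(func.id)
        return None

    def visit_Call(self, node):
        name = self._tempfile_func(node.func)
        if name is not None:
            has_dir = any(kw.arg == "dir" for kw in node.keywords)
            if len(node.args) > POSITIONAL_DIR_INDEX[name]:
                has_dir = True
            if not has_dir:
                self.findings.append(Finding(
                    node.lineno,
                    f"{name}() called without an explicit dir= argument "
                    "(falls back to the shared system temp dir)"))
        self.generic_visit(node)

    def visit_Constant(self, node):
        # string literals naming /tmp directly defeat the purpose of dir=
        value = node.value
        if isinstance(value, str) and (value == "/tmp" or value.startswith("/tmp/")):
            self.findings.append(Finding(node.lineno, f"hard-coded path under /tmp: {value!r}"))
        self.generic_visit(node)


def check_source(source, filename="<string>"):
    """Parse Python source and return findings sorted by line number."""
    checker = TmpUsageChecker()
    checker.visit(ast.parse(source, filename))
    return sorted(checker.findings, key=lambda f: f.lineno)


# Constructed sample input: two unsafe temp dirs, one hard-coded path, one clean call.
SAMPLE = """\
import tempfile
from tempfile import mkdtemp as make_dir

def bad_1():
    return tempfile.mkdtemp()

def bad_2():
    return make_dir(prefix="img-")

def bad_3(name):
    return "/tmp/" + name

def good(workdir):
    return tempfile.mkdtemp(dir=workdir)
"""

if __name__ == "__main__":
    for finding in check_source(SAMPLE, "sample.py"):
        print(f"sample.py:{finding.lineno}: {finding.message}")
```

Running it reports lines 5, 8 and 11 of the sample and passes line 14. The blind spots are exactly the ones the thread argues about: a wrapper function, a dynamically built path, or `os.environ["TMPDIR"]` all slip past this rule, which is why the namespace-based private /tmp is a useful backstop even with the lint in place.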