openstack team mailing list archive

Thread
Date

Re: security blueprint related to os binaries

To: Stanislav Pugachev <spugachev@xxxxxxxxxxxxxxxx>
From: Wyllys Ingersoll <Wyllys.Ingersoll@xxxxxxxxxx>
Date: Tue, 14 May 2013 10:24:38 -0600
Accept-language: en-US
Acceptlanguage: en-US
Cc: "openstack@xxxxxxxxxxxxxxxxxxx" <openstack@xxxxxxxxxxxxxxxxxxx>
In-reply-to: <CALCLnm8MmntZV0C2BRaitpnyAs5yY04Qb5CDNDFou1W_NnHAxg@mail.gmail.com>
Thread-index: Ac5Qv35O9m4J1UZ6SD+RawGvqvVHOQ==
Thread-topic: [Openstack] security blueprint related to os binaries
User-agent: Microsoft-MacOutlook/14.3.2.130206

What attack does hardcoding a path to a specific executable protect against?

On the downside, It makes the code far less portable, harder to maintain, and less flexible in the face of alternative directory structures and system configurations.

From: Stanislav Pugachev <spugachev@xxxxxxxxxxxxxxxx<mailto:spugachev@xxxxxxxxxxxxxxxx>>
Date: Tuesday, May 14, 2013 12:20 PM
To: Wyllys Ingersoll <wyllys.ingersoll@xxxxxxxxxx<mailto:wyllys.ingersoll@xxxxxxxxxx>>
Cc: "Kevin L. Mitchell" <kevin.mitchell@xxxxxxxxxxxxx<mailto:kevin.mitchell@xxxxxxxxxxxxx>>, "openstack@xxxxxxxxxxxxxxxxxxx<mailto:openstack@xxxxxxxxxxxxxxxxxxx>" <openstack@xxxxxxxxxxxxxxxxxxx<mailto:openstack@xxxxxxxxxxxxxxxxxxx>>
Subject: Re: [Openstack] security blueprint related to os binaries

from the security point of view its not so bad practice

On Tue, May 14, 2013 at 6:57 PM, Wyllys Ingersoll <Wyllys.Ingersoll@xxxxxxxxxx<mailto:Wyllys.Ingersoll@xxxxxxxxxx>> wrote:
Agree.  Hardcoding full pathnames is a bad practice in general.

On 5/14/13 11:50 AM, "Kevin L. Mitchell" <kevin.mitchell@xxxxxxxxxxxxx<mailto:kevin.mitchell@xxxxxxxxxxxxx>>
wrote:

>On Tue, 2013-05-14 at 18:38 +0300, Vasiliy Khomenko wrote:
>> Attacker can put binary in /usr/local/bin for example. on ubuntu that
>> path located before /usr/bin.
>
>If the attacker has write access to /usr/local/bin, it's already game
>over; I don't see what we can do to nova that can mitigate something
>that disastrous.
>
>--
>Kevin L. Mitchell <kevin.mitchell@xxxxxxxxxxxxx<mailto:kevin.mitchell@xxxxxxxxxxxxx>>
>
>
>_______________________________________________
>Mailing list: https://launchpad.net/~openstack
>Post to     : openstack@xxxxxxxxxxxxxxxxxxx<mailto:openstack@xxxxxxxxxxxxxxxxxxx>
>Unsubscribe : https://launchpad.net/~openstack
>More help   : https://help.launchpad.net/ListHelp

_______________________________________________
Mailing list: https://launchpad.net/~openstack
Post to     : openstack@xxxxxxxxxxxxxxxxxxx<mailto:openstack@xxxxxxxxxxxxxxxxxxx>
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp

References

Re: security blueprint related to os binaries
From: Stanislav Pugachev, 2013-05-14