openstack team mailing list archive

Re: security blueprint related to os binaries

 

On Tue, May 14, 2013 at 9:25 AM, Mac Innes, Kiall <kiall@xxxxxx> wrote:

> On 14/05/13 12:02, Stanislav Pugachev wrote:
> > Hi,
> > I've added a blueprint
> > https://blueprints.launchpad.net/hacking/+spec/absolute-paths-of-os-binaries
> > Please, take a look and let's discuss it if it makes sense.
> > Thank you
> > Stas.
>
>
> Am I correct in thinking that, if the attacker is able to modify $PATH in
> the environment under which nova etc runs, you've already lost?
>

Yep.


> I would argue this is at worst a packaging bug, assuming packagers are not
> explicitly defining the $PATH variable as part of the init scripts.
>

That and the PATH that any user with the rights to run nova services and
commands -- the general best practice is to make sure that all the entries
in $PATH are absolute paths, and that nothing in $PATH is world-writable.


> P.S. the openstack-dev mailing list is generally where blueprint
> discussion happens :)
>
> Thanks,
> Kiall
>
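
The two checks named in the reply above (every $PATH entry is an absolute path, and no entry is world-writable), as an added example that is not part of the original thread. The function name `audit_path` and the output labels are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): audit a PATH-style string against the
# two rules in the reply: every entry absolute, no entry world-writable.

# audit_path PATHSTRING
# Prints one finding per line; returns 0 if clean, 1 otherwise.
# The body runs in a subshell "( ... )" so its variables do not leak.
audit_path() (
    rest="$1:"          # trailing ':' keeps a final empty entry visible
    rc=0
    while [ -n "$rest" ]; do
        entry=${rest%%:*}
        rest=${rest#*:}
        case $entry in
            "")
                # An empty entry means "current directory" to the shell.
                echo "RELATIVE: <empty entry> (resolves to current directory)"
                rc=1 ;;
            /*)
                # -H follows a symlinked entry (e.g. /bin -> usr/bin) so the
                # target's mode is tested, not the link's; -prune stops descent.
                # Sticky world-writable directories such as /tmp are still
                # flagged: any user can create a new file there.
                if [ -d "$entry" ] &&
                   [ -n "$(find -H "$entry" -prune -perm -0002 2>/dev/null)" ]; then
                    echo "WORLD-WRITABLE: $entry"
                    rc=1
                fi ;;
            *)
                echo "RELATIVE: $entry"
                rc=1 ;;
        esac
    done
    [ "$rc" -eq 0 ]
)

# Usage: audit_path "$PATH"
```

Run it as the account the service runs under, with the environment the init script actually provides, since that is the $PATH the thread is concerned with.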
