yahoo-eng-team team mailing list archive
-
yahoo-eng-team team
-
Mailing list archive
-
Message #33736
[Bug 1414530] Re: cwd might be set incorrectly when exceptions are thrown
Fixed in:
https://review.openstack.org/#/c/155847/
** Changed in: oslo.concurrency
Status: In Progress => Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1414530
Title:
cwd might be set incorrectly when exceptions are thrown
Status in OpenStack Compute (Nova):
Fix Released
Status in Oslo Concurrency Library:
Fix Released
Bug description:
CWD might be set incorrectly when exceptions are thrown
The call to utils.execute ends up in /opt/stack/nova/nova/utils.py which
ultimately calls processutils.execute() in the oslo_concurrency module.
If there's an error when executing the command which calls an bash script
then an exception ProcessExecutionError will be raised at #1. This means that
the code at #2 will never be reached resulting in the Exception being propagated
up to the call-stack but now one is still stuck with the wrong working
directory which can lead to problems. One should catch the Exception and make sure
that in all cases the working directory is reset to the original one.
/opt/stack/nova/nova/crypto.py
def ensure_ca_filesystem():
"""Ensure the CA filesystem exists."""
ca_dir = ca_folder()
if not os.path.exists(ca_path()):
genrootca_sh_path = os.path.abspath(
os.path.join(os.path.dirname(__file__), 'CA',
'genrootca.sh'))
start = os.getcwd()
fileutils.ensure_tree(ca_dir)
os.chdir(ca_dir)
utils.execute("sh", genrootca_sh_path) <--- #1
os.chdir(start) <--- #2
One can see in
https://github.com/openstack/oslo.concurrency/blob/master/oslo_concurrency/processutils.py
that this Exception can indeed be thrown.
Analogously there's a similar issue also in the aforementioned file in
_ensure_project_folder.
def _ensure_project_folder(project_id):
if not os.path.exists(ca_path(project_id)):
geninter_sh_path = os.path.abspath(
os.path.join(os.path.dirname(__file__), 'CA',
'geninter.sh'))
start = os.getcwd()
os.chdir(ca_folder())
utils.execute('sh', geninter_sh_path, project_id,
_project_cert_subject(project_id))
os.chdir(start)
I'm not sure whether this has a potential security vulnerability impact or not. The potential risk is definitely there but it remains to be seen whether an attacker can actually reliably trigger this and then possibly gain something else by having a different working directory. That's why I didn't tag it as a security bug.
To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1414530/+subscriptions
References
