yahoo-eng-team team mailing list archive
-
yahoo-eng-team team
-
Mailing list archive
-
Message #57650
[Bug 1611171] Re: re-runs self via sudo
Reviewed: https://review.openstack.org/352866
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=87530b6e674750ab0d55b70cce4d96bf26d1f49a
Submitter: Jenkins
Branch: master
commit 87530b6e674750ab0d55b70cce4d96bf26d1f49a
Author: Markus Zoeller <mzoeller@xxxxxxxxxx>
Date: Tue Aug 9 13:55:54 2016 +0200
Don't attempt to escalate nova-manage privileges
Remove code which allowed nova-manage to attempt to escalate
privileges so that configuration files can be read by users who
normally wouldn't have access, but do have sudo access.
The privilege escalation came into nova-manage with commit e9fd01e
to solve bug 805695. That bug report didn't describe a faulty behavior
but a change request.
NOTE: This is related to change I03063d2 from Kiall Mac Innes who did
this for the "designate" project. I'm reusing the change-id from his
change to make it clear that they are related to each other.
NOTE: I removed the try-except block completely, as it doesn't make
sense to continue when we cannot read the config file (due to a wrong
path or permission errors). That's the same approach we used in the
recent "nova/cmd/policy_check" module.
https://github.com/openstack/nova/blob/master/nova/cmd/policy_check.py#L158
Co-Authored-By: Kiall Mac Innes <kiall@xxxxxxxxxxx>
Closes-Bug: 1611171
Change-Id: I03063d2af14015e6506f1b6e958f5ff219aa4a87
** Changed in: nova
Status: In Progress => Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1611171
Title:
re-runs self via sudo
Status in Cinder:
Fix Released
Status in Designate:
In Progress
Status in ec2-api:
In Progress
Status in gce-api:
In Progress
Status in Manila:
In Progress
Status in masakari:
Fix Released
Status in OpenStack Compute (nova):
Fix Released
Status in OpenStack Security Advisory:
Won't Fix
Status in Rally:
In Progress
Bug description:
Hello, I'm looking through Designate source code to determine if is
appropriate to include in Ubuntu Main. This isn't a full security
audit.
This looks like trouble:
./designate/cmd/manage.py
def main():
CONF.register_cli_opt(category_opt)
try:
utils.read_config('designate', sys.argv)
logging.setup(CONF, 'designate')
except cfg.ConfigFilesNotFoundError:
cfgfile = CONF.config_file[-1] if CONF.config_file else None
if cfgfile and not os.access(cfgfile, os.R_OK):
st = os.stat(cfgfile)
print(_("Could not read %s. Re-running with sudo") % cfgfile)
try:
os.execvp('sudo', ['sudo', '-u', '#%s' % st.st_uid] + sys.argv)
except Exception:
print(_('sudo failed, continuing as if nothing happened'))
print(_('Please re-run designate-manage as root.'))
sys.exit(2)
This is an interesting decision -- if the configuration file is _not_ readable by the user in question, give the executing user complete privileges of the user that owns the unreadable file.
I'm not a fan of hiding privilege escalation / modifications in
programs -- if a user had recently used sudo and thus had the
authentication token already stored for their terminal, this 'hidden'
use of sudo may be unexpected and unwelcome, especially since it
appears that argv from the first call leaks through to the sudo call.
Is this intentional OpenStack style? Or unexpected for you guys too?
(Feel free to make this public at your convenience.)
Thanks
To manage notifications about this bug go to:
https://bugs.launchpad.net/cinder/+bug/1611171/+subscriptions
