← Back to team overview

yahoo-eng-team team mailing list archive

[Bug 1669610] Re: Insecure defaults for `openstack security group rule create`

 

[Expired for neutron because there has been no activity for 60 days.]

** Changed in: neutron
       Status: Incomplete => Expired

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1669610

Title:
  Insecure defaults for `openstack security group rule create`

Status in neutron:
  Expired
Status in python-openstackclient:
  Incomplete

Bug description:
  It's really easy to open up access to anyone by mistake. If you supply
  no options when creating a new rule, it defaults to allowing access to
  all ports to any remote host.

  I'm not sure what the right fix is, but I would expect that sort of
  permissive access to be a bit harder to create.

  
  # allow anyone to access any tcp port - so simple!
  $ openstack security group rule create default 
  +-------------------+--------------------------------------+
  | Field             | Value                                |
  +-------------------+--------------------------------------+
  | created_at        | None                                 |
  | description       | None                                 |
  | direction         | ingress                              |
  | ether_type        | IPv4                                 |
  | id                | 7d481fad-9b57-4e71-9d63-fbba895e1a6c |
  | name              | None                                 |
  | port_range_max    | None                                 |
  | port_range_min    | None                                 |
  | project_id        | c6f313e10752449ea9b70acfba353c80     |
  | protocol          | tcp                                  |
  | remote_group_id   | None                                 |
  | remote_ip_prefix  | 0.0.0.0/0                            |
  | revision_number   | None                                 |
  | security_group_id | a5fbd65f-e4da-47d3-90cb-8dfc81eccd66 |
  | updated_at        | None                                 |
  +-------------------+--------------------------------------+

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1669610/+subscriptions