yahoo-eng-team team mailing list archive

Thread
Date

[Bug 1700501] Re: Insecure rootwrap usage

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: Goutham Pacha Ravi <gouthampravi@xxxxxxxxx>
Date: Wed, 06 May 2020 15:53:50 -0000
Reply-to: Bug 1700501 <1700501@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

In Manila, we've discussed migrating off of rootwrap, to privsep - and
are yet to find an owner to complete that work. We'll hopefully do that
soon. However, I agree this bug is wide open. We'll use a different
tracker to call out the tasks to deprecate the usage of rootwrap.

** Changed in: manila
       Status: Incomplete => Invalid

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1700501

Title:
  Insecure rootwrap usage

Status in Cinder:
  New
Status in OpenStack Shared File Systems Service (Manila):
  Invalid
Status in OpenStack Compute (nova):
  Incomplete
Status in OpenStack Security Advisory:
  Won't Fix

Bug description:
  Reported by Benjamin Deuter of SUSE:

  Some rootwrap filters are too permissive and allow privilege
  escalation from service user, as explained here:

  https://security.openstack.org/guidelines/dg_use-oslo-rootwrap-
  securely.html#incorrect

  For example this shouldn't be authorized:

  sudo nova-rootwrap /etc/nova/rootwrap.conf chmod 777 /etc/shadow

To manage notifications about this bug go to:
https://bugs.launchpad.net/cinder/+bug/1700501/+subscriptions