On Tue, Jul 03, 2012, Daniel P. Berrange <berra...@redhat.com> wrote:
> > It seems to me that we're just as likely to have a review slip through
> > that uses /tmp insecurely as a review slipping through that uses /tmp at
> > all.
>
> We already run a bunch of PEP8 checks across the code on every
> commit. It ought to be within the realm of practicality to add a
> rule that blacklists any use of mkdtemp() which does not pass
> an explicit directory. Most places in Nova don't actually use
> it directly, but instead call nova.utils.tempdir() which could
> again be made to default to '/var/lib/nova/tmp' or equivalent.
As a recap, the security problem with /tmp is that developers make mistakes and use it incorrectly, and reviewers also make mistakes and don't always catch the developer mistakes. I don't necessarily disagree with that. I do disagree that fixing the problem is to believe that a PEP8-style check can ensure that every possible way to use /tmp incorrectly is caught. You're effectively trying to solve the halting problem. You can probably catch most incorrect uses, but I don't want to be the person to argue that we can catch most of the problem.

> > Since we can't trust developers to use /tmp securely, or avoid using
> > /tmp at all, then why not use filesystem namespaces to set up a process
> > specific non-shared /tmp?
>
> That is possible, but I simply disagree with your point that we
> can't stop using /tmp. It is entirely possible to stop using it
> IMHO.

It's impossible to stop using /tmp:

A) People will continue submitting code that uses /tmp and since reviewers make mistakes, those will make it through the review process

B) It's not possible to write a program that analyzes another program to reliably ensure it doesn't use /tmp at all

If that's the case, then just making sure that all uses of /tmp are safe will solve the problem. Filesystem namespaces can do that by bind mounting /tmp to somewhere not shared, and thusly safe.

Not to mention that any policy that requires not using /tmp will make more work for reviewers. Being a nova-core reviewer has shown that people all too often don't read HACKING or other documentation.

I don't think fighting human nature will be effective. I do think moving humans into an area where their innate nature won't hurt themselves will be much more effective.

JE

Mailing list: https://launchpad.net/~openstack
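The "mkdtemp() without an explicit directory" rule Daniel proposes, as an added illustration written for this page (it is not Nova's hacking check and not code from the thread): an AST pass that flags tempfile calls with no dir argument or with a dir literal under /tmp, and lets through a dir it cannot evaluate, which is the gap the reply points at. The function names and the sample module are hypothetical.

```python
import ast

# Constructed illustration of the "mkdtemp() without an explicit directory"
# rule from the thread. Names here are hypothetical, not Nova's hacking checks.

# Positional index of the dir parameter for each tempfile API.
DIR_POSITION = {"mkdtemp": 2, "mkstemp": 2,
                "NamedTemporaryFile": 6, "TemporaryFile": 6}

def _dir_argument(call):
    """Return the AST node passed as dir, or None if it was omitted."""
    for kw in call.keywords:
        if kw.arg == "dir":
            return kw.value
    pos = DIR_POSITION[call.func.attr]
    return call.args[pos] if len(call.args) > pos else None

def check_tempfile_usage(source):
    """Return (lineno, reason) for tempfile calls that land in shared /tmp."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        f = getattr(node, "func", None)
        if not (isinstance(node, ast.Call) and isinstance(f, ast.Attribute)
                and isinstance(f.value, ast.Name) and f.value.id == "tempfile"
                and f.attr in DIR_POSITION):
            continue
        d = _dir_argument(node)
        if d is None:
            findings.append((node.lineno, "%s() without dir=" % f.attr))
        elif (isinstance(d, ast.Constant) and isinstance(d.value, str)
              and (d.value == "/tmp" or d.value.startswith("/tmp/"))):
            findings.append((node.lineno, "%s() explicitly under /tmp" % f.attr))
        # A dir computed at runtime (variable, call result) is accepted: the
        # checker cannot know its value, which is the gap the reply raises.
    return findings

# Constructed sample module exercising the three cases.
SAMPLE = """\
import tempfile
path = tempfile.mkdtemp()                     # line 2: no dir, lands in /tmp
fd, name = tempfile.mkstemp(dir='/tmp/nova')  # line 3: still shared /tmp
base = get_tmpdir()
other = tempfile.mkdtemp(dir=base)            # line 5: unknown, passes
"""

if __name__ == "__main__":
    for lineno, reason in check_tempfile_usage(SAMPLE):
        print("%d: %s" % (lineno, reason))
```

The third case is the limitation the reply is getting at: a directory chosen at runtime may still be /tmp, and a static rule cannot tell.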