| 2016-09-28 02:56:06 |
Seth Arnold |
bug |
|
|
added bug |
| 2016-09-29 23:37:16 |
Seth Arnold |
bug |
|
|
added subscriber OpenStack Vulnerability Management team |
| 2016-09-30 00:26:11 |
Tristan Cacqueray |
bug task added |
|
ossa |
|
| 2016-09-30 00:26:26 |
Tristan Cacqueray |
ossa: status |
New |
Incomplete |
|
| 2016-09-30 00:26:50 |
Tristan Cacqueray |
bug |
|
|
added subscriber Oslo Core security contacts |
| 2016-09-30 00:27:15 |
Tristan Cacqueray |
description |
Hello, I'm conducting a super-quick review of oslo.privsep as part of the
Ubuntu Main Inclusion process.
I noticed a few odd things with some of the privilege dropping code that
may or may not represent bugs:
def _drop_privs(self):
try:
# Keep current capabilities across setuid away from root.
capabilities.set_keepcaps(True)
if self.group is not None:
try:
os.setgroups([])
except OSError:
msg = _('Failed to remove supplemental groups')
LOG.critical(msg)
raise FailedToDropPrivileges(msg)
if self.user is not None:
setuid(self.user)
if self.group is not None:
setgid(self.group)
finally:
capabilities.set_keepcaps(False)
First, if the transition is to a non-root user, the only setgid()
transitions that will work are to the real group ID or saved set-group-ID.
If the setgid() and setuid() lines are swapped, all group IDs will work.
Is this intentional?
Second, I don't understand why supplementary groups aren't dropped always.
The 'is not None' check doesn't make sense to me. Why not drop the
supplementary groups unconditionally?
Third, and most troubling, the setuid() and setgid() functions throw
exceptions when they fail but this function ignores all exceptions. These
calls can fail and when they do, it can have catastrophic consequences.
The error returns from the system calls must be checked. Does oslo.privsep
die properly when these functions fail?
Thanks |
This issue is being treated as a potential security risk under embargo. Please do not make any public mention of embargoed (private) security vulnerabilities before their coordinated publication by the OpenStack Vulnerability Management Team in the form of an official OpenStack Security Advisory. This includes discussion of the bug or associated fixes in public forums such as mailing lists, code review systems and bug trackers. Please also avoid private disclosure to other individuals not already approved for access to this information, and provide this same reminder to those who are made aware of the issue prior to publication. All discussion should remain confined to this private bug report, and any proposed fixes should be added to the bug as attachments.
--
Hello, I'm conducting a super-quick review of oslo.privsep as part of the
Ubuntu Main Inclusion process.
I noticed a few odd things with some of the privilege dropping code that
may or may not represent bugs:
def _drop_privs(self):
try:
# Keep current capabilities across setuid away from root.
capabilities.set_keepcaps(True)
if self.group is not None:
try:
os.setgroups([])
except OSError:
msg = _('Failed to remove supplemental groups')
LOG.critical(msg)
raise FailedToDropPrivileges(msg)
if self.user is not None:
setuid(self.user)
if self.group is not None:
setgid(self.group)
finally:
capabilities.set_keepcaps(False)
First, if the transition is to a non-root user, the only setgid()
transitions that will work are to the real group ID or saved set-group-ID.
If the setgid() and setuid() lines are swapped, all group IDs will work.
Is this intentional?
Second, I don't understand why supplementary groups aren't dropped always.
The 'is not None' check doesn't make sense to me. Why not drop the
supplementary groups unconditionally?
Third, and most troubling, the setuid() and setgid() functions throw
exceptions when they fail but this function ignores all exceptions. These
calls can fail and when they do, it can have catastrophic consequences.
The error returns from the system calls must be checked. Does oslo.privsep
die properly when these functions fail?
Thanks |
|
| 2016-09-30 00:50:12 |
Joshua Harlow |
bug |
|
|
added subscriber Angus Lees |
| 2016-11-21 15:27:44 |
Tristan Cacqueray |
description |
This issue is being treated as a potential security risk under embargo. Please do not make any public mention of embargoed (private) security vulnerabilities before their coordinated publication by the OpenStack Vulnerability Management Team in the form of an official OpenStack Security Advisory. This includes discussion of the bug or associated fixes in public forums such as mailing lists, code review systems and bug trackers. Please also avoid private disclosure to other individuals not already approved for access to this information, and provide this same reminder to those who are made aware of the issue prior to publication. All discussion should remain confined to this private bug report, and any proposed fixes should be added to the bug as attachments.
--
Hello, I'm conducting a super-quick review of oslo.privsep as part of the
Ubuntu Main Inclusion process.
I noticed a few odd things with some of the privilege dropping code that
may or may not represent bugs:
def _drop_privs(self):
try:
# Keep current capabilities across setuid away from root.
capabilities.set_keepcaps(True)
if self.group is not None:
try:
os.setgroups([])
except OSError:
msg = _('Failed to remove supplemental groups')
LOG.critical(msg)
raise FailedToDropPrivileges(msg)
if self.user is not None:
setuid(self.user)
if self.group is not None:
setgid(self.group)
finally:
capabilities.set_keepcaps(False)
First, if the transition is to a non-root user, the only setgid()
transitions that will work are to the real group ID or saved set-group-ID.
If the setgid() and setuid() lines are swapped, all group IDs will work.
Is this intentional?
Second, I don't understand why supplementary groups aren't dropped always.
The 'is not None' check doesn't make sense to me. Why not drop the
supplementary groups unconditionally?
Third, and most troubling, the setuid() and setgid() functions throw
exceptions when they fail but this function ignores all exceptions. These
calls can fail and when they do, it can have catastrophic consequences.
The error returns from the system calls must be checked. Does oslo.privsep
die properly when these functions fail?
Thanks |
Hello, I'm conducting a super-quick review of oslo.privsep as part of the
Ubuntu Main Inclusion process.
I noticed a few odd things with some of the privilege dropping code that
may or may not represent bugs:
def _drop_privs(self):
try:
# Keep current capabilities across setuid away from root.
capabilities.set_keepcaps(True)
if self.group is not None:
try:
os.setgroups([])
except OSError:
msg = _('Failed to remove supplemental groups')
LOG.critical(msg)
raise FailedToDropPrivileges(msg)
if self.user is not None:
setuid(self.user)
if self.group is not None:
setgid(self.group)
finally:
capabilities.set_keepcaps(False)
First, if the transition is to a non-root user, the only setgid()
transitions that will work are to the real group ID or saved set-group-ID.
If the setgid() and setuid() lines are swapped, all group IDs will work.
Is this intentional?
Second, I don't understand why supplementary groups aren't dropped always.
The 'is not None' check doesn't make sense to me. Why not drop the
supplementary groups unconditionally?
Third, and most troubling, the setuid() and setgid() functions throw
exceptions when they fail but this function ignores all exceptions. These
calls can fail and when they do, it can have catastrophic consequences.
The error returns from the system calls must be checked. Does oslo.privsep
die properly when these functions fail?
Thanks |
|
| 2016-11-21 15:27:55 |
Tristan Cacqueray |
ossa: status |
Incomplete |
Won't Fix |
|
| 2016-11-21 15:28:05 |
Tristan Cacqueray |
information type |
Private Security |
Public |
|
| 2018-04-04 20:48:23 |
Ben Nemec |
oslo.privsep: status |
New |
Confirmed |
|
| 2018-04-04 20:48:26 |
Ben Nemec |
oslo.privsep: importance |
Undecided |
Low |
|
| 2023-02-13 11:23:54 |
OpenStack Infra |
oslo.privsep: status |
Confirmed |
In Progress |
|
| 2023-02-13 11:23:56 |
Max |
attachment added |
|
https://review.opendev.org/c/openstack/oslo.privsep/+/873513 https://review.opendev.org/c/openstack/oslo.privsep/+/873513 |
|
