I reviewed parallax version 1.0.1-3 as checked into artful; this should
not be considered a full security audit but rather a quick gauge of
maintainability.
- No CVEs in our CVE database
- Parallax provides an API for multiple ssh use: executing commands on
multiple hosts, copying files to and from multiple hosts.
- Build-Depends: debhelper, dh-python, python-all, python3-all
- Does not daemonize
- auto-generated python postinst scripts
- No initscripts
- No systemd unit files
- No dbus services
- No setuids
- No binaries in the path
- No sudo fragments
- No udev rules
- There's a file with tests but nothing run during the build; it feels
like it would be hard to test
- No cron jobs
- Clean build logs
- Subprocesses are spawned as the whole point of the package; safe array
mechanism for parameters, manages close-on-exec for its own
file descriptors
- Files are written to as part of stdout/stderr handling, seemed safe
- Uses PARALLAX_ASKPASS_SOCKET and PARALLAX_ASKPASS_VERBOSE environment
variables, seemed safe
- Does not itself do networking or cryptography
- No privileged portions of code
- No temporary files
- No webkit
- No js
- No policykit
Parallax seemed straightforward enough. Like many python programs actual
error results are sometimes discarded before giving the user a generic
error message. This is annoying but not really unique to parallax.
I didn't investigate whether any cross-machine attacks are possible --
TIOCSTI for example is a way for a terminal-driven program to drive the
terminal. I would love to hear feedback from someone about this.
Here's some notes I took when reviewing parallax in the hopes that they
are useful to someone:
- read_host_file() strips each line twice, once when reading, once when
parsing
- askpass_main() misleading error text "Couldn't bind to %s:" but the
failed call is sock.connect(address). In fact most useful information
about errors in this function is discarded entirely rather than being
presented to the user.
Security team ACK for promoting parallax to main.
Thanks
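Added illustration of two of the points in the review above (the askpass_main() error text that names bind when the failing call is connect, and the close-on-exec handling of file descriptors around spawned subprocesses). This is example code written for this page, not parallax's own code: the one-shot "accept one client, send the secret, close" wire protocol, the toy server, the fd number 200 and every function name here are assumptions; only the PARALLAX_ASKPASS_SOCKET variable name comes from the review.

```python
"""Illustrative askpass client and fd-hygiene checks (added example; not parallax code)."""
import os
import socket
import subprocess
import sys
import tempfile
import threading

# Variable name is the one the review mentions; the wire protocol below (server
# hands the secret to the first client and closes) is an assumption for the demo.
ASKPASS_SOCKET_ENV = "PARALLAX_ASKPASS_SOCKET"


def fetch_password(env=None):
    """Connect to the askpass socket named in env and return (secret, error).

    On failure the error names the operation that actually failed (connect,
    not bind) and keeps the OS error text instead of discarding it.
    """
    env = os.environ if env is None else env
    path = env.get(ASKPASS_SOCKET_ENV)
    if not path:
        return None, "%s is not set" % ASKPASS_SOCKET_ENV
    sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        sock.connect(path)
    except OSError as exc:
        sock.close()
        return None, "Couldn't connect to %s: %s" % (path, exc.strerror or exc)
    try:
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:  # peer closed: end of secret
                break
            chunks.append(data)
    except OSError as exc:
        return None, "Error reading from %s: %s" % (path, exc.strerror or exc)
    finally:
        sock.close()
    return b"".join(chunks).decode("utf-8"), None


def serve_secret_once(path, secret):
    """Toy askpass server (assumed protocol): bind, accept one client, send, close."""
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(path)
    srv.listen(1)

    def run():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(secret.encode("utf-8"))
        srv.close()

    thread = threading.Thread(target=run, daemon=True)
    thread.start()
    return thread


def roundtrip_demo(secret="s3cret"):
    """Serve a secret on a temporary socket and fetch it via the env variable."""
    tmpdir = tempfile.mkdtemp()
    path = os.path.join(tmpdir, "askpass.sock")
    thread = serve_secret_once(path, secret)
    try:
        return fetch_password({ASKPASS_SOCKET_ENV: path})
    finally:
        thread.join(5)
        os.unlink(path)
        os.rmdir(tmpdir)


def fd_visible_in_child(fd, pass_fds=()):
    """Spawn a child from an argv list (no shell) and report whether fd survived exec."""
    probe = ("import os, sys\n"
             "try:\n    os.fstat(int(sys.argv[1]))\n"
             "except OSError:\n    sys.exit(1)\n")
    result = subprocess.run([sys.executable, "-c", probe, str(fd)],
                            close_fds=True, pass_fds=pass_fds)
    return result.returncode == 0


def close_on_exec_demo():
    """Return (visible without pass_fds, visible with pass_fds) for one pipe end."""
    rfd, wfd = os.pipe()
    high = 200  # assumed: a number the child interpreter will not open on its own
    os.dup2(rfd, high)
    try:
        return fd_visible_in_child(high), fd_visible_in_child(high, pass_fds=(high,))
    finally:
        os.close(high)
        os.close(rfd)
        os.close(wfd)


if __name__ == "__main__":
    print(roundtrip_demo())
    print(fetch_password({ASKPASS_SOCKET_ENV: "/nonexistent/askpass.sock"}))
    print(close_on_exec_demo())
```

The error path keeps exc.strerror rather than swallowing the exception, so a user sees "Couldn't connect to /path: No such file or directory" instead of a generic message; close_on_exec_demo() shows that with close_fds=True only descriptors explicitly listed in pass_fds reach the child.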