[Openstack] security blueprint related to os binaries
Hi, I've added a blueprint https://blueprints.launchpad.net/hacking/+spec/absolute-paths-of-os-binaries Please, take a look and let's discuss it if it makes sense. Thank you Stas. ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp
Re: [Openstack] security blueprint related to os binaries
Why do you think code will become more fragile? It will be more defended. How $PATH checking will help if someone will change the binary? And it is not so much work to do here. On Tue, May 14, 2013 at 3:36 PM, Victor Lowther victor.lowt...@gmail.comwrote: Err, sounds like a lot of work to make the code more fragile. If you want to be paranoid about launching the right command, do it by sanity-checking $PATH, not by hardcoding the path of all the executables you call. On Tue, May 14, 2013 at 5:56 AM, Stanislav Pugachev spugac...@griddynamics.com wrote: Hi, I've added a blueprint https://blueprints.launchpad.net/hacking/+spec/absolute-paths-of-os-binaries Please, take a look and let's discuss it if it makes sense. Thank you Stas. ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp
Re: [Openstack] security blueprint related to os binaries
from the security point of view its not so bad practice On Tue, May 14, 2013 at 6:57 PM, Wyllys Ingersoll wyllys.ingers...@evault.com wrote: Agree. Hardcoding full pathnames is a bad practice in general. On 5/14/13 11:50 AM, Kevin L. Mitchell kevin.mitch...@rackspace.com wrote: On Tue, 2013-05-14 at 18:38 +0300, Vasiliy Khomenko wrote: Attacker can put binary in /usr/local/bin for example. on ubuntu that path located before /usr/bin. If the attacker has write access to /usr/local/bin, it's already game over; I don't see what we can do to nova that can mitigate something that disastrous. -- Kevin L. Mitchell kevin.mitch...@rackspace.com ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp