James and Corey, thanks for the feedback.

I reviewed python-oslo.privsep version 1.13.0-0ubuntu1 as checked into
yakkety; this shouldn't be considered a full security audit.

oslo.privsep tries to provide more granular tools than calling sudo from
openstack scripts, and implements an RPC mechanism using yaml across
a socket to a more privileged execution environment for finer-grained
access.

I did not discover any CVEs in our database.

- Build-Depends: debhelper, dh-python, openstack-pkg-tools
- This package can spawn on-demand daemons needed for the privsep RPC
  mechanism to function; it mostly daemonizes correctly but the umask(0)
  setting feels archaic and prone to fail-open problems.
- pre/post inst/rm scripts clean up after themselves, but a lintian error
  indicates a problem with the update-alternatives tool that ought to be
  fixed
- No initscripts
- No dbus services
- No setuid executables
- python3-privsep-helper and python2-privsep-helper executables in path
- No sudo fragments, but uses sudo internally
- No udev rules
- I didn't inspect the test suite closely; 31 tests are run during the
  build, which feels on the small side, but it's something
- Mostly-clean build logs

- A subprocess is spawned via subprocess.Popen() -- while it passes a
  string, and thus lacks the correctness of an array-based execution, the
  string does appear to be constructed from configuration file contents,
  and is handled with shell=False. It may not be ideal but it's probably
  fine.
- No file IO
- Minimal logging
- Does not itself use environment variables, module imports may
- Uses setuid, setgid, setgroups, prctl to manipulate capabilities
  Uses CFFI and hard-codes capabilities numbers for some caps
- No cryptography
- Uses unix networking sockets
- There are privileged portions of code, reached via a unix domain socket
  from the 'unprivileged' side of the codebase.
- No temporary file handling
- No WebKit
- No javascript
- No policykit

While most of this project was well-developed, I have my concerns about
specific aspects of the system. It is probably still an improvement over
the status quo from before the package's introduction. It doesn't feel
quite ready yet but I understand that removing it would be complicated,
and 16.10 will only be supported for nine months, so if it's a too-large
risk, the consequences are bounded.

We may need the server team's help adapting projects in the event one or
more of these bugs results in necessary changes to clients:

https://bugs.launchpad.net/bugs/1628348
https://bugs.launchpad.net/bugs/1628360
https://bugs.launchpad.net/oslo.privsep/+bug/1628738

Security team ACK for promoting python-oslo.privsep to main.

Thanks


** Changed in: python-oslo.privsep (Ubuntu)
     Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)

-- 
https://bugs.launchpad.net/bugs/1616764

Title:
  [MIR] python-oslo.privsep
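
The umask(0) concern raised in the review, as an added example that is not part of the bug report or of oslo.privsep's own code: on Linux, bind(2) creates a unix domain socket node with mode 0777 & ~umask, so a daemon that runs umask(0) and never chmods its listening socket leaves it reachable by every local user. The socket path is a constructed temporary one; the assumed helper names are mine.

```python
import os
import socket
import stat
import tempfile


def socket_mode_under_umask(umask_value: int) -> int:
    """Bind a unix domain socket while the given umask is in effect and
    return the permission bits the kernel assigned to the socket file.

    Assumes Linux semantics (unix(7)): the node gets 0777 & ~umask. The
    process umask is restored afterwards because it is process-global.
    """
    previous = os.umask(umask_value)
    try:
        with tempfile.TemporaryDirectory() as tmpdir:
            path = os.path.join(tmpdir, "privsep.sock")  # constructed path
            srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
            try:
                srv.bind(path)
                return stat.S_IMODE(os.stat(path).st_mode)
            finally:
                srv.close()
    finally:
        os.umask(previous)


def daemon_umask_is_safe(umask_value: int) -> bool:
    """Defender's check for a daemonize routine: the umask must strip all
    group and other bits, otherwise a privileged socket created without an
    explicit chmod is open to unprivileged local users (fail-open)."""
    return (umask_value & 0o077) == 0o077


if __name__ == "__main__":
    # umask 0000 -> 0777 (anyone may connect), 0022 -> 0755, 0077 -> 0700
    for mask in (0o000, 0o022, 0o077):
        mode = socket_mode_under_umask(mask)
        print(f"umask {mask:04o}: socket mode {mode:04o}, "
              f"safe={daemon_umask_is_safe(mask)}")
```

The alternative to a restrictive umask is an explicit os.chmod() on the socket path immediately after bind(), which does not depend on inherited process state.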
