** No longer affects: rally

--
You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1570694
Title: potentially unsafe use of shell commands

Status in neutron: Invalid
Status in OpenStack Security Advisory: Won't Fix

Bug description:

Hello,

I'm reviewing neutron-vpnaas for including into Ubuntu main and had some questions. Most of my concern lies in one file:

http://git.openstack.org/cgit/openstack/neutron-vpnaas/tree/rally-jobs/plugins/vpn_utils.py

This file extensively calls sudo with string-constructed command lines with no parameter quoting of any kind. This allows easy shell injection problems. I can't decide if this is a security issue or not:

- If this is intended to be used by the cloud 'owner' and only the owner, then it's probably fine as-is, though may suffer reliability issues.
- If this is intended to allow individual tenants in the cloud to manage their own virtual machines, this _may_ be fine as-is, though may suffer reliability problems.
- If this is intended to allow individual tenants in the cloud to manage cloud-owned networking machines, this package needs immediate attention from the openstack security team.

Just search for 'sudo' in that file and I think the issue will be immediately obvious.
Here are a few examples I collected for my notes, though they came from Ubuntu's packaging so may differ slightly:

-   cmd = "sudo ip netns exec {} ip a".format(namespace)
    interfaces = execute_cmd_over_ssh(controller, cmd, private_key)

-   cmd = "sudo ip netns exec {} ping -w {} -c {} {}".format(
        namespace, 2 * count, count, router_gw_ip)
    return ping(controller, cmd, private_key)

-   for key, ns_comp in zip(remote_key_files, ns_compute_tuples):
        cmd = "sudo rm -f {}".format(key)
        host = ns_comp[1]
        execute_cmd_over_ssh(host, cmd, private_key)

-   cmd = ("sudo ssh-keygen -f /root/.ssh/known_hosts -R"
           " {}".format(host))
    execute_cmd_over_ssh(compute_host, cmd, private_key)

Thanks
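The following is an added illustration of the mitigation for the pattern the reporter describes; it is not code from neutron-vpnaas or from the bug report. It keeps the report's assumption that each command is sent to the remote host as a single string (so an argv list cannot be used and the string itself must be shell-safe), builds every command with shlex.quote on each word, and validates the two values whose shape is known (the ping count and the gateway IP). The function names, the constructed inputs and the transport stub are hypothetical.

```python
import ipaddress
import shlex

# Pattern from the bug report: values interpolated straight into a shell
# string, so a value containing shell metacharacters changes the command.
def build_ping_cmd_unsafe(namespace, count, router_gw_ip):
    return "sudo ip netns exec {} ping -w {} -c {} {}".format(
        namespace, 2 * count, count, router_gw_ip)


def quoted_cmd(*words):
    """Join words into one shell-safe command string.

    Each word is quoted with shlex.quote, so a remote POSIX shell sees every
    word as exactly one argument, regardless of spaces, ';', '|', '$' etc.
    """
    return " ".join(shlex.quote(str(w)) for w in words)


def build_ping_cmd_safe(namespace, count, router_gw_ip):
    count = int(count)                      # rejects non-numeric counts
    if count <= 0:
        raise ValueError("count must be positive")
    ipaddress.ip_address(router_gw_ip)      # raises ValueError if not an IP
    return quoted_cmd("sudo", "ip", "netns", "exec", namespace,
                      "ping", "-w", 2 * count, "-c", count, router_gw_ip)


# The other three commands from the report, rebuilt the same way.
def build_list_interfaces_cmd(namespace):
    return quoted_cmd("sudo", "ip", "netns", "exec", namespace, "ip", "a")


def build_rm_key_cmd(key_path):
    return quoted_cmd("sudo", "rm", "-f", key_path)


def build_forget_host_cmd(host):
    return quoted_cmd("sudo", "ssh-keygen", "-f", "/root/.ssh/known_hosts",
                      "-R", host)


def remote_argv(cmd):
    """What a POSIX shell on the remote side would split the string into."""
    return shlex.split(cmd)


# Hypothetical stand-in for execute_cmd_over_ssh: records instead of sending.
SENT = []


def execute_cmd_over_ssh(host, cmd, private_key):
    SENT.append((host, cmd))
    return cmd


if __name__ == "__main__":
    # Constructed inputs: one clean, one carrying shell metacharacters.
    clean_ns = "qrouter-1"
    hostile_ns = "qrouter-1; id"
    print(build_ping_cmd_unsafe(hostile_ns, 2, "10.0.0.1"))
    print(build_ping_cmd_safe(hostile_ns, 2, "10.0.0.1"))
    print(remote_argv(build_ping_cmd_safe(hostile_ns, 2, "10.0.0.1")))
    execute_cmd_over_ssh("controller", build_list_interfaces_cmd(clean_ns), None)
```

With the unsafe builder, `remote_argv` splits the hostile namespace into two words and the `;` reaches the remote shell as a command separator; with the quoted builder the namespace arrives as one argument (`'qrouter-1; id'`), which `ip netns exec` then simply fails to find. Validating `count` and `router_gw_ip` is an extra layer on top of quoting, not a substitute for it: quoting is what keeps a value from being parsed as shell syntax.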