Reviewed:  https://review.openstack.org/368319
Committed: https://git.openstack.org/cgit/openstack/masakari/commit/?id=53d9c2613d734a48b0f0b30944bfd47ef5c1b06f
Submitter: Jenkins
Branch:    master

commit 53d9c2613d734a48b0f0b30944bfd47ef5c1b06f
Author: Takashi Kajinami <kajina...@nttdata.co.jp>
Date:   Tue Sep 6 11:07:23 2016 +0900

    Don't attempt to escalate masakari-manage privileges
    
    Remove code which allowed masakari-manage to attempt to escalate
    privileges so that configuration files can be read by users who
    normally wouldn't have access, but do have sudo access.
    
    NOTE:
    This change is created based on the change with change id
    I03063d2af14015e6506f1b6e958f5ff219aa4a87 from Kiall Mac Innes
    in designate project.
    
    Change-Id: Icba07a4bac4f41b921984204b32ad73fdbae4097
    Co-Authored-By: Kiall Mac Innes <ki...@macinnes.ie>
    Closes-Bug: 1611171


** Changed in: masakari
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1611171

Title:
  re-runs self via sudo

Status in Cinder:
  New
Status in Designate:
  In Progress
Status in ec2-api:
  New
Status in gce-api:
  New
Status in Manila:
  New
Status in masakari:
  Fix Released
Status in OpenStack Compute (nova):
  In Progress
Status in OpenStack Security Advisory:
  Incomplete
Status in Rally:
  New

Bug description:
  Hello, I'm looking through Designate source code to determine if it is
  appropriate to include in Ubuntu Main. This isn't a full security
  audit.

  This looks like trouble:

  ./designate/cmd/manage.py

  def main():
      CONF.register_cli_opt(category_opt)

      try:
          utils.read_config('designate', sys.argv)
          logging.setup(CONF, 'designate')
      except cfg.ConfigFilesNotFoundError:
          cfgfile = CONF.config_file[-1] if CONF.config_file else None
          if cfgfile and not os.access(cfgfile, os.R_OK):
              st = os.stat(cfgfile)
              print(_("Could not read %s. Re-running with sudo") % cfgfile)
              try:
                  os.execvp('sudo', ['sudo', '-u', '#%s' % st.st_uid] + sys.argv)
              except Exception:
                  print(_('sudo failed, continuing as if nothing happened'))

          print(_('Please re-run designate-manage as root.'))
          sys.exit(2)

  
  This is an interesting decision -- if the configuration file is _not_
  readable by the user in question, give the executing user complete
  privileges of the user that owns the unreadable file.

  I'm not a fan of hiding privilege escalation / modifications in
  programs -- if a user had recently used sudo and thus had the
  authentication token already stored for their terminal, this 'hidden'
  use of sudo may be unexpected and unwelcome, especially since it
  appears that argv from the first call leaks through to the sudo call.

  Is this intentional OpenStack style? Or unexpected for you guys too?

  (Feel free to make this public at your convenience.)

  Thanks
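
Added example, not part of the bug report or of any OpenStack project's code: since the bug is filed against several projects, this sketch uses Python's ast module to find os.exec*('sudo', ...) calls in a source file and to note whether sys.argv is forwarded to them. The function names and both sample sources are constructed for illustration; the first sample mirrors the call quoted in the report.

```python
import ast

# os.exec* family members, all of which replace the current process.
EXEC_FUNCS = {"execv", "execve", "execvp", "execvpe",
              "execl", "execle", "execlp", "execlpe"}


def _mentions_sys_argv(node):
    """True if the expression subtree contains the attribute access sys.argv."""
    return any(
        isinstance(n, ast.Attribute) and n.attr == "argv"
        and isinstance(n.value, ast.Name) and n.value.id == "sys"
        for n in ast.walk(node)
    )


def find_sudo_reexec(source, filename="<string>"):
    """Return sorted (line, forwards_argv) for each os.exec*('sudo', ...) call."""
    findings = []
    for node in ast.walk(ast.parse(source, filename)):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)):
            continue
        func = node.func
        if not (func.attr in EXEC_FUNCS and isinstance(func.value, ast.Name)
                and func.value.id == "os" and node.args):
            continue
        first = node.args[0]
        if isinstance(first, ast.Constant) and first.value == "sudo":
            forwards = any(_mentions_sys_argv(a) for a in node.args[1:])
            findings.append((node.lineno, forwards))
    return sorted(findings)


# Constructed samples: FLAGGED mirrors the call quoted in the bug report,
# CLEAN is the same error path with the re-exec removed.
FLAGGED = '''
import os, sys
def main(cfgfile):
    if not os.access(cfgfile, os.R_OK):
        st = os.stat(cfgfile)
        os.execvp('sudo', ['sudo', '-u', '#%s' % st.st_uid] + sys.argv)
'''
CLEAN = '''
import os, sys
def main(cfgfile):
    if not os.access(cfgfile, os.R_OK):
        print('Could not read %s' % cfgfile)
        sys.exit(2)
'''
```

Calling find_sudo_reexec(open(path).read(), path) on each *.py file under a project's cmd/ directory gives the lines to review by hand; it only matches the literal 'sudo' program name called through the os module.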
