[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Openstack-security] [Bug 1765734] Re: one can bypass filters and execute arbitrary commands on namespaces

Fix proposed to branch: master
Review: https://review.openstack.org/564555

** Changed in: oslo.rootwrap
       Status: New => In Progress

You received this bug notification because you are a member of OpenStack
Security SIG, which is subscribed to OpenStack.

  one can bypass filters and execute arbitrary commands on namespaces

Status in oslo.rootwrap:
  In Progress
Status in OpenStack Security Advisory:
  Won't Fix

Bug description:
  When this filter [0] is enabled in conjunction with IpNetnsExecFilter,
  only commands allowed explicitly through the CommandFilter should get
  to execute in the specified namespace.

  However, due to the fact that these two commands are exactly the same:

  ip netns exec $namespace echo $my_ssh_key >> /root/.ssh/authorized_keys
  ip net exec $namespace echo $my_ssh_key >> /root/.ssh/authorized_keys

  One can execute the latter without any CommandFilter for the 'echo' command.
  This is a big security issue since anyone can make changes to the filesystem and execute arbitrary commands bypassing the IpNetnsExecFilter.

  The solution is simply patching this code [1] by checking that the
  second element starts with 'net', and the third one starts with 'e'.

  [0] ip: IpFilter, ip, root
  [1] https://github.com/openstack/oslo.rootwrap/blob/0fa59b04e89ad94085780550466368e6f351a9e1/oslo_rootwrap/filters.py#L376

To manage notifications about this bug go to: