[Openstack-security] [Bug 1765734] Re: one can bypass filters and execute arbitrary commands on namespaces
Author: Daniel Alvarez <dalvarez at redhat.com>
Date: Thu Apr 26 18:33:21 2018 +0200
Make IpNetnsExecFilter more strict to detect aliases
Currently, this filter only takes into account 'ip netns exec' as
input but this command accepts different aliases like 'ip net e' or
'ip netn ex', etcetera. This is a security issue since bypassing
this filter basically allows anyone to execute arbitrary commands
because IpFilter will get hit and there's not going to be any
further checks against CommandFilters.
Co-Authored-By: Jakub Libosvar <jlibosva at redhat.com>
Signed-off-by: Daniel Alvarez <dalvarez at redhat.com>
** Changed in: oslo.rootwrap
Status: In Progress => Fix Released
one can bypass filters and execute arbitrary commands on namespaces
Status in oslo.rootwrap:
Status in OpenStack Security Advisory:
When this filter is enabled in conjunction with IpNetnsExecFilter,
only commands allowed explicitly through the CommandFilter should get
to execute in the specified namespace.
However, due to the fact that these two commands are exactly the same:
ip netns exec $namespace echo $my_ssh_key >> /root/.ssh/authorized_keys
ip net exec $namespace echo $my_ssh_key >> /root/.ssh/authorized_keys
One can execute the latter without any CommandFilter for the 'echo' command.
This is a big security issue since anyone can make changes to the filesystem and execute arbitrary commands bypassing the IpNetnsExecFilter.
The solution is simply patching this code by checking that the
second element starts with 'net', and the third one starts with 'e'.
 ip: IpFilter, ip, root
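
The following is an added example, not part of the original report or of oslo.rootwrap: a simplified Python model of the filter decision, comparing the exact 'ip netns exec' match with the prefix rule proposed above. The names ALLOWED_IN_NAMESPACE, authorize and the two is_netns_exec_* functions, and the sample command lines, are assumptions made for illustration.

```python
# Added illustration: a simplified model, not oslo.rootwrap's own code.
ALLOWED_IN_NAMESPACE = {"ping"}  # constructed stand-in for CommandFilter entries


def is_netns_exec_strict(argv):
    """Pre-fix check described above: only the literal spelling matches."""
    return argv[:3] == ["ip", "netns", "exec"]


def is_netns_exec_prefix(argv):
    """Rule proposed in the report: 2nd element starts with 'net', 3rd with 'e'."""
    return (
        len(argv) >= 3
        and argv[0] == "ip"
        and argv[1].startswith("net")
        and argv[2].startswith("e")
    )


def authorize(argv, is_netns_exec):
    """Return True if this model would let argv run as root."""
    if not argv or argv[0] != "ip":
        return False
    if is_netns_exec(argv):
        # argv[3] is the namespace; argv[4:] is the command run inside it,
        # which must be explicitly allowed.
        inner = argv[4:]
        return bool(inner) and inner[0] in ALLOWED_IN_NAMESPACE
    # Every other 'ip ...' invocation is accepted by the plain ip filter.
    return True


# Constructed sample command lines (already split into argv).
SAMPLES = [
    ["ip", "netns", "exec", "ns1", "ping", "10.0.0.1"],
    ["ip", "netns", "exec", "ns1", "echo", "x"],
    ["ip", "net", "exec", "ns1", "echo", "x"],
    ["ip", "netn", "ex", "ns1", "echo", "x"],
    ["ip", "net", "e", "ns1", "ping", "10.0.0.1"],
    ["ip", "link", "show"],
]

if __name__ == "__main__":
    for argv in SAMPLES:
        before = authorize(argv, is_netns_exec_strict)
        after = authorize(argv, is_netns_exec_prefix)
        print(f"{' '.join(argv):40} strict={before!s:5} prefix={after}")
```

With the strict check, the abbreviated spellings are not recognised as namespace execution, so the inner 'echo' is never compared against the allowed commands; with the prefix rule they are rejected while the allowed 'ping' still passes.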