I have performed another shallow security audit of keystone. The code audit was not deep because "Keystone is very young and developing very fast." (even more so now because of the rewrite. -- http://docs.openstack.org/trunk/openstack-identity/admin/content/what-is.html. With that said, here is my review:
Package review: - Does not run as root - Has test suite in the build, but 139 out of 266 test cases fail. debian/rules has: override_dh_auto_test: bash run_tests.sh -N || true - Listens on all interfaces by default, on ports 5000/tcp and 35357/tcp (admin interface) - no sudo fragments - no DBus services - no setuid/setgid binaries - By default, does not use ssl. Since access to keystone is necessarily over the network and considering that Keystone/Nova/Glance/Quantum bits are likely on a trusted network (though they should use SSL as well), the most important bit seems to be the User to Keystone interaction, as that is where the password is passed and the token used by the other services is received. If the password or token is snooped then an attacker can do everything as that authenticated user. - The previous version of keystone had some sort of SSL capabilities, but this version doesn't support it in any documentation. Code review: - no privileged operations - process spawning seems sane - file handling seems sane - environment handling seems sane - uses sqlalchemy, which is good Requirements for main inclusion: - add to manpage the fact that this must be on a trusted network segment or provide proper SSL configuration. - fix test suite and make it fail the build ** Changed in: keystone (Ubuntu) Status: New => In Progress ** Changed in: keystone (Ubuntu) Assignee: Jamie Strandboge (jdstrand) => (unassigned) -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to keystone in Ubuntu. https://bugs.launchpad.net/bugs/881464 Title: [MIR] keystone To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/keystone/+bug/881464/+subscriptions -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs