Re: [Openstack] security blueprint related to os binaries
Err, sounds like a lot of work to make the code more fragile. If you want to be paranoid about launching the right command, do it by sanity-checking $PATH, not by hardcoding the path of all the executables you call.

On Tue, May 14, 2013 at 5:56 AM, Stanislav Pugachev <spugac...@griddynamics.com> wrote:
> Hi,
>
> I've added a blueprint https://blueprints.launchpad.net/hacking/+spec/absolute-paths-of-os-binaries
> Please, take a look and let's discuss it if it makes sense.
>
> Thank you
> Stas.

___
Mailing list: https://launchpad.net/~openstack
Post to     : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp
Re: [Openstack] security blueprint related to os binaries
Why do you think the code will become more fragile? It will be more defended. How will $PATH checking help if someone changes the binary? And it is not so much work to do here.

On Tue, May 14, 2013 at 3:36 PM, Victor Lowther <victor.lowt...@gmail.com> wrote:
> Err, sounds like a lot of work to make the code more fragile. If you want to be paranoid about launching the right command, do it by sanity-checking $PATH, not by hardcoding the path of all the executables you call.
>
> On Tue, May 14, 2013 at 5:56 AM, Stanislav Pugachev <spugac...@griddynamics.com> wrote:
>> Hi,
>>
>> I've added a blueprint https://blueprints.launchpad.net/hacking/+spec/absolute-paths-of-os-binaries
>> Please, take a look and let's discuss it if it makes sense.
>>
>> Thank you
>> Stas.
Re: [Openstack] security blueprint related to os binaries
On 14/05/13 12:02, Stanislav Pugachev wrote:
> Hi,
>
> I've added a blueprint https://blueprints.launchpad.net/hacking/+spec/absolute-paths-of-os-binaries
> Please, take a look and let's discuss it if it makes sense.
>
> Thank you
> Stas.

Am I correct in thinking that, if the attacker is able to modify $PATH in the environment under which nova etc. runs, you've already lost?

I would argue this is at worst a packaging bug, assuming packagers are not explicitly defining the $PATH variable as part of the init scripts.

P.S. the openstack-dev mailing list is generally where blueprint discussion happens :)

Thanks,
Kiall
Re: [Openstack] security blueprint related to os binaries
I think it will become more fragile because (despite over a decade of trying to standardize these things), not all the distros put their binaries in the same places -- for example, I have seen brctl live in /sbin, /usr/sbin, and /usr/bin. It is much easier to sanity-check (or allow for customization of) $PATH in one place (hi there Oslo devs!) and rely on having a sane path everywhere else than to hardcode all the external binary calls and have to deal with the inevitable bugs that will arise from utilities living in different directories in different distros. If os.execvp and friends randomly decide to stop using PATH (and only PATH) to find executables, we are in much deeper trouble anyway.

On Tue, May 14, 2013 at 8:04 AM, Stanislav Pugachev <spugac...@griddynamics.com> wrote:
> Why do you think the code will become more fragile? It will be more defended. How will $PATH checking help if someone changes the binary? And it is not so much work to do here.
>
> On Tue, May 14, 2013 at 3:36 PM, Victor Lowther <victor.lowt...@gmail.com> wrote:
>> Err, sounds like a lot of work to make the code more fragile. If you want to be paranoid about launching the right command, do it by sanity-checking $PATH, not by hardcoding the path of all the executables you call.
>>
>> On Tue, May 14, 2013 at 5:56 AM, Stanislav Pugachev <spugac...@griddynamics.com> wrote:
>>> Hi,
>>>
>>> I've added a blueprint https://blueprints.launchpad.net/hacking/+spec/absolute-paths-of-os-binaries
>>> Please, take a look and let's discuss it if it makes sense.
>>>
>>> Thank you
>>> Stas.
Re: [Openstack] security blueprint related to os binaries
An attacker can put a binary in /usr/local/bin, for example; on Ubuntu that path is located before /usr/bin. We could create some templates with absolute paths to binaries for each distro (deb-based, rhel-based) and auto-detect them.

On Tue, May 14, 2013 at 3:36 PM, Victor Lowther <victor.lowt...@gmail.com> wrote:
> Err, sounds like a lot of work to make the code more fragile. If you want to be paranoid about launching the right command, do it by sanity-checking $PATH, not by hardcoding the path of all the executables you call.
>
> On Tue, May 14, 2013 at 5:56 AM, Stanislav Pugachev <spugac...@griddynamics.com> wrote:
>> Hi,
>>
>> I've added a blueprint https://blueprints.launchpad.net/hacking/+spec/absolute-paths-of-os-binaries
>> Please, take a look and let's discuss it if it makes sense.
>>
>> Thank you
>> Stas.
Re: [Openstack] security blueprint related to os binaries
On Tue, 2013-05-14 at 18:38 +0300, Vasiliy Khomenko wrote:
> An attacker can put a binary in /usr/local/bin, for example; on Ubuntu that path is located before /usr/bin.

If the attacker has write access to /usr/local/bin, it's already game over; I don't see what we can do to nova that can mitigate something that disastrous.
--
Kevin L. Mitchell <kevin.mitch...@rackspace.com>
Re: [Openstack] security blueprint related to os binaries
Agree. Hardcoding full pathnames is a bad practice in general.

On 5/14/13 11:50 AM, Kevin L. Mitchell <kevin.mitch...@rackspace.com> wrote:
> On Tue, 2013-05-14 at 18:38 +0300, Vasiliy Khomenko wrote:
>> An attacker can put a binary in /usr/local/bin, for example; on Ubuntu that path is located before /usr/bin.
>
> If the attacker has write access to /usr/local/bin, it's already game over; I don't see what we can do to nova that can mitigate something that disastrous.
> --
> Kevin L. Mitchell <kevin.mitch...@rackspace.com>
Re: [Openstack] security blueprint related to os binaries
From the security point of view, it's not so bad a practice.

On Tue, May 14, 2013 at 6:57 PM, Wyllys Ingersoll <wyllys.ingers...@evault.com> wrote:
> Agree. Hardcoding full pathnames is a bad practice in general.
>
> On 5/14/13 11:50 AM, Kevin L. Mitchell <kevin.mitch...@rackspace.com> wrote:
>> On Tue, 2013-05-14 at 18:38 +0300, Vasiliy Khomenko wrote:
>>> An attacker can put a binary in /usr/local/bin, for example; on Ubuntu that path is located before /usr/bin.
>>
>> If the attacker has write access to /usr/local/bin, it's already game over; I don't see what we can do to nova that can mitigate something that disastrous.
>> --
>> Kevin L. Mitchell <kevin.mitch...@rackspace.com>
Re: [Openstack] security blueprint related to os binaries
What attack does hardcoding a path to a specific executable protect against? On the downside, it makes the code far less portable, harder to maintain, and less flexible in the face of alternative directory structures and system configurations.

From: Stanislav Pugachev <spugac...@griddynamics.com>
Date: Tuesday, May 14, 2013 12:20 PM
To: Wyllys Ingersoll <wyllys.ingers...@evault.com>
Cc: Kevin L. Mitchell <kevin.mitch...@rackspace.com>, openstack@lists.launchpad.net
Subject: Re: [Openstack] security blueprint related to os binaries

> From the security point of view, it's not so bad a practice.
>
> On Tue, May 14, 2013 at 6:57 PM, Wyllys Ingersoll <wyllys.ingers...@evault.com> wrote:
>> Agree. Hardcoding full pathnames is a bad practice in general.
>>
>> On 5/14/13 11:50 AM, Kevin L. Mitchell <kevin.mitch...@rackspace.com> wrote:
>>> On Tue, 2013-05-14 at 18:38 +0300, Vasiliy Khomenko wrote:
>>>> An attacker can put a binary in /usr/local/bin, for example; on Ubuntu that path is located before /usr/bin.
>>>
>>> If the attacker has write access to /usr/local/bin, it's already game over; I don't see what we can do to nova that can mitigate something that disastrous.
>>> --
>>> Kevin L. Mitchell <kevin.mitch...@rackspace.com>
Re: [Openstack] security blueprint related to os binaries
If an attacker can put a binary in /usr/local/bin, they already have root and we are doomed anyway. If you are still worried about it, reorder PATH so that /usr/local/whatever comes last instead of first.

On Tue, May 14, 2013 at 10:38 AM, Vasiliy Khomenko <vkhome...@griddynamics.com> wrote:
> An attacker can put a binary in /usr/local/bin, for example; on Ubuntu that path is located before /usr/bin. We could create some templates with absolute paths to binaries for each distro (deb-based, rhel-based) and auto-detect them.
>
> On Tue, May 14, 2013 at 3:36 PM, Victor Lowther <victor.lowt...@gmail.com> wrote:
>> Err, sounds like a lot of work to make the code more fragile. If you want to be paranoid about launching the right command, do it by sanity-checking $PATH, not by hardcoding the path of all the executables you call.
>>
>> On Tue, May 14, 2013 at 5:56 AM, Stanislav Pugachev <spugac...@griddynamics.com> wrote:
>>> Hi,
>>>
>>> I've added a blueprint https://blueprints.launchpad.net/hacking/+spec/absolute-paths-of-os-binaries
>>> Please, take a look and let's discuss it if it makes sense.
>>>
>>> Thank you
>>> Stas.
Re: [Openstack] security blueprint related to os binaries
On Tue, May 14, 2013 at 9:25 AM, Mac Innes, Kiall <ki...@hp.com> wrote:
> On 14/05/13 12:02, Stanislav Pugachev wrote:
>> Hi,
>>
>> I've added a blueprint https://blueprints.launchpad.net/hacking/+spec/absolute-paths-of-os-binaries
>> Please, take a look and let's discuss it if it makes sense.
>>
>> Thank you
>> Stas.
>
> Am I correct in thinking that, if the attacker is able to modify $PATH in the environment under which nova etc. runs, you've already lost?

Yep.

> I would argue this is at worst a packaging bug, assuming packagers are not explicitly defining the $PATH variable as part of the init scripts.

That, and the PATH of any user with the rights to run nova services and commands -- the general best practice is to make sure that all the entries in $PATH are absolute paths, and that nothing in $PATH is world-writable.

> P.S. the openstack-dev mailing list is generally where blueprint discussion happens :)
>
> Thanks,
> Kiall
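As an added example (not code from the thread, nor from OpenStack or Oslo), here is the "sanity-check $PATH in one place" approach in the form the best practice above describes: flag PATH entries that are not absolute or are world-writable, and report which file a bare command name such as brctl would resolve to in PATH order. The `stat_fn` and `is_exec` parameters are assumed hooks so the check can be run against a recorded snapshot instead of the live filesystem.

```python
"""PATH sanity check: absolute entries only, nothing world-writable."""
import os
import stat


def check_path_entries(path_value, stat_fn=os.stat):
    """Return a list of (entry, problem) pairs; an empty list means PATH is sane."""
    problems = []
    for entry in path_value.split(os.pathsep):
        if entry == "":
            # execvp treats an empty entry as the current working directory.
            problems.append((entry, "empty entry, resolves to the current directory"))
            continue
        if not os.path.isabs(entry):
            problems.append((entry, "relative entry"))
            continue
        try:
            st = stat_fn(entry)
        except OSError:
            problems.append((entry, "does not exist"))
            continue
        if not stat.S_ISDIR(st.st_mode):
            problems.append((entry, "not a directory"))
        elif st.st_mode & stat.S_IWOTH:
            # Any local user could place a same-named file here and win the lookup.
            problems.append((entry, "world-writable"))
    return problems


def _is_exec_file(path):
    return os.path.isfile(path) and os.access(path, os.X_OK)


def resolve_executable(name, path_value, is_exec=_is_exec_file):
    """Return the file execvp would run for a bare command name, or None."""
    if os.sep in name:
        return name  # an explicit path skips the PATH search entirely
    for entry in path_value.split(os.pathsep):
        candidate = os.path.join(entry or ".", name)
        if is_exec(candidate):
            return candidate
    return None


if __name__ == "__main__":
    live = os.environ.get("PATH", "")
    for entry, why in check_path_entries(live):
        print("PATH entry %r: %s" % (entry, why))
    print("brctl would resolve to:", resolve_executable("brctl", live))
```

Run under the service account (or with its environment, as from an init script) to see the PATH that nova would actually use rather than your own shell's.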
Re: [Openstack] security blueprint related to os binaries
Kevin L. Mitchell wrote:
> On Tue, 2013-05-14 at 18:38 +0300, Vasiliy Khomenko wrote:
>> An attacker can put a binary in /usr/local/bin, for example; on Ubuntu that path is located before /usr/bin.
>
> If the attacker has write access to /usr/local/bin, it's already game over; I don't see what we can do to nova that can mitigate something that disastrous.

Yes, this proposal is pretty useless. We rely on $PATH to execute code as the $service user -- someone that can modify $PATH or inject binaries in it already has enough rights to act as $service. For rootwrap calls we rely on a root-configured specific path, and still have the option to specify the complete path. To interfere with that you actually need to be root already.

So this makes the code more brittle (each distro would have to patch the code to apply their specific paths), for no security gain.

--
Thierry Carrez (ttx)
Release Manager, OpenStack