Re: [Openstack] security blueprint related to os binaries

2013-05-14 Thread Thierry Carrez
Kevin L. Mitchell wrote: > On Tue, 2013-05-14 at 18:38 +0300, Vasiliy Khomenko wrote: >> Attacker can put binary in /usr/local/bin for example. on ubuntu that >> path located before /usr/bin. > > If the attacker has write access to /usr/local/bin, it's already game > over; I don't see what we can

Re: [Openstack] security blueprint related to os binaries

2013-05-14 Thread Victor Lowther
On Tue, May 14, 2013 at 9:25 AM, Mac Innes, Kiall wrote: > On 14/05/13 12:02, Stanislav Pugachev wrote: > Hi, > I've added a blueprint > https://blueprints.launchpad.net/hacking/+spec/absolute-paths-of-os-binaries > Please, take a look and let's discuss it if it makes sense. > Thank you > Stas. >

Re: [Openstack] security blueprint related to os binaries

2013-05-14 Thread Victor Lowther
If an attacker can put a binary in /usr/local/bin, they already have root and we are doomed anyways. If you are still worried about it, reorder PATH so that /usr/local/whatever comes last instead of first. On Tue, May 14, 2013 at 10:38 AM, Vasiliy Khomenko < vkhome...@griddynamics.com> wrote: >

Re: [Openstack] security blueprint related to os binaries

2013-05-14 Thread Wyllys Ingersoll
:openstack@lists.launchpad.net>> Subject: Re: [Openstack] security blueprint related to os binaries from the security point of view its not so bad practice On Tue, May 14, 2013 at 6:57 PM, Wyllys Ingersoll mailto:wyllys.ingers...@evault.com>> wrote: Agree. Hardcoding full pathnames is

Re: [Openstack] security blueprint related to os binaries

2013-05-14 Thread Stanislav Pugachev
from the security point of view its not so bad practice On Tue, May 14, 2013 at 6:57 PM, Wyllys Ingersoll < wyllys.ingers...@evault.com> wrote: > Agree. Hardcoding full pathnames is a bad practice in general. > > > On 5/14/13 11:50 AM, "Kevin L. Mitchell" > wrote: > > >On Tue, 2013-05-14 at 18

Re: [Openstack] security blueprint related to os binaries

2013-05-14 Thread Wyllys Ingersoll
Agree. Hardcoding full pathnames is a bad practice in general. On 5/14/13 11:50 AM, "Kevin L. Mitchell" wrote: >On Tue, 2013-05-14 at 18:38 +0300, Vasiliy Khomenko wrote: >> Attacker can put binary in /usr/local/bin for example. on ubuntu that >> path located before /usr/bin. > >If the attacke

Re: [Openstack] security blueprint related to os binaries

2013-05-14 Thread Kevin L. Mitchell
On Tue, 2013-05-14 at 18:38 +0300, Vasiliy Khomenko wrote: > Attacker can put binary in /usr/local/bin for example. on ubuntu that > path located before /usr/bin. If the attacker has write access to /usr/local/bin, it's already game over; I don't see what we can do to nova that can mitigate someth

Re: [Openstack] security blueprint related to os binaries

2013-05-14 Thread Vasiliy Khomenko
Attacker can put binary in /usr/local/bin for example. on ubuntu that path located before /usr/bin. We could create some templates with absolute paths to binaries for each distro (deb-based, rhel-based) and auto-detect them. On Tue, May 14, 2013 at 3:36 PM, Victor Lowther wrote: > Err, sounds l

Re: [Openstack] security blueprint related to os binaries

2013-05-14 Thread Victor Lowther
I think it will become more fragile because (despite over a decade of trying to standardize these things), not all the distros put their binaries in the same places -- for example, I have seen brctl live in /sbin, /usr/sbin, and /usr/bin. It is much easier to sanity-check (or allow for customizatio

Re: [Openstack] security blueprint related to os binaries

2013-05-14 Thread Mac Innes, Kiall
On 14/05/13 12:02, Stanislav Pugachev wrote: Hi, I've added a blueprint https://blueprints.launchpad.net/hacking/+spec/absolute-paths-of-os-binaries Please, take a look and let's discuss it if it makes sense. Thank you Stas. Am I correct in thinking that, if the attacker is able to modify $PATH

Re: [Openstack] security blueprint related to os binaries

2013-05-14 Thread Stanislav Pugachev
Why do you think code will become more fragile? It will be more defended. How $PATH checking will help if someone will change the binary? And it is not so much work to do here. On Tue, May 14, 2013 at 3:36 PM, Victor Lowther wrote: > Err, sounds like a lot of work to make the code more fragile.

Re: [Openstack] security blueprint related to os binaries

2013-05-14 Thread Victor Lowther
Err, sounds like a lot of work to make the code more fragile. If you want to be paranoid about launching the right command, do it by sanity-checking $PATH, not by hardcoding the path of all the executables you call. On Tue, May 14, 2013 at 5:56 AM, Stanislav Pugachev < spugac...@griddynamics.com

[Openstack] security blueprint related to os binaries

2013-05-14 Thread Stanislav Pugachev
Hi, I've added a blueprint https://blueprints.launchpad.net/hacking/+spec/absolute-paths-of-os-binaries Please, take a look and let's discuss it if it makes sense. Thank you Stas. ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@