On Tue, May 14, 2013 at 9:25 AM, Mac Innes, Kiall wrote:
> On 14/05/13 12:02, Stanislav Pugachev wrote:
>> Hi,
>> I've added a blueprint
>> https://blueprints.launchpad.net/hacking/+spec/absolute-paths-of-os-binaries
>> Please, take a look and let's discuss it if it makes sense.
>> Thank you
>> Stas.
>
If an attacker can put a binary in /usr/local/bin, they already have root
and we are doomed anyways. If you are still worried about it, reorder PATH
so that /usr/local/whatever comes last instead of first.

On Tue, May 14, 2013 at 10:38 AM, Vasiliy Khomenko <vkhome...@griddynamics.com> wrote:
>
Subject: Re: [Openstack] security blueprint related to os binaries
From the security point of view it's not such a bad practice.

On Tue, May 14, 2013 at 6:57 PM, Wyllys Ingersoll <wyllys.ingers...@evault.com> wrote:
> Agree. Hardcoding full pathnames is a bad practice in general.
>
>
> On 5/14/13 11:50 AM, "Kevin L. Mitchell"
> wrote:
>
>> On Tue, 2013-05-14 at 18
Agree. Hardcoding full pathnames is a bad practice in general.

On 5/14/13 11:50 AM, "Kevin L. Mitchell" wrote:
> On Tue, 2013-05-14 at 18:38 +0300, Vasiliy Khomenko wrote:
>> An attacker can put a binary in /usr/local/bin, for example. On Ubuntu that
>> path is located before /usr/bin.
>
> If the attacke
On Tue, 2013-05-14 at 18:38 +0300, Vasiliy Khomenko wrote:
> An attacker can put a binary in /usr/local/bin, for example. On Ubuntu that
> path is located before /usr/bin.

If the attacker has write access to /usr/local/bin, it's already game
over; I don't see what we can do to nova that can mitigate someth
An attacker can put a binary in /usr/local/bin, for example. On Ubuntu that
path is located before /usr/bin.
We could create some templates with absolute paths to binaries for each
distro (deb-based, rhel-based) and auto-detect them.

On Tue, May 14, 2013 at 3:36 PM, Victor Lowther wrote:
> Err, sounds l
I think it will become more fragile because (despite over a decade of
trying to standardize these things), not all the distros put their binaries
in the same places -- for example, I have seen brctl live in /sbin,
/usr/sbin, and /usr/bin. It is much easier to sanity-check (or allow for
customizatio
On 14/05/13 12:02, Stanislav Pugachev wrote:
> Hi,
> I've added a blueprint
> https://blueprints.launchpad.net/hacking/+spec/absolute-paths-of-os-binaries
> Please, take a look and let's discuss it if it makes sense.
> Thank you
> Stas.

Am I correct in thinking that, if the attacker is able to modify $PATH
Why do you think the code will become more fragile? It will be better defended.
How will $PATH checking help if someone changes the binary?
And it is not so much work to do here.

On Tue, May 14, 2013 at 3:36 PM, Victor Lowther wrote:
> Err, sounds like a lot of work to make the code more fragile.
Err, sounds like a lot of work to make the code more fragile. If you want
to be paranoid about launching the right command, do it by sanity-checking
$PATH, not by hardcoding the path of all the executables you call.

On Tue, May 14, 2013 at 5:56 AM, Stanislav Pugachev <spugac...@griddynamics.com> wrote:
> Hi,
> I've added a blueprint
> https://blueprints.launchpad.net/hacking/+spec/absolute-paths-of-os-binaries
> Please, take a look and let's discuss it if it makes sense.
> Thank you
> Stas.
___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@
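Victor's suggestion to sanity-check $PATH rather than hardcode every executable, worked through as an added example. This is illustrative code written for this page, not code from nova or from anyone in the thread. The trusted-directory list, the function names, and the constructed temp-directory scenario (a world-writable usr/local/bin ahead of usr/bin, each holding a brctl) are assumptions for the example; on a real host you would keep require_root_owner enabled and pass the distro's actual system directories.

```python
import os
import shutil
import stat
import tempfile

# Directories a hardened lookup may search (assumption for this example).
TRUSTED_DIRS = ("/usr/sbin", "/usr/bin", "/sbin", "/bin")
_EXEC_BITS = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH
_WRITE_BITS = stat.S_IWGRP | stat.S_IWOTH


def path_entry_problems(entry, trusted_dirs=TRUSTED_DIRS, require_root_owner=True):
    """Reasons one PATH element must not be searched; an empty list means OK.
    A directory writable by non-root (or not a known system directory) that
    sits ahead of /usr/bin lets a same-named file shadow the real binary."""
    if entry == "":
        return ["empty element means the current directory"]
    if not os.path.isabs(entry):
        return ["%r is relative and resolves against the cwd" % entry]
    entry = os.path.normpath(entry)
    problems = []
    if entry not in trusted_dirs:
        problems.append("%s is not an allowed system directory" % entry)
    try:
        st = os.stat(entry)
    except OSError as exc:
        return problems + ["%s: %s" % (entry, exc.strerror)]
    if not stat.S_ISDIR(st.st_mode):
        problems.append("%s is not a directory" % entry)
    if require_root_owner and st.st_uid != 0:
        problems.append("%s is owned by uid %d, not root" % (entry, st.st_uid))
    if st.st_mode & _WRITE_BITS:
        problems.append("%s is group- or world-writable (mode %04o)"
                        % (entry, stat.S_IMODE(st.st_mode)))
    return problems


def sanitize_path(path_value, trusted_dirs=TRUSTED_DIRS, require_root_owner=True):
    """Split a PATH string into (kept, rejected); rejected maps entry -> reasons."""
    kept, rejected = [], {}
    for entry in path_value.split(os.pathsep):
        reasons = path_entry_problems(entry, trusted_dirs, require_root_owner)
        if reasons:
            rejected[entry] = reasons
        else:
            kept.append(os.path.normpath(entry))
    return kept, rejected


def _is_executable_file(candidate):
    try:
        st = os.stat(candidate)
    except OSError:
        return False
    return stat.S_ISREG(st.st_mode) and bool(st.st_mode & _EXEC_BITS)


def naive_lookup(name, path_value):
    """What a shell, or subprocess given a bare name, does: first hit wins."""
    for directory in path_value.split(os.pathsep):
        candidate = os.path.join(directory or ".", name)
        if _is_executable_file(candidate):
            return candidate
    return None


def resolve_binary(name, path_value, trusted_dirs=TRUSTED_DIRS, require_root_owner=True):
    """Locate a bare command name in the sanitized PATH only; None if absent.
    Names with a path separator are refused so '../x' or '/tmp/x' cannot bypass it."""
    if not name or os.sep in name or name in (".", ".."):
        raise ValueError("bare command name expected, got %r" % name)
    kept, _ = sanitize_path(path_value, trusted_dirs, require_root_owner)
    for directory in kept:
        candidate = os.path.join(directory, name)
        if _is_executable_file(candidate):
            return candidate
    return None


def demo():
    """Constructed scenario, not a real host: world-writable usr/local/bin ahead
    of usr/bin, each holding a 'brctl'. Returns both lookups' picks and the
    rejection reasons. require_root_owner is off only because the temp tree
    is not root-owned."""
    root = tempfile.mkdtemp(prefix="pathcheck-")
    trusted = os.path.join(root, "usr", "bin")
    local = os.path.join(root, "usr", "local", "bin")
    for directory, mode in ((trusted, 0o755), (local, 0o777)):
        os.makedirs(directory)
        os.chmod(directory, mode)
        target = os.path.join(directory, "brctl")
        with open(target, "w") as fh:
            fh.write("#!/bin/sh\necho %s\n" % directory)
        os.chmod(target, 0o755)
    path_value = os.pathsep.join([local, trusted])  # Ubuntu-style ordering
    result = {
        "naive": naive_lookup("brctl", path_value),
        "hardened": resolve_binary("brctl", path_value, (trusted,), False),
        "rejected": sanitize_path(path_value, (trusted,), False)[1],
        "trusted_bin": os.path.join(trusted, "brctl"),
        "local_bin": os.path.join(local, "brctl"),
        "local_dir": local,
    }
    shutil.rmtree(root)
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-12s %s" % (key, value))
```

The naive lookup returns the brctl from the writable directory, which is the shadowing Vasiliy describes; the hardened lookup drops that directory, reports why, and returns the copy under the trusted directory. This is the $PATH check Victor proposes, and no more: as Kevin notes in the thread, it does nothing against an attacker who can already write into a system directory and replace the binary itself.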