I reviewed gce-compute-image-packages version 20180129+dfsg1-0ubuntu3 as
checked into bionic. This is not a full security audit but rather a quick
gauge of maintainability.

I didn't see any CVEs in our database.

- gce-compute-image-packages provides utilities and integration useful on
  Google's cloud hosting platform, including new account creation,
  centralized account management, granting blanket sudo rules, ssh keys,
  and a variety of other configuration tools.

- Build-Depends: cmake, debhelper, dh-python, dh-systemd,
  libcurl4-openssl-dev, libgtest-dev, libjson-c-dev, libpam-dev,
  python-all, python-setuptools, python3-all, python3-setuptools,
  python-pytest, python3-pytest, python-mock, python-boto, python3-boto

- Several daemons are started via systemd and do not themselves daemonize

- pre/post inst/rm scripts are automatically generated code, except for a
  piece that will stop services before removing them

- No initscripts; systemd unit files to start:
  - accounts daemon
  - clock skew daemon
  - instance setup
  - ip forwarding daemon
  - network setup
  - shutdown scripts
  - startup scripts
- No dbus services
- No setuid
- Adds several binaries to PATH:
  - google_accounts_daemon
  - google_clock_skew_daemon
  - google_instance_setup
  - google_ip_forwarding_daemon
  - google_metadata_script_runner
  - google_network_setup
  - optimize_local_ssd
  - set_multiqueue
  - google_authorized_keys
  - google_oslogin_control
- No sudo fragments in the static packaging -- adds new sudo entries at
  runtime, however
- udev rules to add some device nodes, permissions, set storage parameters
- Small-ish test suite run during the build; this is a hard thing to test
  in isolation, but hopefully this is helpful

- Some subprocesses are spawned via string-based execution tools,
  sometimes relying only on the authentication server's checks of username
  validity to ensure shell metacharacters aren't included in inputs.
  Ideally these would check for shell metacharacters directly.

- memory management looked careful
- Files are written to -- including sudoers files -- and if the umask of
  the process isn't correct, it might allow a race condition for local
  attacks.
- No environment variable use
- Privileged functions looked careful, with exception of writing sudoers
  files
- No cryptography
- No privileged portions of code
- No temporary files
- Does not use WebKit
- Does not use PolicyKit
- Clean cppcheck

- pam_sm_acct_mgmt() functions rely upon the correct behaviour of a remote
  web service to prevent local security problems with usernames that
  include e.g. ../../.. substrings.
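The two concerns above (shell metacharacters reaching string-based subprocess
calls, and path fragments such as `../../..` in usernames) share one local
fix: validate the name against a conservative charset before it is used for
anything, and hand it to child processes as a single argv entry rather than
through a shell. The following is an added example, not code from
gce-compute-image-packages; `add_user_safely` and the `/usr/sbin/useradd`
invocation are hypothetical, and the charset is deliberately narrower than
what `useradd` itself accepts.

```cpp
// Added example (not from gce-compute-image-packages): reject unsafe
// usernames locally instead of trusting the remote service, then spawn
// helpers without a shell so no metacharacter is ever interpreted.
#include <cerrno>
#include <string>
#include <vector>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

// Conservative charset based on the POSIX portable user name rules:
// [a-z_][a-z0-9_-]*, at most 32 characters. This rejects '/', '.',
// whitespace and every shell metacharacter, so "../../.." and "$(...)"
// style inputs never pass, whatever the authentication server said.
bool is_safe_username(const std::string& name) {
    if (name.empty() || name.size() > 32) return false;
    auto lower_alpha = [](char c) { return c >= 'a' && c <= 'z'; };
    auto digit = [](char c) { return c >= '0' && c <= '9'; };
    if (!lower_alpha(name[0]) && name[0] != '_') return false;
    for (char c : name) {
        if (!lower_alpha(c) && !digit(c) && c != '_' && c != '-') return false;
    }
    return true;
}

// Run argv[0] via fork/execvp. No shell is involved, so each element is
// passed to the child verbatim as one argument. Returns the child's exit
// status, or -1 if fork, exec or waitpid fails.
int run_without_shell(const std::vector<std::string>& argv) {
    std::vector<char*> cargv;
    for (const auto& a : argv) cargv.push_back(const_cast<char*>(a.c_str()));
    cargv.push_back(nullptr);
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execvp(cargv[0], cargv.data());
        _exit(127);  // exec failed; report like a shell would
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

// Hypothetical account helper: the name is validated first and then passed
// as its own argv entry, never interpolated into a command string.
int add_user_safely(const std::string& username) {
    if (!is_safe_username(username)) {
        errno = EINVAL;
        return -1;
    }
    return run_without_shell({"/usr/sbin/useradd", "-m", username});
}
```

The validator is the part that matters for the `pam_sm_acct_mgmt()` case:
once a name has passed it, it cannot contain a path separator, so building
`/home/<name>` or a per-user sudoers path from it is safe regardless of what
the web service returned.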

- pam_sm_acct_mgmt() in pam_oslogin_admin.cc creates a sudoers file before
  setting appropriate permissions; if C++ doesn't have a mechanism to
  expose open(2)'s modes, then it would be best to set the umask() to
  something restrictive before this open() call.
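For the sudoers-creation point, open(2) does expose the mode directly from
C++: its third argument is the creation mode, and the kernel applies
`mode & ~umask` atomically at creation, so the file never exists with wider
permissions than intended. The following is an added example, not code from
pam_oslogin_admin.cc; the function name, the path and the sample fragment are
constructed for illustration.

```cpp
// Added example (not from gce-compute-image-packages): create a sudoers
// fragment that is restrictive from the moment it exists, instead of
// creating it with default permissions and tightening them afterwards.
#include <cerrno>
#include <string>
#include <fcntl.h>
#include <sys/stat.h>
#include <unistd.h>

// Write `content` to `path` such that the file is never observable with
// permissions wider than 0440.
//  - umask(077) around the open() covers a permissive inherited umask;
//    with mode 0440 the file is created as 0400.
//  - O_EXCL ensures we created the file ourselves rather than writing into
//    a pre-existing file; O_NOFOLLOW refuses to open through a symlink.
//  - fchmod() on the descriptor (not chmod() on the path) widens the final
//    mode to 0440 without a path lookup that could be redirected.
// Returns 0 on success, -1 with errno set on failure (partial files are
// removed so a half-written fragment is never left behind).
int write_sudoers_fragment(const std::string& path, const std::string& content) {
    mode_t old_umask = umask(077);
    int fd = open(path.c_str(),
                  O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW | O_CLOEXEC, 0440);
    umask(old_umask);
    if (fd < 0) return -1;

    auto fail = [&]() {
        int saved = errno;
        close(fd);
        unlink(path.c_str());
        errno = saved;
        return -1;
    };

    if (fchmod(fd, 0440) < 0) return fail();

    const char* p = content.data();
    size_t left = content.size();
    while (left > 0) {
        ssize_t n = write(fd, p, left);
        if (n < 0) {
            if (errno == EINTR) continue;
            return fail();
        }
        p += n;
        left -= static_cast<size_t>(n);
    }
    if (fsync(fd) < 0) return fail();
    if (close(fd) < 0) {
        unlink(path.c_str());
        return -1;
    }
    return 0;
}

// Permission bits a file actually has on disk, for checking the result.
int file_mode_bits(const std::string& path) {
    struct stat st;
    if (stat(path.c_str(), &st) < 0) return -1;
    return static_cast<int>(st.st_mode & 07777);
}
```

Because of O_EXCL a second call for the same path fails with EEXIST rather
than silently replacing an existing entry; a caller that intends to refresh
a fragment should write a new file and rename(2) it over the old one, which
keeps the same no-wide-window property.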

- Is /lib/libnss_google-compute-engine-oslogin-1.1.4.so the right path for
  libraries?

Security team ACK for promoting gce-compute-image-packages to main.

Thanks

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1763830

Title:
  [MIR] gce-compute-image-packages


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
