I reviewed zsys 0.3.3 as checked into focal. This shouldn't be
considered a full audit but rather a quick gauge of maintainability.
Unfortunately, the Ubuntu Security Team's tools are not well-developed
when it comes to auditing golang projects, complicating the audit.
zsys is a tool enhancing ZFS on linux, making it possible to
run multiple ZFS setups on the same host. It has a client/server
architecture, using grpc/protobuf over a unix domain socket to
communicate. Policykit is used to mediate access to the server
functions.
- No CVE History
- Build-Depends: golang, zfs, grub, and dbus
- No pre/post inst/rm scripts.
- There are three systemd units:
- zsys-commit: for marking zsys boot as successful
- zsysd.socket/zsysd.service: service to start/run zsysd
- No dbus services
- No setuid binaries
- binaries in PATH?
- zsysctl, zsysd
- No sudo fragments
- No udev rules
- Polkit rules:
- requires admin privs for most operations, user level stuff and
querying does not
- Has a good amount of unit tests, autopkgtests
- No cron jobs.
- No warnings/errors in buildlog
- Most processes spawned are during build time; run time uses are to run
update-grub, and via vendored dbus code (used by the polkit bits) to
start a dbus session bus. Go intentionally does not invoke system
shells to interpret commands.
- Limited File IO, appears to be safe.
- Logging is okay.
- Environment variable use is okay.
- Use of privileged functions?
- Only Use of cryptography / random number sources appears to be sha1
for use in polkit/dbus communication.
- Safe Use of temp files.
- Networking code is okay.
- zsysd uses polkit to authenticate clients communicating with the
daemon. Use looks okay.
Additionally, the gosec tool (https://github.com/securego/gosec)
was used to look for issues. It found nothing of significance for
zsys itself (a few unhandled errors). For the vendored code, the
vast majority of things it found were unsafe.* calls that ought to
be audited, and unhandled errors.
While the zsys implementation is reasonably sized, there is
unfortunately a fair amount of vendored code in the tree, including
subsets of dbus and systemd modules.
Security team ACK for promoting zsys to main.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1839271
Title:
[MIR] zsys
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/zsys/+bug/1839271/+subscriptions
--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
