I reviewed google-guest-agent 20200617.00-0ubuntu3 as checked into groovy.
This shouldn't be considered a full audit but rather a quick gauge of
maintainability.
google-guest-agent provides the google_guest_agent and
google_metadata_script_runner binaries and associated systemd services
etc. google_guest_agent runs on each boot and watches the internal Google
Cloud metadata API for changes and updates the machine's sshd, users,
groups, sudo and PAM configuration to allow the users listed via the
metadata API to login etc. google_metadata_script_runner is designed to run
on each boot and run arbitrary scripts as specified by the metadata API.
- No CVE history
- There are only autogenerated pre/post inst/rm scripts
- No init scripts
- systemd units
  - Uses separate one-shot units to start and stop the metadata script
    runner
  - Single simple service unit for google_guest_agent
- No dbus services
- No setuid binaries
- Binaries in PATH
  - rwxr-xr-x root/root 11419336 2020-08-26 03:11 ./usr/bin/google_guest_agent
  - rwxr-xr-x root/root 12321672 2020-08-26 03:11 ./usr/bin/google_metadata_script_runner
- No sudo fragments
- No polkit files
- No udev rules
- No autopkgtests
- Unit tests run during build
- No cron jobs
- Build logs:
  - Lintian warnings:
    - missing man pages for the two binaries
    - neither binary is compiled as PIE
- Processes spawned
  - Processes are spawned frequently for adding / removing users, modifying
    the routing table, adding interface addresses and other functions.
    These take input from the configuration files, so if a user could
    modify the configuration file they could get root command execution.
- Memory management
  - This is golang so memory management is careful
- File IO
  - Uses hard-coded paths for configuration files and parsing /etc/passwd
    or sudoers files etc.
- Logging is careful
- No environment variable usage
- No use of privileged functions
- No use of cryptography / random number sources etc.
- Use of temp files
  - google_metadata_script_runner uses a temporary directory to download
    script files into and run them, created via the ioutil.TempDir()
    standard library function, which is safe.
- Use of networking
  - Parses metadata API as JSON
- No use of WebKit
- No use of PolicyKit
- No significant cppcheck results
- No significant Coverity results
  - False positive URL_MANIPULATION on use of etag from the metadata API
    possibly tainting future calls to the metadata API (this is the whole
    point of etag), plus we trust the metadata API anyway
  - Irrelevant RISKY_CRYPTO warning about Windows account handling code's
    use of SHA1
- No significant shellcheck results
- No significant bandit results
The nature of this package (a root daemon that is used to manage remote
login capabilities and run random scripts etc.) means it is a sensitive and
privileged component; however, since it only seems to interact with the
trusted metadata service (and nothing else) via the .internal URL, this
seems safe. In general the code looks reasonably defensive; however, the use
of many vendored golang dependencies may make tracking of possible relevant
vulnerabilities a bit trickier.
Security team ACK for promoting google-guest-agent to main (would be good
to perhaps see some man pages added though for the two binaries).
** Tags added: security-review-done
--
https://bugs.launchpad.net/bugs/1891929
Title:
[MIR] google-guest-agent
--
ubuntu-bugs mailing list
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
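Two of the binary-level findings in the review above ("No setuid binaries" and the Lintian note that neither binary is compiled as PIE) can be reproduced with nothing but POSIX tools. The script below is an added example, not part of the MIR report or of the google-guest-agent project; the file paths are whatever the caller passes in, and the ELF headers it builds for itself are constructed test data, not the packaged binaries.

```sh
#!/bin/sh
# Added example (not from the MIR report or the google-guest-agent project):
# two of the binary-level checks a package reviewer runs over installed
# files, done with POSIX tools only (od, test, printf).

# elf_type prints the ELF e_type of a file: EXEC (fixed load address, i.e.
# not PIE), DYN (PIE executable or shared object), OTHER for relocatable or
# core objects, or NOT_ELF when the magic bytes are missing. It always
# returns 0 so it is safe to use inside command substitutions.
elf_type() {
    f=$1
    magic=$(od -An -tx1 -N4 "$f" 2>/dev/null | tr -d ' \n')
    if [ "$magic" != "7f454c46" ]; then
        echo NOT_ELF
        return 0
    fi
    # EI_DATA (offset 5): 1 = little-endian, 2 = big-endian.
    ei_data=$(od -An -tu1 -j5 -N1 "$f" | tr -d ' \n')
    # e_type is the 2-byte field at offset 16; read the two bytes and
    # combine them in the file's own byte order rather than the host's.
    set -- $(od -An -tu1 -j16 -N2 "$f")
    if [ "$ei_data" = 2 ]; then
        t=$(( $1 * 256 + $2 ))
    else
        t=$(( $1 + $2 * 256 ))
    fi
    case "$t" in
        2) echo EXEC ;;
        3) echo DYN ;;
        *) echo OTHER ;;
    esac
}

# is_setuid prints yes/no according to the file's setuid bit (test -u).
is_setuid() {
    if [ -u "$1" ]; then echo yes; else echo no; fi
}

# check_binary combines both checks into one line per file, the shape a
# reviewer would paste into a report.
check_binary() {
    echo "$1: type=$(elf_type "$1") setuid=$(is_setuid "$1")"
}

# make_fake_elf writes a constructed 18-byte ELF64 little-endian header
# (magic, class, data, version, padding, e_type) so the checks can be
# exercised offline without a compiler. $2 is the e_type value to store.
make_fake_elf() {
    printf '\177ELF\002\001\001\000\000\000\000\000\000\000\000\000' > "$1"
    printf "\\$(printf '%03o' "$2")\\000" >> "$1"
}

# Usage against a package's installed files, for example:
#   for b in /usr/bin/google_guest_agent /usr/bin/google_metadata_script_runner; do
#       check_binary "$b"
#   done
# A PIE build reports type=DYN; the review's "not compiled as PIE" finding
# corresponds to type=EXEC.
```

Reading `e_type` directly rather than shelling out to `readelf` or `file` keeps the check usable on minimal images where binutils is absent, and honouring `EI_DATA` means the result is correct for big-endian objects inspected from a little-endian host.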