Fwd: agent access risks

roger peppe roger.peppe at canonical.com
Thu Feb 6 12:31:00 UTC 2014


On 6 February 2014 09:31, Mike Sam <mikesam460 at gmail.com> wrote:
> I have a hypothetical question. Imagine somehow a hacker gets into one of
> the machines in a juju env. There are credentials on the machine used by the
> machine and unit agents to talk to the state server. Are these credentials
> good enough for the hacker to mess up the state server or access and steal
> things like cloud credentials or even get control of the environment by
> manipulating the state server or get information about anything else in the
> relevant environment? Basically, what is the worst thing that could happen
> if a hacker gets into one machine of an environment?

As of recent development versions of juju, agents that aren't environment
managers talk exclusively through the API, and the set of operations they're
allowed is strictly limited to those that the machine and unit agents actually
need. We take care to exclude provider credentials when appropriate.

So if someone manages to break into a machine that doesn't host an environment
manager, there shouldn't be too much scope for damage.

That depends, of course, on how much power is vested in the relations
with the units on the compromised machine - it's quite possible that
a particular relation attribute might allow compromise of another service
and a potential escalation of privileges.

Severe caveat to the above though: AFAIK no-one has spent much time
seriously trying to compromise a Juju environment, and as with any
system, there may be security holes that we have not considered.

  cheers,
    rog.


