[Bug 1616764] Re: [MIR] python-oslo.privsep

Seth Arnold 1616764 at bugs.launchpad.net
Sat Oct 1 01:01:20 UTC 2016


James and Corey, thanks for the feedback.


I reviewed python-oslo.privsep version 1.13.0-0ubuntu1 as checked into
yakkety; this shouldn't be considered a full security audit.

oslo.privsep tries to provide more granular tools than calling sudo from
openstack scripts, and implements an RPC mechanism using yaml across
a socket to a more privileged execution environment for finer-grained
access.

I did not discover any CVEs in our database.

- Build-Depends: debhelper, dh-python, openstack-pkg-tools
- This package can spawn on-demand daemons needed for the privsep RPC
  mechanism to function; it mostly daemonizes correctly but the umask(0)
  setting feels archaic and prone to fail-open problems.
- pre/post inst/rm scripts clean up after themselves, but a lintian error
  indicates a problem with the update-alternatives tool that ought to be
  fixed
- No initscripts
- No dbus services
- No setuid executables
- python3-privsep-helper and python2-privsep-helper executables in path
- No sudo fragments, but uses sudo internally
- No udev rules
- I didn't inspect the test suite closely; 31 tests are run during the
  build, which feels on the small side, but it's something
- Mostly-clean build logs

- A subprocess is spawned via subprocess.Popen() -- while it passes a
  string, and thus lacks the correctness of an array-based execution, the
  string does appear to be constructed from configuration file contents,
  and is handled with shell=False. It may not be ideal but it's probably
  fine.
- No file IO
- Minimal logging
- Does not itself use environment variables, module imports may
- Uses setuid, setgid, setgroups, prctl to manipulate capabilities
- Uses CFFI and hard-codes capabilities numbers for some caps
- No cryptography
- Uses unix networking sockets
- There are privileged portions of code, reached via a unix domain socket
  from the 'unprivileged' side of the codebase.
- No temporary file handling
- No WebKit
- No javascript
- No policykit

While most of this project was well-developed, I have my concerns about
specific aspects of the system. It is probably still an improvement over
the status quo from before the package's introduction. It doesn't feel
quite ready yet but I understand that removing it would be complicated,
and 16.10 will only be supported for nine months, so if it's a too-large
risk, the consequences are bounded.

We may need the server team's help adapting projects in the event one or
more of these bugs results in necessary changes to clients:

https://bugs.launchpad.net/bugs/1628348
https://bugs.launchpad.net/bugs/1628360
https://bugs.launchpad.net/oslo.privsep/+bug/1628738

Security team ACK for promoting python-oslo.privsep to main.

Thanks


** Changed in: python-oslo.privsep (Ubuntu)
     Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)

-- 
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to python-oslo.privsep in Ubuntu.
https://bugs.launchpad.net/bugs/1616764

Title:
  [MIR] python-oslo.privsep

Status in python-oslo.privsep package in Ubuntu:
  New

Bug description:
  [Availability]
  In universe

  [Rationale]
  New dependency for OpenStack projects

  [Security]
  No security history

  [Quality assurance]
  Package builds py2 and py3 modules, unit tests run for both.

  [Dependencies]
  All in main

  [Standards compliance]
  OK

  [Maintenance]
  ubuntu-openstack

  [Background information]
  This library helps applications perform actions which require more or less privileges than they were started with in a safe, easy to code and easy to use manner. For more information on why this is generally a good idea please read over the principle of least privilege and the specification which created this library. (taken from upstream)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/python-oslo.privsep/+bug/1616764/+subscriptions
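
The fail-open concern about umask(0) raised in the review above, shown as an added example that is not part of the original message and is not oslo.privsep code. It creates a file and a bound unix socket with default modes under a given umask and reports the resulting permission bits; the function names and the file names `state.log` and `rpc.sock` are constructed for illustration.

```python
import os
import socket
import stat
import tempfile


def modes_under_umask(mask):
    """Create a regular file and a bound unix socket with default modes
    under the given umask; return (file_mode, socket_mode)."""
    workdir = tempfile.mkdtemp(prefix="umask-demo-")  # mkdtemp is always 0700
    file_path = os.path.join(workdir, "state.log")    # constructed name
    sock_path = os.path.join(workdir, "rpc.sock")     # constructed name
    old = os.umask(mask)
    try:
        # open() requests 0666; the kernel clears the bits set in the umask.
        with open(file_path, "w") as fh:
            fh.write("constructed sample\n")
        # bind() on a pathname socket requests 0777, again minus the umask.
        srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        try:
            srv.bind(sock_path)
        finally:
            srv.close()
        file_mode = stat.S_IMODE(os.stat(file_path).st_mode)
        sock_mode = stat.S_IMODE(os.stat(sock_path).st_mode)
    finally:
        os.umask(old)  # restore the caller's umask
        for path in (file_path, sock_path):
            if os.path.exists(path):
                os.unlink(path)
        os.rmdir(workdir)
    return file_mode, sock_mode


def world_writable(mode):
    """True when 'other' users hold write permission."""
    return bool(mode & stat.S_IWOTH)


if __name__ == "__main__":
    # Compare a daemon-style umask(0) with a restrictive umask(0o077).
    for mask in (0o000, 0o077):
        f_mode, s_mode = modes_under_umask(mask)
        print("umask %03o: file %03o (world-writable=%s), socket %03o "
              "(world-writable=%s)" % (mask, f_mode, world_writable(f_mode),
                                       s_mode, world_writable(s_mode)))
```

With umask(0), every creation call that omits an explicit mode produces a world-writable object, so safety depends on each call site being correct; with a restrictive umask the same omission yields owner-only access.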


