[Bug 1823979] [NEW] Replace use of chown in maintainer scripts

Mathieu Trudel-Lapierre mathieu.tl at gmail.com
Tue Apr 9 14:51:26 UTC 2019


Public bug reported:

From Seth's security review:

TL;dr: please see if we could replace the use of chown -R with something
else.

"""
I reviewed heat-dashboard version 1.4.0-0ubuntu1 as checked into cosmic.
This shouldn't be considered a full audit but rather a quick gauge of
maintainability.

heat-dashboard is a web interface to the heat openstack orchestration
tool, which can help spin up repeatable instances of guests and networks.

- No CVEs in our database
- Huge list of build-depends, long enough I'll skip pasting it here
- pre/post inst/rm scripts mostly automatically added, but there is a
  section to "compress the JS and CSS"[1] that also uses a recursive
  chown. This is dangerous on many kernels.
- No init scripts
- No systemd units
- No dbus services
- No setuid
- No binaries in PATH
- No sudo fragments
- No udev rules
- There are some tests but I didn't see their results in the logs
- No cron jobs
- lintian failure in the build logs[2]

- No processes spawned
- No file IO
- Minimal logging, looked fine
- No environment use
- No privileged functions
- Random numbers are generated in Javascript for some reason; using safe
  sources before falling back to unsafe sources
- OpenStack settings OPENSTACK_SSL_NO_VERIFY and OPENSTACK_SSL_CACERT can
  configure TLS verification and trust root
- No temp files
- Extensive networking via django; a handful of inspected methods looked
  properly defensive
- No WebKit
- No PolicyKit

I also found and reported a potential problem with incorrectly escaped
URLs: https://storyboard.openstack.org/#!/story/2004454
I can't tell if this would break anything important or not.

Security team ACK for promoting heat-dashboard to main. I'd like to see
the chown -R removed but don't know what to suggest in its place.

Thanks

[1]: Note especially the 'chown -R' command; on kernels that follow
hardlinks from one uid to another, this can allow horizon to gain
ownership of any other files on the filesystem.

if [ "$1" = "configure" ] ; then
 # Compress the JS and CSS with python-compressor and python-lesscpy
 python /usr/share/openstack-dashboard/manage.py collectstatic --clear --noinput
 python /usr/share/openstack-dashboard/manage.py compress --force
 if [ -f '/var/lib/openstack-dashboard/secret-key/.secret_key_store' ]; then
  rm -f /var/lib/openstack-dashboard/secret-key/.secret_key_store
 fi
 if [ -d /var/lib/openstack-dashboard ]; then
  chown -R horizon:horizon /var/lib/openstack-dashboard
 fi
fi
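An added example, not part of the bug report or of the heat-dashboard packaging, of what a maintainer script can do instead of `chown -R`: the recursive chown hands ownership to whatever is reachable below the directory, including hard links and symlinks that a horizon-owned process could have placed there, so the replacement walks the tree itself and only re-owns directories and singly-linked regular files, staying on one filesystem and never dereferencing symlinks. Everything it refuses to touch is listed so the caller can inspect it. The function names, the `OWNER:GROUP DIR` parameters and the directory layout in the self-test are assumptions made for this example; `/proc/sys/fs/protected_hardlinks` is the real kernel knob behind the review's "kernels that follow hardlinks from one uid to another".

```shell
#!/bin/sh
# Added example (not from the bug report or the heat-dashboard package).
# Replacement for "chown -R OWNER:GROUP DIR" in a postinst that does not
# follow symlinks and does not re-own files that are hard-linked from
# elsewhere. Function names and parameters are hypothetical.
set -eu

# hardlink_protection_enabled
# Returns 0 when the running kernel refuses cross-uid hard links
# (fs.protected_hardlinks=1), 1 otherwise or when the knob is absent.
hardlink_protection_enabled() {
    if [ -r /proc/sys/fs/protected_hardlinks ] &&
       [ "$(cat /proc/sys/fs/protected_hardlinks)" = "1" ]; then
        return 0
    fi
    return 1
}

# safe_chown_tree OWNER:GROUP DIR
# Re-owns DIR, the directories below it and regular files with exactly one
# link, without crossing filesystem boundaries (-xdev) and without following
# symlinks (chown -h). Symlinks, multiply-linked regular files and special
# files are left alone and printed as "skipped: PATH".
# Returns 0 when nothing was skipped, 1 when something was, 2 on bad input.
safe_chown_tree() {
    owner="$1"
    dir="$2"
    if [ ! -d "$dir" ]; then
        echo "safe_chown_tree: $dir is not a directory" >&2
        return 2
    fi

    # A hard link to a file that lives outside the tree has a link count of
    # at least 2, so "-links 1" excludes it; "-type f" excludes symlinks.
    find "$dir" -xdev \( -type d -o \( -type f -links 1 \) \) \
        -exec chown -h "$owner" {} +

    # Everything we deliberately did not re-own, reported for inspection.
    skipped=$(find "$dir" -xdev \
        \( -type l -o \( -type f -links +1 \) \
           -o \( ! -type d ! -type f ! -type l \) \) -print)
    if [ -n "$skipped" ]; then
        printf '%s\n' "$skipped" | sed 's/^/skipped: /'
        return 1
    fi
    return 0
}

# When run as a script: safe-chown.sh OWNER:GROUP DIR
if [ "$#" -eq 2 ]; then
    hardlink_protection_enabled ||
        echo "warning: fs.protected_hardlinks is not enabled on this kernel" >&2
    safe_chown_tree "$1" "$2"
fi
```

Two caveats apply even to this version. There is still a window between the `find` and the `chown` in which the tree can change, so the real fix is to re-own only paths the package itself creates (for example `install -d -o horizon -g horizon /var/lib/openstack-dashboard` when the directory is first made, and a non-recursive `chown` on the secret-key file the script writes) and to rely on `fs.protected_hardlinks=1`, which current distribution kernels enable by default. The listing of skipped entries is also worth acting on: a symlink or foreign hard link inside a state directory that only the package should populate is itself a sign that something is wrong.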

[2]:
E: heat-dashboard source: source-is-missing xstatic/pkg/js_yaml/data/js-yaml.js line length is 846 characters (>512)
E: heat-dashboard source: source-is-missing heat_dashboard/static/dashboard/project/heat_dashboard/template_generator/js/libs/angular-material.js line length is 1539 characters (>512)
W: python-heat-dashboard: priority-extra-is-replaced-by-priority-optional
W: python-heat-dashboard: maintainer-script-should-not-use-recursive-chown-or-chmod postinst:13
W: python3-heat-dashboard: priority-extra-is-replaced-by-priority-optional
W: python3-heat-dashboard: maintainer-script-should-not-use-recursive-chown-or-chmod postinst:13
W: heat-dashboard-common: priority-extra-is-replaced-by-priority-optional
E: heat-dashboard-common: python-package-missing-depends-on-python
"""

** Affects: heat-dashboard (Ubuntu)
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to heat-dashboard in Ubuntu.
https://bugs.launchpad.net/bugs/1823979

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/heat-dashboard/+bug/1823979/+subscriptions