[Bug 1854362] Re: [MIR] ceph-iscsi, tcmu, python-configshell-fb, python-rtslib-fb, urwid, targetcli-fb
Chris Coulson
1854362 at bugs.launchpad.net
Tue Aug 11 10:06:02 UTC 2020
I reviewed ceph-iscsi 3.4-0ubuntu2 as checked into focal. This shouldn't
be considered a full audit but rather a quick gauge of maintainability.
ceph-iscsi is a set of tools for managing LIO gateways for Ceph. It
consists of 2 services providing REST APIs - one for obtaining gateway
node statistics and another for providing the gateway API, restoring
gateway state and keeping gateway nodes in sync. Under the hood, it uses
rtslib for configuring the gateway via the LIO interfaces, and Ceph
backstores are implemented in userspace (in tcmu). A command line tool is
provided for managing the gateway nodes, which communicates with the
gateway node's API.
- No CVE history.
- All build-depends in main except for: python3-configshell-fb,
python3-mock, python3-pytest, python3-rtslib-fb. Only
python3-configshell-fb and python3-rtslib-fb are required at runtime
(this MIR).
- Depends on python3-openssl (crypto), python3-requests (HTTP) and
python-flask (werkzeug based web framework).
- Maintainer scripts just contain some debhelper snippets from dh_python3,
dh_installinit and dh_installsystemd.
- Provides 2 services:
  - rbd-target-gw:
    - This is a simple flask app that provides a REST API with 2 endpoints
      on port 9287 (configurable) to obtain gateway statistics.
    - The /metrics endpoint just provides a formatted summary of a bunch of
      properties from configfs (via rtslib).
  - rbd-target-api:
    - This is a flask app that provides a REST API on port 5000
      (configurable) for configuring the gateways and restoring their state.
    - Some of the API is used by gwcli, and some of it is considered
      "internal" for the purposes of synchronizing configuration on gateway
      nodes.
  - Both services run as root.
  - The APIs are publicly available by default, although this is
    configurable.
  - The APIs are exported using HTTP by default. They can be configured to
    use HTTPS.
- Contains 2 systemd units for starting the 2 REST services as part of
multi-user.target. Both run as root, but do specify the
PrivateDevices=yes, ProtectHome=true, ProtectSystem=full,
PrivateTmp=true options.
- No D-Bus services.
- No setuid binaries.
- 3 binaries in PATH: the 2 services (rbd-target-api, rbd-target-gw) and a CLI
tool (gwcli) for managing the Ceph iSCSI gateway.
- No sudo fragments.
- No policykit.
- No udev rules.
- Some limited unit tests that test a few classes in the ceph_iscsi_config
python package. These run as part of the build and all pass. No
autopkgtests.
- No cronjobs.
- Build logs are clean - just some deprecation warnings that seem to come
from pyudev. Only lintian warnings are a couple of
binary-without-manpage warnings for the 2 services.
- Spawns subprocesses using subprocess.check_output.
  - gwcli uses the default shell=False
  - rbd-target-api uses shell=True, but doesn't seem to be using it with
    arguments from untrusted sources.
  - There is a subprocess.check_output helper in ceph_iscsi_config/utils.py
    (shellcommand) that appears to be unused.
- Opens files for reading in a few places using a mixture of hard-coded
  paths and paths specified in the config file
  (/etc/ceph/iscsi-gateway.cfg).
  - One API endpoint (/api/_targetinfo/<target_iqn>) opens a file in
    configfs for reading and returns the contents using a path derived
    from the received target IQN. There is a check that the IQN
    corresponds to a target in the gateway configuration though.
  - It's not reading from untrusted files (just /etc and configfs).
- No files opened for writing.
- Plenty of logging using python's logging module. Services log to
syslog at level logging.INFO and a rotating file handler in /var/log at
a custom level (configured in /etc/ceph/iscsi-gateway.cfg) which
defaults to logging.DEBUG.
- The default log level for gwcli seems to be logging.DEBUG, and it
appears to log to ~/gwcli.log by default. I'm suspicious that it is
logging passwords in a couple of places (gwcli/client.py:Client.set_auth
and gwcli/gateway.py:Target.ui_command_auth).
- Only use of environment is by gwcli to read PATH in order to determine
if the ceph binary exists.
- No evidence of privileged operations.
- Makes use of python-cryptography using the default backend (openssl?)
for encrypting target passwords with RSA-OAEP using SHA-256 hashing
(see class CHAP in ceph_iscsi_config/client.py).
- No tempfile usage.
- Uses python-flask for providing 2 REST APIs.
  - Internal exceptions are caught by flask and result in a generic 500
    response without exposing debug information by default.
  - All APIs that accept arguments require authentication as the gateway
    API user.
  - No paths are provided as arguments, although arguments are used to
    derive configfs paths in some API endpoints.
    - ceph_iscsi_config/target.py:GWTarget._exists tests if a configfs path
      exists and derives the path from an argument that looks like it can be
      provided via the /api/_targetauth/<target_iqn> endpoint. This may be
      susceptible to path traversal, despite the argument being sanitized
      via rtslib_fb.utils.normalize_wwn (as the regexp there won't reject
      an IQN that might start with a valid name but then contain other path
      components, such as "iqn.0123-12.foo.bar/../../../../../.."). However,
      I don't think there's a way to actually leak information here as the
      particular API endpoint always returns success and the lack of
      presence of a path doesn't appear to trigger any exceptions. Still,
      this could be a bit more defensive.
- No webkit.
- All gateway REST API endpoints other than /api require authentication
  as the gateway API user using HTTP basic auth. The username and
  password are specified in the gateway configuration file
  (/etc/ceph/iscsi-gateway.cfg).
  - Note that the password for the gateway API user is stored in plaintext.
    Is there a reason not to salt and hash this?
  - Some API endpoints also use source IP filtering on top of the basic
    auth.
Security team ACK for promoting ceph-iscsi to main, although I'd like
someone to confirm or not whether gwcli is writing passwords to a logfile
and get that fixed if it is. (I don't have a setup in which I was able to
test this).
** Changed in: ceph-iscsi (Ubuntu)
Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)
--
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to python-rtslib-fb in Ubuntu.
https://bugs.launchpad.net/bugs/1854362
Title:
[MIR] ceph-iscsi, tcmu, python-configshell-fb, python-rtslib-fb,
urwid, targetcli-fb
Status in ceph-iscsi package in Ubuntu:
Confirmed
Status in python-configshell-fb package in Ubuntu:
Fix Released
Status in python-rtslib-fb package in Ubuntu:
Fix Released
Status in targetcli-fb package in Ubuntu:
Fix Released
Status in tcmu package in Ubuntu:
In Progress
Status in urwid package in Ubuntu:
Fix Released
Bug description:
== ceph-iscsi ==
[Availability]
In universe
[Rationale]
Provides iSCSI gateway to a Ceph cluster, allowing clients which don't understand RBD to use Ceph storage.
[Security]
No security history found.
[Quality assurance]
Package runs tests during package build (submitted back to Debian).
[Dependencies]
All in main or on this MIR
[Standards compliance]
OK
[Maintenance]
ubuntu-openstack
== tcmu ==
[Availability]
In universe
[Rationale]
Dependency for ceph-iscsi
Handles the userspace side of the LIO TCM-User backstore allowing LIO
to use librbd for Ceph backed block devices.
[Security]
Some security history:
https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=tcmu
All in older versions.
[Quality assurance]
No tests in source package for execution during package build.
[Dependencies]
All in main or on this MIR
[Standards compliance]
OK
[Maintenance]
ubuntu-openstack
== python-configshell-fb ==
[Availability]
In universe
[Rationale]
Dependency for ceph-iscsi
[Security]
No security history
[Quality assurance]
No tests in source package for execution during package build.
[Dependencies]
All in main or on this MIR
[Standards compliance]
OK
[Maintenance]
ubuntu-openstack
== python-rtslib-fb ==
[Availability]
In universe
[Rationale]
Dependency for ceph-iscsi
[Security]
No security history
[Quality assurance]
No tests in source package for execution during package build.
[Dependencies]
All in main or on this MIR
[Standards compliance]
OK
[Maintenance]
ubuntu-openstack
== urwid ==
[Availability]
In universe
[Rationale]
Dependency for python-configshell-fb
[Security]
No security history
[Quality assurance]
Tests present and executed during package build.
[Dependencies]
All in main or on this MIR
[Standards compliance]
OK
[Maintenance]
ubuntu-openstack
== targetcli-fb ==
[Availability]
In universe
[Rationale]
- Only CLI for iSCSI target feature in Linux Kernel
- Replaces with much better performance tgt iSCSI target
- tgt is being deprecated slowly and poorly updated
- LIO fully supports SCSI 3 reservations (for clustering)
[Security]
No security history
[Quality assurance]
Tests present and executed during package build.
[Dependencies]
- python3-configshell-fb (this MIR)
- python3-gi (main)
- python3-rtslib-fb (this MIR)
- python3-six (main)
[Standards compliance]
OK
[Maintenance]
ubuntu-server
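
The review's remark that GWTarget._exists "could be a bit more defensive" can be illustrated with the sketch below. It is an added example, not code from ceph-iscsi or rtslib-fb: `LOOSE_IQN` is a constructed stand-in for a prefix-only check, and the configfs base path, `STRICT_IQN` and the function names are assumptions.

```python
import os
import re

# Base directory for iSCSI targets in configfs (assumed for this sketch).
CONFIGFS_ISCSI = "/sys/kernel/config/target/iscsi"

# Stand-in for a prefix-only IQN check: re.match() anchors the start but not
# the end, so anything may follow a valid-looking prefix. Not rtslib-fb's code.
LOOSE_IQN = re.compile(r"iqn\.[0-9]{4}-[0-1][0-9]\..*\..*")

# Whole-string check limited to lowercase letters, digits, '.', '-' and ':'.
STRICT_IQN = re.compile(
    r"iqn\.[0-9]{4}-(0[1-9]|1[0-2])\.[a-z0-9][a-z0-9.\-]*(:[a-z0-9.:\-]+)?"
)

# The IQN quoted in the review.
TRAVERSAL = "iqn.0123-12.foo.bar/../../../../../.."


def loose_accepts(iqn):
    """True when the prefix-only pattern lets the name through."""
    return LOOSE_IQN.match(iqn) is not None


def naive_path(iqn, base=CONFIGFS_ISCSI):
    """Join without checking: shows where the unchecked name resolves."""
    return os.path.normpath(os.path.join(base, iqn))


def target_path(iqn, base=CONFIGFS_ISCSI):
    """Return the configfs directory for iqn, or raise ValueError."""
    if len(iqn) > 223 or not STRICT_IQN.fullmatch(iqn):
        raise ValueError("not a well-formed IQN: %r" % iqn)
    path = os.path.normpath(os.path.join(base, iqn))
    # Defence in depth: the result must be a direct child of base.
    if os.path.dirname(path) != base:
        raise ValueError("IQN escapes %s: %r" % (base, iqn))
    return path


if __name__ == "__main__":
    print(loose_accepts(TRAVERSAL), naive_path(TRAVERSAL))
    print(target_path("iqn.2003-01.com.example.gw:iscsi-igw"))
```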
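
The review's open question about passwords reaching a DEBUG log file can be addressed at the handler with a redaction filter, as in the sketch below. It is an added example, not gwcli code: the key names, the logger name and the two log messages are constructed, since the review does not show the real message formats.

```python
import logging
import re

# Assumed key names; adjust to the fields the application really logs.
_SECRET = re.compile(
    r"""(\w*(?:password|secret)\w*)(["']?\s*[=:]\s*)("[^"]*"|'[^']*'|[^\s,&}]+)""",
    re.IGNORECASE,
)


def redact(text):
    """Replace the value after any password/secret key with a marker."""
    return _SECRET.sub(r"\1\2<redacted>", text)


class RedactSecrets(logging.Filter):
    """Render the message first so secrets passed as %-args are caught too."""

    def filter(self, record):
        record.msg = redact(record.getMessage())
        record.args = None
        return True


class ListHandler(logging.Handler):
    """Collects formatted lines in memory in place of a log file."""

    def __init__(self):
        super().__init__(level=logging.DEBUG)
        self.lines = []

    def emit(self, record):
        self.lines.append(self.format(record))


def demo():
    handler = ListHandler()
    # On the handler, the filter also covers records from child loggers.
    handler.addFilter(RedactSecrets())
    log = logging.getLogger("gwcli-redaction-demo")
    log.setLevel(logging.DEBUG)
    log.propagate = False
    log.handlers = [handler]
    # Constructed messages in two common shapes: key=value and a dict repr.
    log.debug("auth username=%s password=%s mutual_password=%s",
              "myiscsiuser", "constructed-pw-1", "constructed-pw-2")
    log.debug("api vars: %s",
              {"username": "myiscsiuser", "password": "constructed-pw-1"})
    return handler.lines
```

Redaction at the handler is a backstop; removing the secret from the logging call itself remains the actual fix.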