[Bug 1854362] Re: [MIR] ceph-iscsi, tcmu, python-configshell-fb, python-rtslib-fb, urwid, targetcli-fb

Alex Murray alex.murray at canonical.com
Mon Mar 23 05:21:21 UTC 2020


I reviewed targetcli-fb 1:2.1.51-0ubuntu1 as checked into focal.  This
shouldn't be considered a full audit but rather a quick gauge of
maintainability.

targetcli-fb is a python package for configuring and managing the LIO
(Linux IO) generic SCSI target.

- CVE History:
  - None
- Build-Depends
  - No security sensitive build-depends:
    - debhelper, dh-python, python3-all, python3-configshell-fb,
      python3-gi, python3-rtslib-fb, python3-setuptools, python3-six
- pre/post inst/rm scripts
  - only auto-generated ones from dh_python3/dh_installsystemd
- No init scripts
- 1 systemd unit for the targetclid daemon
- No dbus services
- No setuid binaries
- binaries in PATH
  - /usr/bin/targetcli
  - /usr/bin/targetclid
- No sudo fragments
- No polkit files
- No udev rules
- No autopkgtests or unit tests
  - This makes it very difficult for the security team to ensure any
    possible security updates do not introduce regressions
- No cron jobs
- Build logs:
  - No significant errors / warnings

- No processes spawned
- Memory management is python
- File IO
  - /var/run/targetclid.sock is world-writable (0o666) so anyone can
    connect to it and there is no authentication done on the user who is
    interacting with targetclid via this socket - as such an unprivileged
    user can connect to it and send commands to targetclid which will
    execute them with no privilege checks. This is likely a security
    vulnerability. The permissions on this socket path should be explicitly
    set so that this is only writable by owner/group and not others,
    ie. 660 rather than the current 666. Since this is generally created by
    systemd, adding SocketMode=0660 to the targetclid.socket systemd unit
    should be sufficient. This has been reported upstream at
    https://github.com/open-iscsi/targetcli-fb/issues/162
  - targetclid uses the hardcoded file-path /tmp/data.txt for handling
    interaction with clients - this is a potential security vulnerability
    since if a client creates a symlink at /tmp/data.txt to some root owned
    file, targetclid would write its own data to that target file - I
    notice this has already been fixed upstream via
    https://github.com/open-iscsi/targetcli-fb/pull/156 /
    https://github.com/open-iscsi/targetcli-fb/commit/23877ab4afbf0c2fe4092936261d92d7b7fbff11
    and so this should be patched to avoid any possible security issue as a
    result
  - Also uses hard-coded path to /var/run/targetclid.pid
  - Uses the config file ~/.targetcli
  - saveconfig command allows specifying any resulting filename so can be
    used to overwrite arbitrary files on the system - as such there should
    probably be stricter checks on the target filename OR that targetcli
    can only ever be run as a regular user (the current location of the )
  - restoreconfig command will read from any specified config file without
    checking ownership etc so again any client to targetclid should be
    considered trusted
- Logging
  - Is via ConfigShell (from python-configshell-fb) and looks fine
- Environment variable usage
  - targetclid uses TARGETCLI_HOME to override path of ~/.targetcli and
    LISTEN_PID to support systemd-based socket activation - since the
    targetcli client first tries to create the lock file when launched, and
    this is only writable by root hence targetcli must be run as root
    anyway so this can't really be abused

- No use of privileged functions
- No use of cryptography / random number sources etc
- Use of temp files
  - See above comment about /tmp/data.txt - this should be resolved before
    being promoted to main
- No use of networking
- No use of WebKit
- No use of PolicyKit

- No significant cppcheck results
- Unknown if any significant Coverity results (waiting on Coverity license
  renewal)
- No significant shellcheck results
- No significant bandit results

As mentioned above, SocketMode should likely be specified in the systemd
socket unit (waiting on upstream to respond to the bug report). Also the
targetcli client checks whether it is running as root and if not
potentially disables some commands - this is not sufficient to stop
targetclid running privileged commands on behalf of a client - instead,
targetclid should check the rights of a client via `SCM_CREDENTIALS` so
that it cannot be tricked into performing operations on behalf of an
unprivileged user - reported upstream as
https://github.com/open-iscsi/targetcli-fb/issues/163

Security team NACK for promoting targetcli-fb to main for now due to these
two potential security issues. If at least the socket permissions can be
fixed this should mitigate the impact of the second issue (permission check
in the client) - however, ideally the daemon would be stricter on checking
permissions of clients as well and in that case I would be a bit happier to
ACK this.

** Bug watch added: github.com/open-iscsi/targetcli-fb/issues #162
   https://github.com/open-iscsi/targetcli-fb/issues/162

** Bug watch added: github.com/open-iscsi/targetcli-fb/issues #163
   https://github.com/open-iscsi/targetcli-fb/issues/163

-- 
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to python-rtslib-fb in Ubuntu.
https://bugs.launchpad.net/bugs/1854362

Title:
  [MIR] ceph-iscsi, tcmu, python-configshell-fb, python-rtslib-fb,
  urwid, targetcli-fb

Status in ceph-iscsi package in Ubuntu:
  Confirmed
Status in python-configshell-fb package in Ubuntu:
  In Progress
Status in python-rtslib-fb package in Ubuntu:
  Confirmed
Status in targetcli-fb package in Ubuntu:
  Confirmed
Status in tcmu package in Ubuntu:
  Confirmed
Status in urwid package in Ubuntu:
  In Progress

Bug description:
  == ceph-iscsi ==

  [Availability]
  In universe

  [Rationale]
  Provides iSCSI gateway to a Ceph cluster, allowing clients which don't understand RBD to use Ceph storage.

  [Security]
  No security history found.

  [Quality assurance]
  Package runs tests during package build (submitted back to Debian).

  [Dependencies]
  All in main or on this MIR

  [Standards compliance]
  OK

  [Maintenance]
  ubuntu-openstack

  == tcmu ==

  [Availability]
  In universe

  [Rationale]
  Dependency for ceph-iscsi

  Handles the userspace side of the LIO TCM-User backstore allowing LIO
  to use librbd for Ceph backed block devices.

  [Security]
  Some security history:

  https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=tcmu

  All in older versions.

  [Quality assurance]
  No tests in source package for execution during package build.

  [Dependencies]
  All in main or on this MIR

  [Standards compliance]
  OK

  [Maintenance]
  ubuntu-openstack

  == python-configshell-fb ==

  [Availability]
  In universe

  [Rationale]
  Dependency for ceph-iscsi

  [Security]
  No security history

  [Quality assurance]
  No tests in source package for execution during package build.

  [Dependencies]
  All in main or on this MIR

  [Standards compliance]
  OK

  [Maintenance]
  ubuntu-openstack

  == python-rtslib-fb ==

  [Availability]
  In universe

  [Rationale]
  Dependency for ceph-iscsi

  [Security]
  No security history

  [Quality assurance]
  No tests in source package for execution during package build.

  [Dependencies]
  All in main or on this MIR

  [Standards compliance]
  OK

  [Maintenance]
  ubuntu-openstack

  == urwid ==

  [Availability]
  In universe

  [Rationale]
  Dependency for python-configshell-fb

  [Security]
  No security history

  [Quality assurance]
  Tests present and executed during package build.

  [Dependencies]
  All in main or on this MIR

  [Standards compliance]
  OK

  [Maintenance]
  ubuntu-openstack

  == targetcli-fb ==

  [Availability]
  In universe

  [Rationale]
  - Only CLI for iSCSI target feature in Linux Kernel
  - Replaces with much better performance tgt iSCSI target
  - tgt is being deprecated slowly and poorly updated
  - LIO fully supports SCSI 3 reservations (for clustering)

  [Security]
  No security history

  [Quality assurance]
  Tests present and executed during package build.

  [Dependencies]
  - python3-configshell-fb (this MIR)
  - python3-gi (main)
  - python3-rtslib-fb (this MIR)
  - python3-six (main)

  [Standards compliance]
  OK

  [Maintenance]
  ubuntu-server

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ceph-iscsi/+bug/1854362/+subscriptions
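
Added example, not part of the original message or of the targetcli-fb code: the two daemon-side controls the review asks for, written in Python for a generic Unix-socket daemon on Linux. It creates the socket file as 0660 and authorizes the peer by the kernel-recorded uid, read here with SO_PEERCRED (the getsockopt counterpart of the SCM_CREDENTIALS message the review names); the function names, the demo socket path and the root-only allow-list are assumptions.

```python
import os
import socket
import stat
import struct
import tempfile

UCRED = "iII"  # struct ucred on Linux: pid_t pid, uid_t uid, gid_t gid

def bind_restricted(path, mode=0o660):
    """Bind a listening AF_UNIX socket whose file is created with `mode`."""
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    # bind() creates the socket file as 0777 & ~umask, so tightening the umask
    # around bind() avoids the window that a later chmod() would leave open.
    old = os.umask(0o777 & ~mode)
    try:
        srv.bind(path)
    finally:
        os.umask(old)
    srv.listen(1)
    return srv

def peer_credentials(conn):
    """Return (pid, uid, gid) of the peer as recorded by the kernel."""
    raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED,
                          struct.calcsize(UCRED))
    return struct.unpack(UCRED, raw)

def is_authorized(conn, allowed_uids=frozenset({0})):
    """Daemon-side check: nothing the client says about itself is trusted."""
    _pid, uid, _gid = peer_credentials(conn)
    return uid in allowed_uids  # assumption: root-only allow-list by default

def demo():
    """Connect to a restricted socket and evaluate the connecting peer."""
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "demo.sock")  # constructed path for the demo
    srv = bind_restricted(path)
    cli = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    cli.connect(path)
    conn, _ = srv.accept()
    try:
        file_mode = stat.S_IMODE(os.stat(path).st_mode)
        return file_mode, peer_credentials(conn)[1], is_authorized(conn)
    finally:
        for s in (conn, cli, srv):
            s.close()
        os.unlink(path)
        os.rmdir(workdir)

if __name__ == "__main__":
    print(demo())
```

The socket mode only limits who can connect; the uid check is what stops the daemon from acting for a caller that got through anyway.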
