[Bug 1296607] Re: MIR: python-kazoo; new taskflow version needs python-kazoo from universe
Seth Arnold
1296607 at bugs.launchpad.net
Sat Oct 11 01:40:14 UTC 2014
I reviewed kazoo version 1.3.1-1ubuntu1 as checked into utopic. This
shouldn't be considered a full security audit but rather a quick gauge of
maintainability.
- Kazoo provides python bindings for zookeeper
- Build-Depends: debhelper dh-python python-all python-setuptools
python3-all python3-setuptools python-sphinx python3-sphinx
python-gevent
- Only cryptography is hashing
- Python-provided networking
- Does not itself daemonize
- Does not itself listen on network
- No pre/post inst/rm
- No initscripts
- No dbus
- No setuid
- No binaries
- No sudo fragments
- No udev rules
- There are tests but they aren't run during the build
- No cronjobs
- Clean build logs
- No subprocesses spawned
- No memory management
- No files opened
- Logging looks sane
- No environment variables
- No privileged operations
- No encryption, only weak password hashing
- Extensive networking, looked sane
- No temporary files
- No WebKit
- No JavaScript
- No PolicyKit
Here are some notes I collected while reviewing Kazoo in the hope they are
useful to someone:
- Connections to server are unencrypted and unauthenticated, passwords
given in the clear
- Connection logging includes passwords
- ACL credentials are weakly salted (username only) un-iterated SHA1; these
should be considered as roughly equivalent to plaintext.
Kazoo (and likely Zookeeper) should not be used over the public Internet.
Private data should probably not be stored in Zookeeper in the first
place. All protocols and configurations were designed for use in trusted
datacenters -- think of it like telnet.
I suspect everyone using Zookeeper already knows that it has no privacy or
authenticity controls and is using it in trusted data centers, private
cloud environments, or with VPN solutions that can provide privacy and
authentication.
I skipped reading sw/virtualenv.py; it had a lot of crazy things, but it
is probably not unique to this package.
Security team ACK for promoting Kazoo to main.
Thanks
** Changed in: kazoo (Ubuntu)
Assignee: Seth Arnold (seth-arnold) => (unassigned)
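The ACL credential weakness noted in the review, as an added example that is not part of the post or of kazoo itself: it reimplements the ZooKeeper "digest" credential format, base64(sha1("user:password")), and contrasts it with an assumed per-record salted, iterated PBKDF2 record so the "weakly salted, un-iterated" point is visible in code. The function names, PBKDF2_ROUNDS and the record layout are this example's own choices.

```python
import base64
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 200_000  # illustrative work factor for the contrast case


def zk_digest_credential(username: str, password: str) -> str:
    """ZooKeeper 'digest' ACL credential: 'user:base64(sha1(user:password))'.

    One SHA1 round, and the username is the only salt, which is what the
    review means by "weakly salted (username only) un-iterated SHA1".
    Reimplemented for illustration; this is not kazoo's own code.
    """
    raw = f"{username}:{password}".encode("utf-8")
    digest = base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii")
    return f"{username}:{digest}"


def hardened_record(password: str, salt: bytes = b"") -> str:
    """Contrast case (assumed design, not a ZooKeeper feature): random 16-byte
    salt plus iterated PBKDF2-HMAC-SHA256, stored as 'salt_hex$key_hex'."""
    salt = salt or os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return f"{salt.hex()}${key.hex()}"


def verify_hardened(record: str, password: str) -> bool:
    salt_hex, key_hex = record.split("$", 1)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                              bytes.fromhex(salt_hex), PBKDF2_ROUNDS)
    return hmac.compare_digest(key.hex(), key_hex)


def salt_properties(username: str, password: str) -> dict:
    """Summarise why a stored ZooKeeper digest behaves like the password itself."""
    zk_a = zk_digest_credential(username, password)
    zk_b = zk_digest_credential(username, password)   # e.g. a second cluster
    zk_other_user = zk_digest_credential(username + "2", password)
    hard_a = hardened_record(password)
    hard_b = hardened_record(password)
    return {
        # same user+password always yields the same digest, so a digest read
        # from one deployment's ACLs is the secret for every other deployment
        "zk_digest_portable_across_deployments": zk_a == zk_b,
        "zk_digest_varies_with_username": zk_a != zk_other_user,
        "zk_hash_rounds": 1,
        # a per-record random salt makes every stored record distinct...
        "hardened_records_differ": hard_a != hard_b,
        # ...while each still verifies, and a wrong password is rejected
        "hardened_verifies": verify_hardened(hard_a, password) and verify_hardened(hard_b, password),
        "hardened_rejects_wrong_password": not verify_hardened(hard_a, password + "x"),
    }
```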
--
https://bugs.launchpad.net/bugs/1296607