[Bug 1296607] Re: MIR: python-kazoo; new taskflow version needs python-kazoo from universe

Seth Arnold 1296607 at bugs.launchpad.net
Sat Oct 11 01:40:14 UTC 2014


I reviewed kazoo version 1.3.1-1ubuntu1 as checked into utopic. This
shouldn't be considered a full security audit but rather a quick gauge of
maintainability.

- Kazoo provides python bindings for zookeeper
- Build-Depends: debhelper dh-python python-all python-setuptools
  python3-all python3-setuptools python-sphinx python3-sphinx
  python-gevent
- Only cryptography is hashing
- Python-provided networking
- Does not itself daemonize
- Does not itself listen on network
- No pre/post inst/rm
- No initscripts
- No dbus
- No setuid
- No binaries
- No sudo fragments
- No udev rules
- There are tests but they aren't run during the build
- No cronjobs
- Clean build logs

- No subprocesses spawned
- No memory management
- No files opened
- Logging looks sane
- No environment variables
- No privileges operations
- No encryption, only weak password hashing
- Extensive networking, looked sane
- No temporary files
- No WebKit
- No JavaScript
- No PolicyKit

Here are some notes I collected while reviewing Kazoo in the hope they are
useful to someone:

- Connections to server are unencrypted and unauthenticated, passwords
  given in the clear
- Connection logging includes passwords
- ACL credentials are weakly salted (username only) uniterated SHA1; these
  should be considered as roughly equivalent to plaintext.

Kazoo (and likely Zookeeper) should not be used over the public Internet.
Private data should probably not be stored in Zookeeper in the first
place. All protocols and configurations were designed for use in trusted
datacenters -- think of it like telnet.

I suspect everyone using Zookeeper already knows that it has no privacy or
authenticity controls and is using it in trusted data centers, private
cloud environments, or with VPN solutions that can provide privacy and
authentication.

I skipped reading sw/virtualenv.py, it had a lot of crazy things, but it
is probably not unique to this package.

Security team ACK for promoting Kazoo to main.

Thanks

** Changed in: kazoo (Ubuntu)
     Assignee: Seth Arnold (seth-arnold) => (unassigned)

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to kazoo in Ubuntu.
https://bugs.launchpad.net/bugs/1296607

Title:
  MIR: python-kazoo; new taskflow version needs python-kazoo from
  universe

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/kazoo/+bug/1296607/+subscriptions



More information about the Ubuntu-server-bugs mailing list