Tuesday, 2014-07-01

10:51 *** openstack has joined #openstack-security
10:57 *** viraptor1 is now known as viraptor
13:09 *** nkinder_ has quit IRC
13:27 <openstackgerrit> Christian Berendt proposed a change to openstack/security-doc: Fixed the syntax of the roadmap RST file  https://review.openstack.org/103885
13:55 *** nkinder_ has joined #openstack-security
14:20 *** paulmo has joined #openstack-security
14:35 *** voodookid has joined #openstack-security
15:13 *** chair6_ is now known as chair6
16:34 *** bdpayne has joined #openstack-security
16:50 *** bdpayne has quit IRC
17:16 *** bdpayne has joined #openstack-security
17:28 *** tmcpeak has joined #openstack-security
17:28 <tmcpeak> viraptor: you around?
17:37 <tmcpeak> bdpayne: we've got some official openstack status I see
17:43 *** ved_lad has joined #openstack-security
17:43 *** ved_lad has quit IRC
17:45 <bdpayne> tmcpeak in what way?
17:45 <tmcpeak> the openstack* bots hanging out for starters ;)
17:45 <bdpayne> yeah, be nice to the overlords
17:45 <tmcpeak> bdpayne: what kind of stuff are they going to publish now?
17:46 <bdpayne> did you see my email yesterday?
17:46 <tmcpeak> bdpayne: to ML?
17:46 <paulmo> Everything you type is now published on the interwebs! :)
17:46 <tmcpeak> paulmo: gasp
17:46 <bdpayne> yeah, there's a log of everything
17:46 <tmcpeak> paulmo: guess it's time to clean up my act
17:46 <paulmo> Notice I've been more quiet lately? haha
17:47 <bdpayne> hopefully people are cool with this
17:47 <bdpayne> I actually find it helpful
17:47 <tmcpeak> bdpayne: yeah, it's good
17:47 <paulmo> Just kidding around, we do this in Solum too
17:47 <tmcpeak> bdpayne: where's the email?
17:47 <bdpayne> I sent it to the openstack-security ML
17:47 <paulmo> June 30th at 3:57 PM CST to openstack-security ML
17:48 <tmcpeak> bdpayne: ahh yeah, I see it
17:48 <tmcpeak> good stuff
17:48 <bdpayne> we should also start getting notifications in here
17:48 <bdpayne> for gerrit reviews on the security guide
17:48 <bdpayne> and, once we move the OSSNs into that repository, for those as well
17:49 <tmcpeak> bdpayne: awesome
18:03 <hyakuhei> Hey guys
18:04 *** nkinder_ has quit IRC
18:06 <tmcpeak> hyakuhei: what's up?
18:06 <tmcpeak> how's it going?
18:09 <hyakuhei> Hey not bad thanks, how's the gate test magic coming along?
18:12 <tmcpeak> hyakuhei: haven't done much since last week, next steps are to make sure from a "hacking" perspective what I've done is clean
18:13 <tmcpeak> then find out about how to get it non-blocking on the gate test
18:13 <tmcpeak> I also sent an email to viraptor about it in case he knows about any of those things
18:13 <tmcpeak> I'd like to pick jogo's brain but he has been away this week
18:19 *** ved_lad has joined #openstack-security
18:21 *** nkinder_ has joined #openstack-security
18:26 <tmcpeak> anybody know what it means to wrap long lines with parentheses in Python?
18:28 <hyakuhei> Feel free to CC me, I'd like to know what's going on
18:28 <hyakuhei> As for line wrapping in python, I think pep8 sets the rules but it's not complicated :)
18:28 <tmcpeak> hyakuhei: ok cool, I'll send it to you
18:29 <tmcpeak> I could prob. just use a shorter variable name :)
18:43 *** nkinder_ has quit IRC
18:55 *** nkinder_ has joined #openstack-security
18:55 <paulmo> tmcpeak: Yeah, don't use \ at the end to continue lines, () instead
18:56 <tmcpeak> paulmo: how does that work?
18:56 <tmcpeak> (bla bla bla bla
18:57 <tmcpeak> bla bla bla)  ?
18:59 <bdpayne> indent the second line so that the chars align... the ( should have a space under it)
18:59 <bdpayne> and keep your lines to <= 79 chars
18:59 <bdpayne> that's about it
18:59 <tmcpeak> bdpayne: ok cool
19:00 <paulmo> Basically, sorry, in and out a lot :)
19:00 <tmcpeak> paulmo: all good ;)
19:00 <tmcpeak> I'm having a strange little problem with my hacking check
19:00 <tmcpeak> the code is this:
19:01 <tmcpeak> def sec_shell_eq_true(logical_line):
19:01 <tmcpeak>     # ignore spaces in the line, to find shell = True, shell =True, etc
19:01 <tmcpeak>     line_no_sp = logical_line.replace(' ', '')
19:01 <tmcpeak>     if 'shell=True' in line_no_sp and 'subprocess' in line_no_sp:
19:01 <tmcpeak>         yield (0, "Security risk: use of shell=True in subprocess call.")
19:01 <tmcpeak> and it outputs this
19:01 <tmcpeak> ./glance/tests/utils.py:281:5: Secu ity risk: use of shell=True in subprocess call.
19:01 <tmcpeak> ./glance/tests/unit/test_migrations.py:176:13: Secu ity risk: use of shell=True in subprocess call.
19:01 <tmcpeak> notice the missing 'r' in Security risk:
19:01 <tmcpeak> don't know how that's possibly happening
19:02 <bdpayne> that's ... special
19:02 <tmcpeak> yeah, super special
19:50 <openstackgerrit> Christian Berendt proposed a change to openstack/security-doc: Renamed bk-openstack-sec-guide.xml to bk-openstack-security-guide.xml  https://review.openstack.org/103985
19:52 <voodookid> tmcpeak: newbie here, but is there a case to be made that perhaps we want to use python functions to do things if we can?
19:58 *** ved_lad has quit IRC
20:02 *** nkinder_ has quit IRC
20:15 *** ved_lad has joined #openstack-security
20:45 *** nkinder_ has joined #openstack-security
21:30 *** ved_lad has quit IRC
21:37 *** ved_lad has joined #openstack-security
22:13 *** paulmo has quit IRC
22:19 *** paulmo has joined #openstack-security
22:55 <tmcpeak> voodookid: sorry I'm late
22:55 <tmcpeak> voodookid: you still around?
22:55 <voodookid> no worries
22:56 <tmcpeak> first of all, welcome to OpenStack Security Group
22:56 <tmcpeak> second of all, what do you mean about using Python functions to do things?
22:57 <voodookid> sorry, I am re-reading what I wrote, it is a bit unclear. I meant, instead of using subprocess, why don't we code something up that does what we want, instead of using an external tool.
22:58 <tmcpeak> oh, yeah, so what this is about is detecting the usage of subprocess that has the shell=True parameter set
22:58 <voodookid> wondering if it was a philosophical reason, a software development reason, or just easier to do with an external tool
22:58 <tmcpeak> we aren't using subprocess ourselves, we are trying to detect it, because when you use shell=True in subprocess you may be vulnerable to shell injection
22:59 <tmcpeak> the code I pasted is part of a check we are working on to scan code for sections like that where it may be vulnerable
22:59 <voodookid> okay, follow up question, can we say that it would be a good idea to avoid using subprocess? (I swear I am not trying to be a pain, I am trying to wrap my head around how things get done.)
23:00 <tmcpeak> voodookid: no worries, subprocess itself is not a security issue.  Sometimes it's the best way to get stuff done.  But there is a best practice for usage, which is to pass the command that you are trying to use and the parameters to the command separately
23:01 <tmcpeak> you can see this for more information on why
23:04 <voodookid> tmcpeak: thanks, I am reading now. I am now wondering if the user who runs subprocess has their shell set to /bin/false or /bin/noshell it will not let them work
23:05 <tmcpeak> voodookid: interesting question, that's a pretty far out edge case, and I don't know how subprocess would handle it
23:06 *** paulmo has quit IRC
23:07 <voodookid> could make it a recommendation that when you install openstack, the user that runs the service should be a service account, not a user account. "useradd -r -s /bin/false <username>" is how you would do it in linux.
23:07 <voodookid> I dunno, still learning the code a bit more and saw your test come up and was wondering about some of this, so I thought I would pipe up
23:07 <tmcpeak> voodookid: that would probably break a lot of the functionality
23:08 <voodookid> 'tis what I figured. I also do not know if having the user's shell set to /bin/false would make it if shell=True to solve the problem to begin with.
23:08 <voodookid> I am willing to dig, but that sounds like a larger fix for a problem that may not exist
23:08 <tmcpeak> voodookid: yeah, it's probably better just to parameterize the input to subprocess, and then not worry about it as much
23:09 <tmcpeak> voodookid: yeah probably a problem that doesn't exist, but hang on to that willingness to dig, we can definitely use that
23:10 <voodookid> I am willing to dig. Right now I am really trying to get into Nova to get a feel for how this runs. I am looking at certificate authority related code, which uses subprocess, hence this whole line of thinking.
23:11 <tmcpeak> hmm, have you talked to nkinder_
23:11 <tmcpeak> nkinder_: <--
23:11 <voodookid> no, I have been fairly quiet so far
23:11 <nkinder_> my ears are burning...
23:11 <tmcpeak> he may be able to point you to an easier place to dive in if you're looking for a good start point
23:12 <tmcpeak> voodookid wants to dig
23:12 <tmcpeak> got any choice spots?
23:12 <voodookid> than nova or the CA stuff?
23:12 <tmcpeak> well Nova is pretty complicated for someone new
23:12 <tmcpeak> it might be easier and more rewarding to dig in another important but under-served area
23:12 <tmcpeak> if you're up for that
23:13 <voodookid> I am all for under-served areas
23:13 <tmcpeak> sweet, nkinder_ is the guy
23:14 <nkinder_> ok, just read the scroll-back
23:14 <nkinder_> I think most services do run as service accounts
23:15 <nkinder_> voodookid: let me launch my icehouse setup to see what the shell is set to
23:16 <voodookid> nkinder_: sweet. Thanks.
23:16 <voodookid> tmcpeak: thanks for answering my questions
23:16 <tmcpeak> voodookid: sure, and again, welcome
23:16 <nkinder_> voodookid: but I think it's fine if they have no shell set, as they don't need to actually log in
23:17 <nkinder_> voodookid: which CA stuff are you looking at?  The only thing really CA related in OpenStack is Barbican
23:18 <voodookid> I was wondering if the user the service runs as has $SHELL=/bin/false that if shell=True in subprocess if that is a remediation for potentially dangerous code.
23:18 <voodookid> nkinder_: under nova/CA there are some shell scripts and I recall some code using it. Perhaps it is no longer being used?
23:19 <nkinder_> voodookid: the shell stuff would be easy enough to test in an interactive python session
23:19 <voodookid> in nova/crypto.py
23:20 <voodookid> nkinder_: yeah, I am thinking the same thing.
23:20 <voodookid> I am going to go home, need to walk my dog, but I will be back in a bit. Thanks again nkinder_ and tmcpeak
23:21 *** voodookid has quit IRC
23:21 <nkinder_> voodookid: that nova stuff looks crusty
23:21 <tmcpeak> nkinder_: what's this?
23:22 <nkinder_> tmcpeak: eh, just old cert handling code in nova
23:22 <tmcpeak> nkinder_: something to look at? sounds juicy
23:22 <nkinder_> tmcpeak: it's just wrappers around openssl cli
23:23 <tmcpeak> nkinder_: I don't see any subprocess calls in this
23:23 <nkinder_> tmcpeak: I think it might be for things like vpn
23:24 <nkinder_> tmcpeak: which would go away as neutron is used more
23:24 <tmcpeak> nkinder_: this is calling utils.execute
23:24 <tmcpeak> but it looks parameterized
23:49 *** tmcpeak has quit IRC

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!