Thursday, 2014-09-04

00:09 *** dmccowan has quit IRC
00:20 *** dmccowan has joined #openstack-security
00:25 *** dmccowan has quit IRC
00:25 *** dmccowan_ has joined #openstack-security
00:42 *** bdpayne has quit IRC
01:54 *** voodookid has joined #openstack-security
02:41 *** amrith is now known as _amrith_
03:04 *** zz_naotok is now known as naotok
03:20 *** dmccowan_ has quit IRC
03:36 *** voodookid has quit IRC
<openstackgerrit> OpenStack Proposal Bot proposed a change to openstack/security-doc: Imported Translations from Transifex
09:45 *** imam1 has joined #openstack-security
09:50 *** imam1 has left #openstack-security
10:39 *** _amrith_ is now known as amrith
10:45 *** naotok is now known as zz_naotok
11:00 *** dmccowan has joined #openstack-security
11:30 *** dmccowan_ has joined #openstack-security
11:31 *** dmccowan has quit IRC
11:31 *** dmccowan_ is now known as dmccowan
11:43 *** dmccowan has quit IRC
11:51 *** jamielennox has quit IRC
11:51 *** jamielennox has joined #openstack-security
12:08 *** dmccowan has joined #openstack-security
12:12 *** dmccowan_ has joined #openstack-security
12:12 *** dmccowan has quit IRC
12:12 *** dmccowan_ is now known as dmccowan
12:35 *** amrith is now known as _amrith_
13:12 *** nkinder has quit IRC
13:35 *** bknudson has joined #openstack-security
13:47 *** dmccowan has quit IRC
13:57 *** nkinder has joined #openstack-security
14:02 *** _amrith_ is now known as amrith
14:06 *** tmcpeak has joined #openstack-security
14:17 *** dmccowan has joined #openstack-security
14:17 <tmcpeak> dmccowan: hey, how it goes?
14:34 *** voodookid has joined #openstack-security
14:35 <dmccowan> it goes well.  thanks for reaching out.
14:38 <tmcpeak> dmccowan: sure, want to tell me a little bit about your background and what your interests are?
14:41 <dmccowan> For openstack, i've been building some proof of concepts locally.  I've added a custom dashboard to horizon and added a nova scheduler filter.  I plan to be more involved in the future, but I have an immediate goal of committing a security related patch.  Partly to learn git/gerrit and partly to get "ATC" status before the summit.
14:42 <tmcpeak> dmccowan: in that case a good place to start for you might be to contribute to the OpenStack security guide
14:42 *** voodookid has quit IRC
<openstackgerrit> A change was merged to openstack/security-doc: Imported Translations from Transifex
14:43 <tmcpeak> such as that one ^
14:43 <tmcpeak> nevermind, that's not a great example
14:43 *** voodookid has joined #openstack-security
<tmcpeak> dmccowan: check this out -
14:45 <tmcpeak> there is a backlog of changes that need to be made to the guide, it's usually pretty easy to make the change
14:45 <tmcpeak> I think that should be good for ATC
14:45 <tmcpeak> it's also a great way to get familiar with git/gerrit
14:46 <dmccowan> great.  i'll do that first.   i noticed from the last meet-up you identified some security vulnerabilities, if there's an unassigned bug (or to be written bug) for one of those i'd be interested in working a patch for one or more of them too.
14:47 <tmcpeak> dmccowan: cool, we definitely have some of those
14:48 <tmcpeak> dmccowan: are you familiar with the shell/command injection vulnerability when using shell=True to a Popen call?
14:48 <tmcpeak> I found a few yesterday I haven't had time to track down yet, want to take one of those?
14:48 <tmcpeak> if you aren't no problem, I can give you a link to read
14:48 <tmcpeak> actually I'm working on this note:  which attempts to explain the issue
14:49 <dmccowan> i saw a mention of that on IRC earlier this week as I was lurking.  that sounds just like what i'm looking for.
14:49 <tmcpeak> perfect, I'll give you a couple of locations in code, you can take a look, see if it is a vulnerability or isn't, if so why/why not, file a bug if it is, and take it from there
14:49 <tmcpeak> sounds good?
14:49 <dmccowan> yes, very good!
14:50 <dmccowan> for the security guide.  can you help me cherry pick a bug to grab?
14:51 <tmcpeak> bdpayne is probably a better guy to talk to for that, he should be on in an hour or so
14:51 <tmcpeak> dmccowan: >> Popen call with shell=True identified, security issue.
<tmcpeak>  - ../OpenStack_projects//nova/nova/virt/baremetal/
14:51 <tmcpeak> so on that line in Nova, they are calling a Popen with shell=True.  Once you brush up on why that's a bad idea, see if you can trace through the code and figure out if that's a problem or not
14:54 <dmccowan> got it.  thanks!
14:55 <tmcpeak> cool, no prob.  Let me know if you get stuck
<openstackgerrit> Travis McPeak proposed a change to openstack/security-doc: Adding OSSN-0026: Unrestricted write permission to config files can allow code execution
15:08 *** bdpayne has joined #openstack-security
15:17 <tmcpeak> bdpayne: dmccowan is interested in doing a little security guide work
15:17 <bdpayne> hey... someone is up early :-)
15:17 <bdpayne> welcome dmccowan
15:17 <bdpayne> any specific interests?
15:19 <dmccowan> my immediate interest is to gain ATC status. :-)  midterm interest is around trust, such as Trusted Compute Pools.  longer term, anything security.
15:19 <tmcpeak> ;) WFH day, don't have to do that *special* commute
15:20 <bdpayne> dmccowan ok, sounds good
15:21 <bdpayne> I don't have insight into the ATC status process, so no guarantees there on the timing and such
<bdpayne> alas, here's the list of open bugs on the book:
15:21 <bdpayne> are you familiar with using git / gerrit to submit changes?
15:21 *** amrith is now known as _amrith_
15:22 <dmccowan> i've read the how-tos.  ready to give it a try.
15:22 <bdpayne> have you done much with git before?
15:23 <dmccowan> enough to be dangerous.  i've worked on another open source project that was git based.
15:24 <bdpayne> ok cool
15:24 <bdpayne> so feel free to grab a bug and assign it to yourself
15:24 <bdpayne> if you have any questions, please don't hesitate to contact me
15:24 <bdpayne> you can just mention me in this channel
15:24 <dmccowan> can you help me cherry pick one?
<bdpayne> oh, and the guide is actually located at
15:25 <bdpayne> are you new to openstack?
<bdpayne> this may be a good one:
15:27 <bdpayne> you can grep the source code for ssl and make changes to tls where appropriate :-)
15:28 <bdpayne> and it's an important change to get us consistent / up to date
15:28 <dmccowan> i came to atlanta as a total newbie, but have been actively playing with it since.  i've done some POC work: custom dashboard in horizon, and a new Nova scheduler filter.  i've got a pretty good multi-node setup to use/recreate/play with.
15:30 <bdpayne> ah great, sounds like you're ramping up nicely :-)
<openstackgerrit> OpenStack Proposal Bot proposed a change to openstack/security-doc: Updated from openstack-manuals
15:30 <bdpayne> so yeah, take a look at the bug I mentioned above and let me know if you have any questions
15:31 <dmccowan> will do.  thanks!
15:45 <tmcpeak> nkinder bdpayne paulmo voodookid: want to have a look at my OSSN if you have a chance?
15:45 <bdpayne> sure, I'll do some reviewing later this morning and I'll check it out then
15:45 <tmcpeak> bdpayne: sounds good
15:46 <nkinder> tmcpeak: yeah, it's on my list for today
15:47 <tmcpeak> nkinder: cool
15:47 <paulmo> tmcpeak:  Nice, that is a good recommendation!
15:47 <tmcpeak> paulmo: thank you sir
15:48 <voodookid> looks good to me.
15:48 <paulmo> Is there a higher level "umbrella"-like statement that recommends chmod'ing/chown'ing everything to the most locked down possible configuration?  It seems like this could happen in other places too.
15:50 <tmcpeak> paulmo: good point
15:51 <tmcpeak> paulmo: general least privilege best practice statement?
15:58 <voodookid> tmcpeak paulmo: perhaps add that to the install documents as well?
15:58 <tmcpeak> voodookid: something like that should be in the security guide already
15:59 <voodookid> also, when the scripts create these files, could they put good ACLs on them?
16:02 <paulmo> I would think so… good practice or it might get forgotten if it is a "manual" process
16:02 <paulmo> (people dropping by to chat, kind of in and out of IRC right now)
16:03 <tmcpeak> voodookid: yeah I think they are generally created with decent permissions
16:03 <tmcpeak> would be something interesting to verify though
16:12 *** voodookid has quit IRC
16:14 *** voodookid has joined #openstack-security
16:20 *** bdpayne has quit IRC
16:23 *** _amrith_ is now known as amrith
<openstackgerrit> Travis McPeak proposed a change to openstack/security-doc: Adding OSSN-0026: Unrestricted write permission to config files can allow code execution
16:40 *** Priti has joined #openstack-security
16:40 <tmcpeak> hey Priti
16:40 <tmcpeak> how it goes?
16:40 <Priti> hey Travis
16:41 <tmcpeak> enjoying the week off?
16:41 <tmcpeak> hopefully you're getting a chance to rest up a bit
16:44 <Priti> yup totally, working on bunch of painting projects :)
16:45 <tmcpeak> nice! I still want to buy one when you're ready to start selling them
16:47 <Priti> yup sure may be in few months
16:47 <tmcpeak> sounds good
16:47 <tmcpeak> coming for the meeting today?
16:49 *** sicarie has joined #openstack-security
16:49 *** bdpayne has joined #openstack-security
17:04 *** rlpple has joined #openstack-security
17:06 <rlpple> join #openstack-meeting-alt for weekly meeting happening now.
17:06 <tmcpeak> rlpple: +1
17:07 <tmcpeak> Priti: want to come give status on your OSSN?
17:08 <Priti> Yup, i am wrapping up the write up OSSN-20, finishing writeup on how to detect active connections
17:09 <Priti> thanks to Randy for Pointers
17:10 <tmcpeak> Priti: want to give status in #openstack-meeting-alt ?
17:10 <Priti> yup joining it
17:11 *** Priti_ has joined #openstack-security
<openstackgerrit> A change was merged to openstack/security-doc: OSSN-0023 Keystone logs tokens at INFO levels
<openstackgerrit> A change was merged to openstack/security-doc: Updated from openstack-manuals
17:32 *** Priti_ has quit IRC
17:36 *** voodookid has quit IRC
17:37 *** voodookid has joined #openstack-security
17:52 <bdpayne> tmcpeak just reviewed your OSSN
17:56 <tmcpeak> bdpayne: oh cool
17:56 <tmcpeak> what'd you think?
17:56 <bdpayne> close, but not quite there yet
17:56 <tmcpeak> I'll take a look at the feedback
17:56 <bdpayne> also, I assume this went through the VMT?
17:56 <tmcpeak> you mean I'm not dropping 0 days?
17:57 <bdpayne> b/c I would argue that we should be doing input sanitization on that stuff
17:57 <bdpayne> the fact that we don't is pretty poor programming practices
17:57 <bdpayne> I guess I was just wondering if they at least took it as a longer term hardening task
18:02 <tmcpeak> bdpayne: yeah, in the launchpad bug they said they don't want to declare vulnerabilities for anything involving tampering with config files to get code execution because they think it's a slippery slope
18:03 <bdpayne> yeah... I mean, there could then be lots of vulns
18:03 <bdpayne> well, this is unfortunate
18:03 <paulmo> slippery slope of better security? heh
18:03 <bdpayne> I think we should continue to push for fixes to these kinds of things
18:03 <bdpayne> *all* input should be validated
18:03 <bdpayne> full stop
18:03 <paulmo> +100 bdpayne
<openstackgerrit> Priti Desai proposed a change to openstack/security-doc: Adding note for OSSN-0020
18:20 *** Priti has quit IRC
19:30 *** tmcpeak has quit IRC
19:45 *** gabriela2 has joined #openstack-security
19:47 *** gabriela2 has left #openstack-security
19:53 *** amrith is now known as _amrith_
19:56 *** bdpayne has quit IRC
19:56 *** _amrith_ is now known as amrith
19:57 *** bdpayne has joined #openstack-security
<openstackgerrit> Nathaniel Dillon proposed a change to openstack/security-doc: Submitting new OSSN concerning Swift/Glance public images
20:20 *** tmcpeak has joined #openstack-security
20:33 *** rlpple has quit IRC
20:39 <dmccowan> hi tmcpeak
20:42 <bdpayne> dmccowan not sure where he is... anything I can help with?
20:45 <dmccowan> he asked me this morning to look at for potential command injection through config files.  i've verified that there are two config parameters that bring in command injection.  looking for next steps in this case.
20:45 <bdpayne> ah, gotcha
20:45 <dmccowan> are we just documenting these for now, or is there a best practice for patching these yet?
20:46 <bdpayne> which project is this in?
20:47 <bdpayne> I would suggest that we should file bugs on this, but probably good to sync with tmcpeak because that may have already been done
20:47 <bdpayne> the bugs would be to track fixing it as a general hardening measure
20:48 <bdpayne> I doubt that they will issue an OSSA/CVE for this
20:50 <dmccowan> this is an especially fun one, since one of the config parameters is the path and filename of an executable to be run.  the default is shellinabox (this is for start_console() )
20:52 <dmccowan> the other config parameter is the standard case, where if it is set to "; cat /etc/passwd" then there is command injection.  it's hard to justify fixing that one, when the other opening is there too.
20:52 <bdpayne> both should receive some form of input validation
20:53 <bdpayne> that's what I'd suggest putting into the bug report
20:55 <tmcpeak> let me catch up
20:56 <tmcpeak> dmccowan: yeah, let's file some bugs!
20:56 <tmcpeak> dmccowan: have you filed anything in launchpad before?
20:57 <dmccowan> i've made review comments, but not opened a new bug.
20:58 <tmcpeak> where are the review comments?
21:01 <dmccowan> not related to this.  i'll open a bug, and then send you a link to see if i got it right. :-)   I assume I should reference  it appears to be the "parent" bug for these type of issues.
21:02 <tmcpeak> dmccowan: oh yeah, I didn't even know this existed.  So they are tracking it already.  But go ahead and open a new bug and reference this as the parent bug
21:02 <tmcpeak> the analysis that you have done should be really valuable
21:02 <tmcpeak> it looks like work has stalled out on it
21:10 *** paulmo has quit IRC
21:14 <bdpayne> did you file it as private?
21:14 <bdpayne> (that link isn't working)
21:15 <dmccowan> try now
21:17 <tmcpeak> dmccowan: taking a look now
21:18 <bdpayne> ok, I can see it now
21:19 <bdpayne> fwiw, normally I encourage filing security bugs as private... but in this case the discussion is already in the open and I think it makes more sense to just address these as hardening measures in the open
21:20 <tmcpeak> dmccowan: this looks good
21:20 <tmcpeak> bdpayne is right, generally file them as "security; private"
21:21 <tmcpeak> but discussion relating to other bugs has led us to know that VMT doesn't consider this embargo worthy
21:22 <dmccowan> gotcha.  it was private, and i needed "security; private".  but, i gathered from the IRC discussion today that this class of bug is not private anymore.
21:22 <dmccowan> tmcpeak, do you have any more of these on your list?
21:23 <dmccowan> for this bug, the next thing to happen is a nova core member will triage it?
21:24 <tmcpeak> dmccowan: yeah, I've got a few
21:25 <tmcpeak> there's tons in Trove
21:25 <tmcpeak> dmccowan: I guess it depends what you want to do
21:25 <tmcpeak> do you want to file a bunch of bugs, or do you want to work this one vertically
21:25 <tmcpeak> after this gets verified you could attempt to patch the issue and get the whole chunk
21:26 <tmcpeak> also OSSN and guide work is a good way to get your feet wet while you wait
21:26 <tmcpeak> oh, you assigned it to yourself already?
21:26 <tmcpeak> or does it assign it automatically when you file it?
21:27 <dmccowan> i assigned it to myself.
21:27 <tmcpeak> bdpayne: do you know if he has to wait until somebody verifies it, or can he just start working on the patch now?
21:28 <bdpayne> can certainly start working on it
21:28 <bdpayne> they may not take it without verification
21:28 <bdpayne> but it never hurts to have a patch associated with a bug
21:28 <tmcpeak> so dmccowan: next step is to figure out how to fix it
21:29 <bdpayne> note that the nova review queue is long and back-logged
21:29 <tmcpeak> oh, is it?
21:29 <bdpayne> so, if/when we have a patch up for review, if it isn't getting traction then we may need to gently nudge some people
21:29 <tmcpeak> bdpayne: wow
21:29 <bdpayne> we can cross that bridge when we get there
21:29 <tmcpeak> 1455 items!?!
21:30 <bdpayne> see, I'm not making this stuff up :-)
21:30 <tmcpeak> this is insane
21:31 <tmcpeak> 3 CVE bugs, and they are all from 2013
21:31 <tmcpeak> good times
21:32 <dmccowan> cinder has an interesting solution.  in cinder/  there is the method check_ssh_injection(cmd_list).
21:33 <dmccowan> it looks for ['`', '$', '|', '||', ';', '&', '&&', '>', '>>','<'] anywhere in the command list as a sign of injection
21:34 <tmcpeak> yeah, basically blacklist dangerous characters
21:55 *** dmccowan has quit IRC
22:01 *** nkinder has quit IRC
22:17 *** dmccowan has joined #openstack-security
22:21 *** dmccowan_ has joined #openstack-security
22:21 *** amrith is now known as _amrith_
22:21 *** dmccowan has quit IRC
22:21 *** dmccowan_ is now known as dmccowan
22:25 *** sweston has quit IRC
22:25 *** sweston has joined #openstack-security
22:41 <dmccowan> hi bdpayne
22:42 <dmccowan> i see 714 matches of SSL in the current OSSG.  Do you envision most of them becoming TLS?  (or am I missing something subtle?)
22:51 *** nkinder has joined #openstack-security
22:56 <tmcpeak> dmccowan: generally if you want to get attention from somebody put their name
22:56 <tmcpeak> most IRC clients are configured to do something if that happens
22:56 <tmcpeak> nkinder: you around?
23:06 *** voodookid has quit IRC
23:09 <tmcpeak> bdpayne: you there?
23:09 <bdpayne> I am
23:09 <tmcpeak> so for your comment on OSSN-0026
23:09 <tmcpeak> Trove isn't out yet
23:09 <tmcpeak> so if I mention the version I'd have to put Trove (Juno)
23:09 <tmcpeak> which looks silly
23:09 <tmcpeak> since Juno isn't out yet
23:09 <tmcpeak> I mean technically they could fix them all
23:09 <tmcpeak> but they won't
23:09 <tmcpeak> so what should I put?
23:10 <tmcpeak> bdpayne: ^
23:10 <bdpayne> part of what wasn't clear was if the , or the / took precedence
23:10 <tmcpeak> it's kind of a tough problem
23:11 <tmcpeak> most OSSN's really are limited to one service and a couple of versions
23:11 <tmcpeak> our traditional scheme doesn't apply well to this
23:12 <bdpayne> I'm not too picky about what we say there, tbh... just as long as it is clear
23:12 <tmcpeak> what would you recommend for Trove though
23:12 <tmcpeak> if I put version it has to be Juno
23:12 <tmcpeak> because there is no Trove in IceHouse
23:13 <bdpayne> Juno or dev branch
23:13 <tmcpeak> ok cool
23:16 <tmcpeak> bdpayne: about your comment for calling out the specific locations
23:16 <tmcpeak> bdpayne: I'm hesitant to pick on a project, and also hesitant to list a bunch
23:16 <tmcpeak> maybe list one nova example and one trove?
23:17 <bdpayne> seems reasonable
23:17 <bdpayne> you can make it clear that they are exemplars
23:17 <tmcpeak> I'm just afraid it might be a moving target, I don't want the note to become stale
23:17 <tmcpeak> yeah, that sounds reasonable
23:17 <bdpayne> but that helps to make it more concrete
23:17 <tmcpeak> sure, yeah, sounds good
23:26 <tmcpeak> bdpayne: for the examples, do you think I could just link to two examples in the code at the bottom?  If I show a couple of examples and then explain them it's going to get wordy
23:28 *** sicarie has quit IRC
23:32 <bdpayne> linking to the code will go stale quickly
23:32 <bdpayne> it may be sufficient to just call out the config param names
23:32 <tmcpeak> how about linking to a couple launchpad bugs
23:32 <bdpayne> and then show the code that execs it
23:32 <bdpayne> linking to launchpad bugs could work
23:32 <tmcpeak> they aren't usually that simple
23:32 <tmcpeak> it would be at least three steps always
23:33 <tmcpeak> I'm kind of thinking linking to launchpad is probably a good middle ground
23:33 <bdpayne> yeah, if there aren't simple / clean examples... then linking to the launchpad bugs is the way to go
<openstackgerrit> Travis McPeak proposed a change to openstack/security-doc: Adding OSSN-0026: Unrestricted write permission to config files can allow code execution
23:48 *** tmcpeak has quit IRC
23:51 <bdpayne> tmcpeak re-reviewed :-)