incubator-cloudstack-dev mailing list archives

From "John Kinsella (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (CLOUDSTACK-967) security hazard: passwordless root sudo for cloud user
Date Sun, 13 Jan 2013 02:58:12 GMT

    [ https://issues.apache.org/jira/browse/CLOUDSTACK-967?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13552127#comment-13552127 ]

John Kinsella commented on CLOUDSTACK-967:
------------------------------------------

Concur.

Just looked through my sudo logs; this is what I see it running:

sudo:    cloud : TTY=unknown ; PWD=/var/lib/cloud/management ; USER=root ; COMMAND=/bin/cp -b /usr/lib64/cloud/common/vms/systemvm.iso /usr/lib64/cloud/common/vms/systemvm.iso.bak
sudo:    cloud : TTY=unknown ; PWD=/var/lib/cloud/management ; USER=root ; COMMAND=/bin/cp -fr /var/lib/cloud/management/systemvm_mnt/authorized_keys /var/lib/cloud/management/systemvm_mnt/cloud-scripts.tgz /var/lib/cloud/management/systemvm_mnt/systemvm.zip /tmp/cloud/systemvm/
sudo:    cloud : TTY=unknown ; PWD=/var/lib/cloud/management ; USER=root ; COMMAND=/bin/cp /var/lib/cloud/management/.ssh/id_rsa.pub /tmp/cloud/systemvm/authorized_keys
sudo:    cloud : TTY=unknown ; PWD=/var/lib/cloud/management ; USER=root ; COMMAND=/bin/cp -f /tmp/systemvm.iso /usr/lib64/cloud/common/vms/systemvm.iso
sudo:    cloud : TTY=unknown ; PWD=/var/lib/cloud/management ; USER=root ; COMMAND=/bin/cp -fb /var/lib/cloud/management/.ssh/id_rsa /usr/lib64/cloud/common/scripts/vm/systemvm/id_rsa.cloud
sudo:    cloud : TTY=unknown ; PWD=/var/lib/cloud/management ; USER=root ; COMMAND=/bin/chmod 644 /usr/lib64/cloud/common/scripts/vm/systemvm/id_rsa.cloud
sudo:    cloud : TTY=unknown ; PWD=/var/lib/cloud/management ; USER=root ; COMMAND=/bin/mkdir -p /var/lib/cloud/management/systemvm_mnt
sudo:    cloud : TTY=unknown ; PWD=/var/lib/cloud/management ; USER=root ; COMMAND=/bin/mount -o loop /usr/lib64/cloud/common/vms/systemvm.iso /var/lib/cloud/management/systemvm_mnt
sudo:    cloud : TTY=unknown ; PWD=/var/lib/cloud/management ; USER=root ; COMMAND=/bin/umount /var/lib/cloud/management/systemvm_mnt

> security hazard: passwordless root sudo for cloud user
> ------------------------------------------------------
>
>                 Key: CLOUDSTACK-967
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-967
>             Project: CloudStack
>          Issue Type: Improvement
>      Security Level: Public(Anyone can view this level - this is the default.) 
>            Reporter: Noa Resare
>              Labels: security
>
> When running the setup-cloud-management program, it installs a terrible entry in the file /etc/sudoers:
> cloud ALL =NOPASSWD : ALL
> To the uninitiated: this means that the user 'cloud' can become root without supplying a password via the sudo facility.
> This is obviously very, very bad from a security perspective. Any security vulnerability where an attacker (remote or local) can trick the cloudstack server component to execute arbitrary tasks immediately escalates into root access.
> Let's figure out what permissions cloudstack actually needs and fix this.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
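Added example, not part of John Kinsella's comment or of the CloudStack project: a POSIX shell snippet that turns sudo log records in the format quoted above into an inventory of the binaries the cloud user actually runs as root, and drafts a sudoers stanza to replace the blanket "cloud ALL =NOPASSWD : ALL" rule. The sample records are constructed from the comment's log layout; the extra "someone" record is made up to show that the user filter works.

```shell
#!/bin/sh
# Added example: inventory the root commands a sudo user actually runs, as the
# first step toward replacing "cloud ALL=NOPASSWD: ALL" with an explicit list.

# Constructed sample records in the same layout as the sudo logs in the comment.
SAMPLE_LOG='sudo:    cloud : TTY=unknown ; PWD=/var/lib/cloud/management ; USER=root ; COMMAND=/bin/cp -b /usr/lib64/cloud/common/vms/systemvm.iso /usr/lib64/cloud/common/vms/systemvm.iso.bak
sudo:    cloud : TTY=unknown ; PWD=/var/lib/cloud/management ; USER=root ; COMMAND=/bin/chmod 644 /usr/lib64/cloud/common/scripts/vm/systemvm/id_rsa.cloud
sudo:    cloud : TTY=unknown ; PWD=/var/lib/cloud/management ; USER=root ; COMMAND=/bin/mkdir -p /var/lib/cloud/management/systemvm_mnt
sudo:    cloud : TTY=unknown ; PWD=/var/lib/cloud/management ; USER=root ; COMMAND=/bin/mount -o loop /usr/lib64/cloud/common/vms/systemvm.iso /var/lib/cloud/management/systemvm_mnt
sudo:    cloud : TTY=unknown ; PWD=/var/lib/cloud/management ; USER=root ; COMMAND=/bin/umount /var/lib/cloud/management/systemvm_mnt
sudo:    someone : TTY=pts/0 ; PWD=/home/someone ; USER=root ; COMMAND=/bin/ls'

# root_commands USER: print the sorted, unique binaries USER ran as root via
# sudo. Reads one record per line on stdin; records for other users or other
# target users are ignored.
root_commands() {
    user="$1"
    sed -n "s/^sudo: *${user} : .*USER=root ; COMMAND=\([^ ]*\).*/\1/p" | sort -u
}

# sudoers_fragment USER: emit a sudoers stanza granting only the binaries seen
# in the log instead of ALL. Returns 1 if the user never ran anything as root.
sudoers_fragment() {
    user="$1"
    alias_name="$(echo "$user" | tr a-z A-Z)_CMDS"
    cmds=$(root_commands "$user" | tr '\n' ',' | sed 's/,$//; s/,/, /g')
    [ -n "$cmds" ] || return 1
    printf 'Cmnd_Alias %s = %s\n' "$alias_name" "$cmds"
    printf '%s ALL = (root) NOPASSWD: %s\n' "$user" "$alias_name"
}

# Caveat: /bin/cp or /bin/chmod as root with unrestricted arguments can still
# rewrite any root-owned file, so this stanza is an inventory to review; the
# real fix also needs exact argument lists or a narrow wrapper script.
echo "$SAMPLE_LOG" | sudoers_fragment cloud
```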
