Implement subprocess.Popen safely

Registered by Fausto Marzi

Currently most of the subprocess.Popen calls in Freezer are implemented with shell=True as argument.
This is insecure and needs to be changed. shell=True needs to be removed, the command arguments needs to be provided as list (maybe using the current string.split(). This needs to be done asap, as in case we use an API to configure freezer, this may lead to remote command execution, with commands injected from the API. Also as the default shell for subprocess.Popen is /bin/sh, can be helpful to add an argument as env=os.environ.copy().

Blueprint information

Status:
Started
Approver:
Fausto Marzi
Priority:
Medium
Drafter:
Fausto Marzi
Direction:
Needs approval
Assignee:
None
Definition:
Discussion
Series goal:
None
Implementation:
Blocked
Milestone target:
None
Started by
Pierre-Arthur MATHIEU

Related branches

Sprints

Whiteboard

Gerrit topic: https://review.openstack.org/#q,topic:bp/sec-subprocess,n,z

Addressed by: https://review.openstack.org/410169
    Implement subprocess.Popen safely

Implementing this will break backup encryption. We use a pipe to pass tar output to openssl. Pipes do not work without shell=True.
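A pipeline built without shell=True, as an added example that is not Freezer's own code: each stage's stdout is handed to the next stage's stdin by chaining Popen objects, which is the structure a `tar ... | openssl ...` shell line has. The `run_pipeline` helper and the `tar_openssl_stages` argv lists are constructed for this illustration; the openssl flags assume OpenSSL 1.1.1 or later and are not the exact command Freezer uses.

```python
import subprocess
import sys

# Added example, not Freezer's own code: a shell-free pipeline that
# chains Popen objects, so no stage is ever parsed by /bin/sh.


def run_pipeline(stages):
    """Run a list of argv lists as a pipeline, like `a | b | c`.

    Returns (stdout_bytes_of_last_stage, [returncode, ...]). The parent
    closes its copy of each intermediate stdout so the upstream stage
    gets SIGPIPE if a downstream stage exits early, the same behaviour a
    shell pipeline has."""
    procs = []
    upstream = None
    for argv in stages:
        proc = subprocess.Popen(
            argv,
            stdin=upstream.stdout if upstream is not None else None,
            stdout=subprocess.PIPE,
        )
        if upstream is not None:
            upstream.stdout.close()     # the new stage is now the only reader
        procs.append(proc)
        upstream = proc
    output, _ = procs[-1].communicate()
    codes = [p.wait() for p in procs]
    return output, codes


def tar_openssl_stages(src_dir, passphrase_file):
    """Argv lists for `tar -cf - SRC | openssl enc ...` (assumed command
    shape, not Freezer's actual one). src_dir is a single argv element,
    so a directory name containing ';' or spaces is passed verbatim."""
    return [
        ["tar", "-cf", "-", src_dir],
        ["openssl", "enc", "-aes-256-cbc", "-pbkdf2",
         "-pass", "file:" + passphrase_file],
    ]


if __name__ == "__main__":
    # Stand-alone demo using two Python one-liners so it runs anywhere:
    # the first stage emits unsorted lines, the second sorts its stdin.
    demo = [
        [sys.executable, "-c", "import sys; sys.stdout.write('b\\na\\nc\\n')"],
        [sys.executable, "-c",
         "import sys; sys.stdout.write(''.join(sorted(sys.stdin)))"],
    ]
    out, codes = run_pipeline(demo)
    print(out.decode(), codes)
    print(tar_openssl_stages("/var/backup; rm -rf /", "/etc/freezer/pass"))
```

Running `run_pipeline(tar_openssl_stages(path, pass_file))` captures the ciphertext from openssl's stdout and the exit status of both stages, so a tar failure is no longer masked the way it is when a shell pipeline reports only the last command's status.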


Work Items

