No specification of absolute path when calling OS binaries
Multiple instances of calls to operating system binaries were identified with having no absolute paths. It is exploitable if someone can substitute os binary for example "cp" or "kill" with own harmful one.
Short research of binaries calls can be found here:
https:/
research was done against following packages:
python-glanceclient
python-
quantum
glance
oslo-incubator
python-
python-novaclient
keystone
nova
Idea inside our group to fix that problem is: walk through that packages and specify absolute paths of os binaries in source code.
Blueprint information
- Status:
- Not started
- Approver:
- None
- Priority:
- Undefined
- Drafter:
- None
- Direction:
- Needs approval
- Assignee:
- Stanislav Pugachev
- Definition:
- New
- Series goal:
- None
- Implementation:
-
Unknown
- Milestone target:
- None
- Started by
- Completed by
Related branches
Related bugs
Sprints
Whiteboard
Sounds like too much work to make the code fragile in the face of different distro choices about where to put packages. Why not just sanity-check the PATH environment variable instead?
