Further improvements for nova-rootwrap in Folsom

Registered by Thierry Carrez

Essex introduced nova-rootwrap command filtering. This spec collects all the improvements we intend to push in Folsom.

1. Move filter definition to configuration files
This will allow plug-ins to add the commands they need, and support other configuration options (such as specifying a log file).

2. Support for executing Python instead of just shell commands
This will increase performance and security for sequences of simple shell commands.

3. Nova-rootwrap logging
Use the new support for configuration options to provide a log file that audits every command called as root, together with the filter that matched it.

4. New filters
Create more precise filters for dangerous commands (dd, chmod, chown...).

5. Study a move to openstack-common
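
Items 1, 3 and 4 taken together, as an added example that is not nova-rootwrap's own code: filters are read from a configuration file, a precise filter constrains the arguments of chown, and every decision is logged with the matching filter. The file layout, the filter class names, the function names and the sample paths are assumptions made for illustration.

```python
import configparser
import logging
import re

log = logging.getLogger("rootwrap-example")

# Constructed filter file. Assumed layout: name = type, executable, user[, arg regexes]
SAMPLE_FILTERS = r"""
[Filters]
kpartx = CommandFilter, /sbin/kpartx, root
chown_disk = RegExpFilter, /bin/chown, root, ^[0-9]+$, ^/var/lib/nova/instances/instance-[0-9a-f]{8}$
"""

class CommandFilter:
    """Loose filter: one executable, any arguments."""
    def __init__(self, exec_path, run_as, *patterns):
        self.exec_path, self.run_as, self.patterns = exec_path, run_as, patterns

    def match(self, argv):
        return bool(argv) and argv[0] == self.exec_path

class RegExpFilter(CommandFilter):
    """Precise filter: each argument must fully match its own pattern."""
    def match(self, argv):
        if not super().match(argv) or len(argv) - 1 != len(self.patterns):
            return False
        return all(re.fullmatch(p, a) for p, a in zip(self.patterns, argv[1:]))

FILTER_TYPES = {"CommandFilter": CommandFilter, "RegExpFilter": RegExpFilter}

def load_filters(text):
    """Build filters from config text; an unknown filter type raises KeyError."""
    parser = configparser.RawConfigParser()  # raw: no '%' interpolation in regexes
    parser.optionxform = str                 # keep filter names case-sensitive
    parser.read_string(text)
    filters = {}
    for name, value in parser.items("Filters"):
        kind, *args = [part.strip() for part in value.split(",")]
        filters[name] = FILTER_TYPES[kind](*args)
    return filters

def authorize(argv, filters):
    """Return the name of the first matching filter, or None (deny by default)."""
    for name, flt in filters.items():
        if flt.match(argv):
            log.info("allowed as %s by filter %s: %r", flt.run_as, name, argv)
            return name
    log.warning("denied, no filter matched: %r", argv)
    return None
```

In this sketch kpartx is accepted with any arguments, while chown is accepted only for a numeric owner and a single instance directory, which is the kind of tightening item 4 describes.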

Blueprint information

Status: Complete
Approver: Vish Ishaya
Priority: High
Drafter: Thierry Carrez
Direction: Approved
Assignee: Thierry Carrez
Definition: Approved
Series goal: None
Implementation: Informational
Milestone target: None
Started by: Thierry Carrez
Completed by: Thierry Carrez

Whiteboard

Gerrit topic: https://review.openstack.org/#q,topic:bp/folsom-nova-rootwrap,n,z

Addressed by: https://review.openstack.org/8530
    Move rootwrap filters definition to rootwrap.

Has there been any looking into the following instead of a custom solution here?
    https://svn.apache.org/repos/asf/httpd/httpd/trunk/support/suexec.h
    https://svn.apache.org/repos/asf/httpd/httpd/trunk/support/suexec.c
This is what the apache httpd server uses for this case, might be useful to look at....

For how openssh does it:

http://www.openbsd.org/papers/openssh-measures-asiabsdcon2007.pdf (3.4)
http://www.citi.umich.edu/u/provos/papers/privsep.pdf (section 3)

Perhaps for the long term solution we should follow one of the above patterns?

Answer: both options are kinda valid for C programs but not so much for Python programs. A setuid-root wrapper like suexec was considered but distros and security people generally prefer to depend on sudo rather than on setuid-root (that's the reason why suexec is *not* shipped by default in apache or in any distro). OpenSSH relies on privilege dropping which means running the main code as root... with an interpreted language like Python that creates an unwelcome attack surface.

- How does what openssh does not work in python? How is an interpreted language any different here? It would seem like the principle is sound, no?

Answer: selective privilege dropping (which is what openssh does) is kinda hard to do securely in Python. Python is not designed to handle elevated rights in portions of a single interpreter process, there are lots of ways to escalate if you do that. The only safe way to do that in Python is to use separate processes for different rights. So one valid option would be to start a resident nova-rootwrap process as root that would listen to RPC from other (unprivileged) processes that would call it to run stuff as root. That option was presented when the design was originally discussed with various people with security experience, and everyone preferred to reduce the complexity of the Python code that would end up running as root: load a minimal number of modules and do the simplest you can. The chosen solution actually ensures that you run a minimal number of Python code lines as root. The chosen solution also had the benefit of being compatible with the previous mechanism (a.k.a. "just call sudo"), so the transition was smooth.
