*** openstack has joined #openstack-security | 10:51 | |
*** viraptor1 is now known as viraptor | 10:57 | |
*** nkinder_ has quit IRC | 13:09 | |
openstackgerrit | Christian Berendt proposed a change to openstack/security-doc: Fixed the syntax of the roadmap RST file https://review.openstack.org/103885 | 13:27 |
*** nkinder_ has joined #openstack-security | 13:55 | |
*** paulmo has joined #openstack-security | 14:20 | |
*** voodookid has joined #openstack-security | 14:35 | |
*** chair6_ is now known as chair6 | 15:13 | |
*** bdpayne has joined #openstack-security | 16:34 | |
*** bdpayne has quit IRC | 16:50 | |
*** bdpayne has joined #openstack-security | 17:16 | |
*** tmcpeak has joined #openstack-security | 17:28 | |
tmcpeak | viraptor: you around? | 17:28 |
tmcpeak | bdpayne: we've got some official openstack status I see | 17:37 |
tmcpeak | :) | 17:37 |
*** ved_lad has joined #openstack-security | 17:43 | |
*** ved_lad has quit IRC | 17:43 | |
bdpayne | tmcpeak in what way? | 17:45 |
tmcpeak | the openstack* bots hanging out for starters ;) | 17:45 |
bdpayne | yeah, be nice to the overlords | 17:45 |
tmcpeak | bdpayne: what kind of stuff are they going to publish now? | 17:45 |
bdpayne | did you see my email yesterday? | 17:46 |
tmcpeak | bdpayne: to ML? | 17:46 |
paulmo | Everything you type is now published on the interwebs! :) | 17:46 |
tmcpeak | paulmo: gasp | 17:46 |
bdpayne | yeah, there's a log of everything | 17:46 |
bdpayne | http://eavesdrop.openstack.org/irclogs/%23openstack-security/%23openstack-security.2014-07-01.log | 17:46 |
tmcpeak | paulmo: guess it's time to clean up my act | 17:46 |
paulmo | Notice I've been more quiet lately? haha | 17:46 |
bdpayne | hopefully people are cool with this | 17:47 |
tmcpeak | ;) | 17:47 |
bdpayne | I actually find it helpful | 17:47 |
tmcpeak | bdpayne: yeah, it's good | 17:47 |
paulmo | Just kidding around, we do this in Solum too | 17:47 |
tmcpeak | bdpayne: where's the email? | 17:47 |
bdpayne | I sent it to the openstack-security ML | 17:47 |
paulmo | June 30th at 3:57 PM CST to openstack-security ML | 17:47 |
tmcpeak | bdpayne: ahh yeah, I see it | 17:48 |
tmcpeak | good stuff | 17:48 |
bdpayne | we should also start getting notifications in here | 17:48 |
bdpayne | for gerrit reviews on the security guide | 17:48 |
bdpayne | and, once we move the OSSNs into that repository, for those as well | 17:48 |
tmcpeak | bdpayne: awesome | 17:49 |
hyakuhei | Hey guys | 18:03 |
bdpayne | hey | 18:04 |
*** nkinder_ has quit IRC | 18:04 | |
tmcpeak | hyakuhei: what's up? | 18:06 |
tmcpeak | how it goes? | 18:06 |
hyakuhei | Hey not bad thanks, how's the gate test magic coming along? | 18:09 |
tmcpeak | hyakuhei: haven't done much since last week, next steps are to make sure from a "hacking" perspective what I've done is clean | 18:12 |
tmcpeak | then find out about how to get it non-blocking on the gate test | 18:13 |
tmcpeak | I also sent an email to viraptor about it in case he knows about any of those things | 18:13 |
tmcpeak | I'd like to pick jogo's brain but he has been away this week | 18:13 |
*** ved_lad has joined #openstack-security | 18:19 | |
*** nkinder_ has joined #openstack-security | 18:21 | |
tmcpeak | anybody know what it means to wrap long lines with parenthesis in Python? | 18:26 |
hyakuhei | Feel free to CC me, I'd like to know what's going on | 18:28 |
hyakuhei | As for line wrapping in python, I think pep8 sets the rules but it's not complicated :) | 18:28 |
tmcpeak | hyakuhei: ok cool, I'll send it to you | 18:28 |
tmcpeak | I could prob. just use a shorter variable name :) | 18:29 |
tmcpeak | sent | 18:31 |
*** nkinder_ has quit IRC | 18:43 | |
*** nkinder_ has joined #openstack-security | 18:55 | |
paulmo | tmcpeak: Yeah, don't use \ at the end to continue lines, () instead | 18:55 |
tmcpeak | paulmo: how does that work? | 18:56 |
tmcpeak | (bla bla bla bla | 18:56 |
tmcpeak | bla bla bla) ? | 18:57 |
bdpayne | yep | 18:58 |
bdpayne | indent the second line so that the chars align... the ( should have a space under it) | 18:59 |
bdpayne | and keep your lines to <= 79 chars | 18:59 |
bdpayne | that's about it | 18:59 |
tmcpeak | bdpayne: ok cool | 18:59 |
paulmo | Basically, sorry, in and out a lot :) | 19:00 |
tmcpeak | paulmo: all good ;) | 19:00 |
tmcpeak | I'm having a strange little problem with my hacking check | 19:00 |
tmcpeak | the code is this: | 19:00 |
tmcpeak | def sec_shell_eq_true(logical_line): | 19:01 |
tmcpeak |     # ignore spaces in the line, to find shell = True, shell =True, etc | 19:01 |
tmcpeak |     line_no_sp = logical_line.replace(' ', '') | 19:01 |
tmcpeak |     if 'shell=True' in line_no_sp and 'subprocess' in line_no_sp: | 19:01 |
tmcpeak |         yield (0, "Security risk: use of shell=True in subprocess call.") | 19:01 |
tmcpeak | and it outputs this | 19:01 |
tmcpeak | ./glance/tests/utils.py:281:5: Secu ity risk: use of shell=True in subprocess call. | 19:01 |
tmcpeak | ./glance/tests/unit/test_migrations.py:176:13: Secu ity risk: use of shell=True in subprocess call. | 19:01 |
tmcpeak | notice the missing 'r' in Security risk: | 19:01 |
tmcpeak | don't know how that's possibly happening | 19:01 |
bdpayne | that's ... special | 19:02 |
tmcpeak | yeah, super special | 19:02 |
openstackgerrit | Christian Berendt proposed a change to openstack/security-doc: Renamed bk-openstack-sec-guide.xml to bk-openstack-security-guide.xml https://review.openstack.org/103985 | 19:50 |
voodookid | tmcpeak: newbie here, but is there a case to be made that perhaps we want to use python functions to do things if we can? | 19:52 |
*** ved_lad has quit IRC | 19:58 | |
*** nkinder_ has quit IRC | 20:02 | |
*** ved_lad has joined #openstack-security | 20:15 | |
*** nkinder_ has joined #openstack-security | 20:45 | |
*** ved_lad has quit IRC | 21:30 | |
*** ved_lad has joined #openstack-security | 21:37 | |
*** paulmo has quit IRC | 22:13 | |
*** paulmo has joined #openstack-security | 22:19 | |
tmcpeak | voodookid: sorry I'm late | 22:55 |
tmcpeak | voodookid: you still around? | 22:55 |
voodookid | no worries | 22:55 |
voodookid | yeah | 22:55 |
tmcpeak | first of all, welcome to OpenStack Security Group | 22:56 |
tmcpeak | second of all, what do you mean about using Python functions to do things? | 22:56 |
voodookid | sorry, I am re-reading what I wrote, it is a bit unclear. I meant, instead of using subprocess, why don't we code something up that does what we want, instead of using an external tool. | 22:57 |
tmcpeak | oh, yeah, so what this is about is detecting the usage of subprocess that has the shell=True parameter set | 22:58 |
voodookid | wondering if it was a philosophical reason, a software development reason, or just easier to do with an external tool | 22:58 |
tmcpeak | we aren't using subprocess ourselves, we are trying to detect it, because when you use shell=True in subprocess you may be vulnerable to shell injection | 22:58 |
tmcpeak | the code I pasted is part of a check we are working on to scan code for sections like that where it may be vulnerable | 22:59 |
voodookid | okay, follow up question, can we say that it would be a good idea to avoid using subprocess? ( I swear I am not trying to be a pain, I am trying to wrap my head around how things get done.) | 22:59 |
tmcpeak | voodookid: no worries, subprocess itself is not a security issue. Sometimes it's the best way to get stuff done. But there is a best practice for usage, which is to pass the command that you are trying to use and the parameters to the command separately | 23:00 |
tmcpeak | you can see this for more information on why | 23:01 |
tmcpeak | https://docs.python.org/3.2/library/subprocess.html | 23:01 |
voodookid | tmcpeak: thanks, I am reading now. I am now wondering if the user who runs subprocess has their shell set to /bin/false or /bin/noshell it will not let them work | 23:04 |
tmcpeak | voodookid: interesting question, that's a pretty far out edge case, and I don't know how subprocess would handle it | 23:05 |
*** paulmo has quit IRC | 23:06 | |
voodookid | could make it a recommendation that when you install openstack, the user that runs the service should be a service account, not a user account. "useradd -r -s /bin/false <username>" is how you would do it in linux. | 23:07 |
voodookid | I dunno, still learning the code a bit more and saw your test come up and was wondering about some of this, so I thought I would pipe up | 23:07 |
tmcpeak | voodookid: that would probably break a lot of the functionality | 23:07 |
voodookid | 'tis what I figured. I also do not know if having the user's shell set to /bin/false would make it if Shell=True to solve the problem to begin with. | 23:08 |
voodookid | I am willing to dig, but that sounds like a larger fix for a problem that may not exist | 23:08 |
tmcpeak | voodookid: yeah, it's probably better just to parameterize the input to subprocess, and then not worry about it as much | 23:08 |
tmcpeak | voodookid: yeah probably a problem that doesn't exist, but hang on to that willingness to dig, we can definitely use that | 23:09 |
voodookid | I am willing to dig. Right now I am really trying to get into Nova to get a feel for how this runs. I am looking at certificate authority related code, which uses subprocess, hence this whole line of thinking. | 23:10 |
tmcpeak | hmm, have you talked to nkinder_ | 23:11 |
tmcpeak | nkinder_: <-- | 23:11 |
voodookid | no, I have been fairly quiet so far | 23:11 |
nkinder_ | my ears are burning... | 23:11 |
tmcpeak | he may be able to point you to an easier place to dive in if you're looking for a good start point | 23:11 |
tmcpeak | voodookid wants to dig | 23:12 |
tmcpeak | got any choice spots? | 23:12 |
voodookid | than nova or the CA stuff? | 23:12 |
tmcpeak | well Nova is pretty complicated for someone new | 23:12 |
tmcpeak | it might be easier and more rewarding to dig in another important but under-served area | 23:12 |
tmcpeak | if you're up for that | 23:12 |
voodookid | I am all for under-served areas | 23:13 |
tmcpeak | sweet, nkinder_ is the guy | 23:13 |
nkinder_ | ok, just read the scroll-back | 23:14 |
nkinder_ | I think most services do run as service accounts | 23:14 |
nkinder_ | voodookid: let me launch my icehouse setup to see what the shell is set to | 23:15 |
voodookid | nkinder_: sweet. Thanks. | 23:16 |
voodookid | tmcpeak: thanks for answering my questions | 23:16 |
tmcpeak | voodookid: sure, and again, welcome | 23:16 |
nkinder_ | voodookid: but I think it's fine if they have no shell set, as they don't need to actually log in | 23:16 |
nkinder_ | voodookid: which CA stuff are you looking at? The only thing really CA related in OpenStack is Barbican | 23:17 |
voodookid | I was wondering if the user the service runs as has $SHELL=/bin/false that if Shell=True in subprocess if that is a remediation for potentially dangerous code. | 23:18 |
voodookid | nkinder_: under nova/CA there is some shell scripts and I recall some code using it. Perhaps it is no longer being used? | 23:18 |
nkinder_ | voodookid: the shell stuff would be easy enough to test in an interactive python session | 23:19 |
voodookid | in nova/crypto.py | 23:19 |
voodookid | nkinder_: yeah, I am thinking the same thing. | 23:20 |
voodookid | I am going to go home, need to walk my dog, but I will be back in a bit. Thanks again nkinder_ and tmcpeak | 23:20 |
*** voodookid has quit IRC | 23:21 | |
nkinder_ | voodookid: that nova stuff looks crusty | 23:21 |
nkinder_ | darn... | 23:21 |
tmcpeak | nkinder_: what's this? | 23:21 |
nkinder_ | tmcpeak: eh, just old cert handling code in nova | 23:22 |
tmcpeak | nkinder_: something to look at? sounds juicy | 23:22 |
nkinder_ | tmcpeak: it's just wrappers around openssl cli | 23:22 |
tmcpeak | nkinder_: I don't see any subprocess calls in this | 23:23 |
nkinder_ | tmcpeak: I think it might be for things like vpn | 23:23 |
nkinder_ | tmcpeak: which would go away as neutron is used more | 23:24 |
tmcpeak | nkinder_: this is calling utils.execute | 23:24 |
tmcpeak | but it looks parameterized | 23:24 |
*** tmcpeak has quit IRC | 23:49 |