Bug 737229

Summary: security risk by enabled gofer builtin plugin in default rpm installation
Product: [Retired] Pulp
Reporter: chris
Component: user-experience
Assignee: Jeff Ortel <jortel>
Status: CLOSED CURRENTRELEASE
QA Contact: Preethi Thomas <pthomas>
Severity: unspecified
Priority: unspecified
Version: unspecified
CC: skarmark
Keywords: Triaged
Target Release: Sprint 28
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Last Closed: 2012-02-24 20:14:56 UTC

Description chris 2011-09-10 07:19:49 UTC
Hi all,

In the default pulp-consumer rpm installation, the gofer builtin plugin is enabled.
This allows calling Shell.run() (from /usr/lib/gofer/plugins/builtin.py) unauthenticated :(

Kindly,
Chris

Version-Release number of selected component (if applicable):

pulp-common-0.0.223-4.el6.noarch
pulp-consumer-0.0.223-4.el6.noarch
pulp-client-lib-0.0.223-4.el6.noarch
python-gofer-0.44-1.el6.noarch
gofer-0.44-1.el6.noarch


How reproducible:
yum install pulp-consumer

cat /etc/gofer/plugins/builtin.conf
[main]
enabled=1

[messaging]
url=
uuid=

Comment 1 Jeff Ortel 2011-09-19 15:24:37 UTC
Hey Chris,

Thanks for filing this.

I suspected this would come up at some point.  In 0.49, I added PAM authentication capabilities to gofer and updated the Shell.run() method to require that a user and password be supplied.  The shell command is executed as the specified user and authenticated with the supplied password (via PAM).  If disabling access to the Shell class (by default) is also necessary, I will probably move the Shell class from the builtin plugin to a new plugin that is packaged in its own rpm.  I'd rather leave the builtin plugin enabled because it provides the Admin class containing a help() method.  The help() is generally useful and I don't see how it would present a security risk.

Do you think the Shell class needs to be installed in a separate plugin if a user and password are required and authenticated?  Or is the authentication enough to mitigate the security risk?

-jeff

Comment 2 chris 2011-09-19 16:07:52 UTC
Hi Jeff,

thanks for your answer.

In my opinion an authenticated Shell class would be enough to mitigate the security risk and usable in my server environment. But a separate plugin rpm would also be a fine solution because not every project (beyond pulp) needs the Admin/Shell class installed on all client (gofer agent) systems.

kindly, chris

Comment 3 Jeff Ortel 2011-09-27 20:30:27 UTC
Shell.run() repackaged into a separate plugin (and rpm).  Also, locked down by PAM authentication.  Shell commands require a username and password.  The shell command is run as the specified user after PAM authentication.

Released in: gofer 0.49.

Comment 4 Jeff Ortel 2011-09-29 00:26:58 UTC
build: 0.235

Comment 5 Jeff Ortel 2011-10-03 19:39:09 UTC
Testing:

1) upgrade to gofer 0.50.
2) restart goferd
3) Do the following in python and note that the Shell class is no longer included in the "builtin" plugin by invoking the help() RMI.  The help() method shows a list of available plugins along with provided classes (and methods), functions and actions.

Then, create the Shell class and invoke the run() RMI and notice the ClassNotFound exception.

$ python
>>> from gofer import proxy
>>> agent = proxy.agent('jortel')
>>> admin = agent.Admin()
>>> print admin.help()
Plugins:

  <plugin> builtin
    Classes:
      <class> Admin
        methods:
          hello()
          help()
    Functions:
      echo(something)

Actions:
  builtin.TestAction.hello() 1 day, 12:00:00

>>> shell = agent.Shell()
>>> print shell.run('ps')
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib/python2.7/site-packages/gofer/rmi/stub.py", line 72, in __call__
    return self.stub._send(request, opts)
  File "/usr/lib/python2.7/site-packages/gofer/rmi/stub.py", line 132, in _send
    return self.__send(request, options)
  File "/usr/lib/python2.7/site-packages/gofer/rmi/stub.py", line 162, in __send
    any=opts.any)
  File "/usr/lib/python2.7/site-packages/gofer/rmi/policy.py", line 144, in send
    return self.__getreply(sn, reader)
  File "/usr/lib/python2.7/site-packages/gofer/rmi/policy.py", line 181, in __getreply
    return self.__onreply(envelope)
  File "/usr/lib/python2.7/site-packages/gofer/rmi/policy.py", line 197, in __onreply
    raise RemoteException.instance(reply)
gofer.rmi.dispatcher.ClassNotFound: Shell

>>> exit
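The check from Comment 5, automated: an added example (not gofer's or Pulp's own code) that parses the Admin.help() listing format shown above and reports whether an agent still serves a watched RMI class such as Shell. The after-fix sample is copied from Comment 5; the pre-fix listing and its run(cmd) signature are constructed, and the parser also handles multi-plugin listings like the one in Comment 7.

```python
# Copied from Comment 5 of this ticket (gofer 0.50, after the fix).
HELP_AFTER_FIX = """\
Plugins:

  <plugin> builtin
    Classes:
      <class> Admin
        methods:
          hello()
          help()
    Functions:
      echo(something)

Actions:
  builtin.TestAction.hello() 1 day, 12:00:00
"""
# Constructed pre-fix listing; the run(cmd) signature is assumed, the ticket only shows run() being called.
HELP_BEFORE_FIX = HELP_AFTER_FIX.replace(
    "    Functions:",
    "      <class> Shell\n        methods:\n          run(cmd)\n    Functions:")

def parse_help(text):
    """Return {plugin: {'classes': {name: [methods]}, 'functions': [...]}}."""
    plugins, plugin, cls, section = {}, None, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Actions:":
            break  # scheduled actions follow; they are not RMI entry points
        if line.startswith("<plugin> "):
            plugin = plugins.setdefault(line.split(None, 1)[1], {"classes": {}, "functions": []})
            cls = section = None
        elif not line or plugin is None:
            continue  # blank lines and the leading "Plugins:" header
        elif line in ("Classes:", "methods:"):
            section = "classes"
        elif line == "Functions:":
            section, cls = "functions", None
        elif line.startswith("<class> "):
            cls = line.split(None, 1)[1]
            plugin["classes"][cls] = []
        elif section == "classes" and cls is not None:
            plugin["classes"][cls].append(line)
        elif section == "functions":
            plugin["functions"].append(line)
    return plugins

def exposed_rmi(text, watch=("Shell",)):
    # Sorted 'plugin.Class' names for any watched class the agent still serves.
    return sorted("%s.%s" % (p, c) for p, plug in parse_help(text).items()
                  for c in plug["classes"] if c in watch)
```

An empty result from exposed_rmi() on a live agent's help() output is the same "Shell is gone" evidence the ClassNotFound traceback gives, without invoking the class.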

Comment 6 chris 2011-10-03 20:00:48 UTC
just works :) thanks a lot. you can close this issue.

regards, chris

Comment 7 Preethi Thomas 2011-10-04 15:51:07 UTC
verified
[root@preethi ~]# rpm -q pulp
pulp-0.0.237-2.fc15.noarch
[root@preethi ~]# 


[root@preethi ~]# python
Python 2.7.1 (r271:86832, Apr 12 2011, 16:15:16) 
[GCC 4.6.0 20110331 (Red Hat 4.6.0-2)] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> from gofer import proxy
>>> agent = proxy.agent('preethi')

>>> admin = agent.Admin()
>>> print admin.help()
Plugins:

  <plugin> pulpplugin
    Classes:
      <class> ProfileUpdateAction
        methods:
          perform()
      <class> Packages
        methods:
          install(names, reboot, assumeyes)
      <class> PackageGroups
        methods:
          install(groups)
      <class> Heartbeat
        methods:
          send()
    Functions:

  <plugin> consumer
    Classes:
      <class> Consumer
        methods:
          bind(repo_id, bind_data)
          unbind(repo_id)
          unregistered()
          update(repo_id, bind_data)
    Functions:

  <plugin> builtin
    Classes:
      <class> Admin
        methods:
          hello()
          help()
    Functions:
      echo(something)

Actions:
  pulpplugin.ProfileUpdateAction.perform() 4:00:00
  builtin.TestAction.hello() 1 day, 12:00:00
  pulpplugin.IdentityAction.perform() 0:00:01
  pulpplugin.Heartbeat.heartbeat() 0:00:10
>>> shell = agent.Shell()
>>> print shell.run('ps')
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib/python2.7/site-packages/gofer/rmi/stub.py", line 72, in __call__
    return self.stub._send(request, opts)
  File "/usr/lib/python2.7/site-packages/gofer/rmi/stub.py", line 132, in _send
    return self.__send(request, options)
  File "/usr/lib/python2.7/site-packages/gofer/rmi/stub.py", line 162, in __send
    any=opts.any)
  File "/usr/lib/python2.7/site-packages/gofer/rmi/policy.py", line 144, in send
    return self.__getreply(sn, reader)
  File "/usr/lib/python2.7/site-packages/gofer/rmi/policy.py", line 181, in __getreply
    return self.__onreply(envelope)
  File "/usr/lib/python2.7/site-packages/gofer/rmi/policy.py", line 197, in __onreply
    raise RemoteException.instance(reply)
gofer.rmi.dispatcher.ClassNotFound: Shell
>>>

Comment 8 Preethi Thomas 2012-02-24 20:14:56 UTC
Pulp v1.0 is released
Closed Current Release.

Comment 9 Preethi Thomas 2012-02-24 20:19:47 UTC
Pulp v1.0 is released.