You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@ambari.apache.org by Andrew Onischuk <ao...@hortonworks.com> on 2015/09/14 13:55:30 UTC
Review Request 38353: Verify if restricting acls on
/var/lib/ambari-agent/data will be OK
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/38353/
-----------------------------------------------------------
Review request for Ambari and Dmitro Lisnichenko.
Bugs: AMBARI-13087
https://issues.apache.org/jira/browse/AMBARI-13087
Repository: ambari
Description
-------
**DO NOT CREATE AN EXTERNAL APACHE JIRA**
Add the findings to this JIRA. This is a potential security issue and hence a
different process needs to be followed.
1\. the permissions of the /var/lib/ambari-agent/data folder is 0744. The data
folder contains output and error streams from all ambari agents’ commands. If
a script prints any of its parameters to the screen, such as passwords, either
while succeeding, or when an exception is thrown, then all users on the system
are able to read this data. Unless we’re mistaken, the correct permissions on
this folder should be 0700.
2\. The permissions of the /var/lib/ambari-agent/keys/<hostname>.key private
key is set to 0644. This makes the private key of the ambari agent publically
readable. As far as we know, ambari agents talk to the server with SSL using
the key placed here (if SSL is enabled). We think that within a short amount
of time it is possible for any user on the system to craft the call to the
ambari server pretending to be the ambari agent heartbeat, and intercept all
configurations being sent to the ambari agent. These configurations contain
all parameters of the cluster, and are therefore prone to containing admin
passwords, it undermines the SSL encryption completely. Unless we’re mistaken,
the correct permissions should be 0600.
Further suggestions:
chmod -R 0600 /var/lib/ambari-agent/data
chmod -R a+X /var/lib/ambari-agent/data
chmod -R a+rx /var/lib/ambari-agent/data/tmp
chmod 0600 /var/lib/ambari-agent/keys/*.key
Ideally ambari would separate out this temporary directory and even smartly
review creation of files to be chowned to the correct user. These scripts
often are created from templates and may then also possibly contain passwords.
**DO NOT CREATE AN EXTERNAL APACHE JIRA**
Diffs
-----
ambari-agent/conf/unix/ambari-agent.ini abfde62
ambari-agent/conf/unix/install-helper.sh 48391d5
ambari-agent/pom.xml c2bee4a
ambari-agent/src/main/python/ambari_agent/Constants.py PRE-CREATION
ambari-agent/src/main/python/ambari_agent/CustomServiceOrchestrator.py 6ee929cb
ambari-agent/src/main/python/ambari_agent/alerts/metric_alert.py aa4ad75
ambari-agent/src/main/python/ambari_agent/alerts/script_alert.py 76afbc9
ambari-agent/src/main/python/ambari_agent/alerts/web_alert.py b76d5e0
ambari-agent/src/main/python/ambari_agent/security.py bfaf134
ambari-agent/src/test/python/ambari_agent/TestCertGeneration.py d188dbd
ambari-agent/src/test/python/ambari_agent/TestCustomServiceOrchestrator.py 831ecce
ambari-agent/src/test/python/ambari_agent/TestSecurity.py c47172a
ambari-common/src/main/python/resource_management/libraries/script/script.py a2c0c45
ambari-server/src/main/python/bootstrap.py 98a3a93
ambari-server/src/main/resources/common-services/HDFS/2.1.0.2.0/package/scripts/namenode.py 1415367
ambari-server/src/test/python/TestBootstrap.py 1fcb3ad
Diff: https://reviews.apache.org/r/38353/diff/
Testing
-------
mvn clean test
Thanks,
Andrew Onischuk
Re: Review Request 38353: Verify if restricting acls on
/var/lib/ambari-agent/data will be OK
Posted by Andrew Onischuk <ao...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/38353/
-----------------------------------------------------------
(Updated Sept. 14, 2015, 11:58 a.m.)
Review request for Ambari and Dmitro Lisnichenko.
Bugs: AMBARI-13087
https://issues.apache.org/jira/browse/AMBARI-13087
Repository: ambari
Description (updated)
-------
-
Diffs
-----
ambari-agent/conf/unix/ambari-agent.ini abfde62
ambari-agent/conf/unix/install-helper.sh 48391d5
ambari-agent/pom.xml c2bee4a
ambari-agent/src/main/python/ambari_agent/Constants.py PRE-CREATION
ambari-agent/src/main/python/ambari_agent/CustomServiceOrchestrator.py 6ee929cb
ambari-agent/src/main/python/ambari_agent/alerts/metric_alert.py aa4ad75
ambari-agent/src/main/python/ambari_agent/alerts/script_alert.py 76afbc9
ambari-agent/src/main/python/ambari_agent/alerts/web_alert.py b76d5e0
ambari-agent/src/main/python/ambari_agent/security.py bfaf134
ambari-agent/src/test/python/ambari_agent/TestCertGeneration.py d188dbd
ambari-agent/src/test/python/ambari_agent/TestCustomServiceOrchestrator.py 831ecce
ambari-agent/src/test/python/ambari_agent/TestSecurity.py c47172a
ambari-common/src/main/python/resource_management/libraries/script/script.py a2c0c45
ambari-server/src/main/python/bootstrap.py 98a3a93
ambari-server/src/main/resources/common-services/HDFS/2.1.0.2.0/package/scripts/namenode.py 1415367
ambari-server/src/test/python/TestBootstrap.py 1fcb3ad
Diff: https://reviews.apache.org/r/38353/diff/
Testing
-------
mvn clean test
Thanks,
Andrew Onischuk
Re: Review Request 38353: Verify if restricting acls on
/var/lib/ambari-agent/data will be OK
Posted by Dmitro Lisnichenko <dl...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/38353/#review98833
-----------------------------------------------------------
Ship it!
Ship It!
- Dmitro Lisnichenko
On Sept. 14, 2015, 11:55 a.m., Andrew Onischuk wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/38353/
> -----------------------------------------------------------
>
> (Updated Sept. 14, 2015, 11:55 a.m.)
>
>
> Review request for Ambari and Dmitro Lisnichenko.
>
>
> Bugs: AMBARI-13087
> https://issues.apache.org/jira/browse/AMBARI-13087
>
>
> Repository: ambari
>
>
> Description
> -------
>
> **DO NOT CREATE AN EXTERNAL APACHE JIRA**
> Add the findings to this JIRA. This is a potential security issue and hence a
> different process needs to be followed.
>
> 1\. the permissions of the /var/lib/ambari-agent/data folder is 0744. The data
> folder contains output and error streams from all ambari agents’ commands. If
> a script prints any of its parameters to the screen, such as passwords, either
> while succeeding, or when an exception is thrown, then all users on the system
> are able to read this data. Unless we’re mistaken, the correct permissions on
> this folder should be 0700.
>
> 2\. The permissions of the /var/lib/ambari-agent/keys/<hostname>.key private
> key is set to 0644. This makes the private key of the ambari agent publically
> readable. As far as we know, ambari agents talk to the server with SSL using
> the key placed here (if SSL is enabled). We think that within a short amount
> of time it is possible for any user on the system to craft the call to the
> ambari server pretending to be the ambari agent heartbeat, and intercept all
> configurations being sent to the ambari agent. These configurations contain
> all parameters of the cluster, and are therefore prone to containing admin
> passwords, it undermines the SSL encryption completely. Unless we’re mistaken,
> the correct permissions should be 0600.
>
> Further suggestions:
> chmod -R 0600 /var/lib/ambari-agent/data
> chmod -R a+X /var/lib/ambari-agent/data
> chmod -R a+rx /var/lib/ambari-agent/data/tmp
> chmod 0600 /var/lib/ambari-agent/keys/*.key
>
> Ideally ambari would separate out this temporary directory and even smartly
> review creation of files to be chowned to the correct user. These scripts
> often are created from templates and may then also possibly contain passwords.
>
> **DO NOT CREATE AN EXTERNAL APACHE JIRA**
>
>
> Diffs
> -----
>
> ambari-agent/conf/unix/ambari-agent.ini abfde62
> ambari-agent/conf/unix/install-helper.sh 48391d5
> ambari-agent/pom.xml c2bee4a
> ambari-agent/src/main/python/ambari_agent/Constants.py PRE-CREATION
> ambari-agent/src/main/python/ambari_agent/CustomServiceOrchestrator.py 6ee929cb
> ambari-agent/src/main/python/ambari_agent/alerts/metric_alert.py aa4ad75
> ambari-agent/src/main/python/ambari_agent/alerts/script_alert.py 76afbc9
> ambari-agent/src/main/python/ambari_agent/alerts/web_alert.py b76d5e0
> ambari-agent/src/main/python/ambari_agent/security.py bfaf134
> ambari-agent/src/test/python/ambari_agent/TestCertGeneration.py d188dbd
> ambari-agent/src/test/python/ambari_agent/TestCustomServiceOrchestrator.py 831ecce
> ambari-agent/src/test/python/ambari_agent/TestSecurity.py c47172a
> ambari-common/src/main/python/resource_management/libraries/script/script.py a2c0c45
> ambari-server/src/main/python/bootstrap.py 98a3a93
> ambari-server/src/main/resources/common-services/HDFS/2.1.0.2.0/package/scripts/namenode.py 1415367
> ambari-server/src/test/python/TestBootstrap.py 1fcb3ad
>
> Diff: https://reviews.apache.org/r/38353/diff/
>
>
> Testing
> -------
>
> mvn clean test
>
>
> Thanks,
>
> Andrew Onischuk
>
>