From: Richard Purdie <richard.purdie@linuxfoundation.org>
To: "Damian, Alexandru" <alexandru.damian@intel.com>
Cc: "toaster@yoctoproject.org" <toaster@yoctoproject.org>
Subject: Re: FW: [RFC] blacklisted variables
Date: Fri, 19 Sep 2014 12:26:30 +0100 [thread overview]
Message-ID: <1411125990.4736.18.camel@ted> (raw)
In-Reply-To: <CAJ2CSBsNjGDFPH1sONcy34M_HM_6nnrzK5kPrtKOQ4uuwC=PqQ@mail.gmail.com>
On Fri, 2014-09-19 at 11:56 +0100, Damian, Alexandru wrote:
> Difficult to say; it's in the interest of those who would run toaster
> services open to the public.
>
> If we would be the ones to host the Toaster service, the effort would
> have to be supported by probably the whole Yocto team; we need to
> look into vulnerabilities that can be triggered by setting variables,
> e.g. remote code executions - I guess that Richard and Paul should
> take a look at how variables can be exploited in Bitbake, and then we
> need to audit the core layers too, since basically each recipe can do
> whatever it chooses with variables.
The nature of the way the metadata works is such that if you allow the
user any variable or metadata access, its like giving them a shell
account as the build user.
I don't see any way to change that and any of these audits are just
going to hide the problem, not solve it since fundamentally, bitbake is
a code execution engine. A simple example is setting a variable to
${@" ".join(open("/etc/shadow", "r").readlines())}. You could call into
your own function which opens up a socket and starts an ssh server quite
easily.
The structure of any public offering therefore needs to be structured
such that there are accounts and those accounts are controlled in some
way. The actual build slaves need to be monitored and probably
firewalled with the slave user accounts suitably locked down.
Cheers,
Richard
next prev parent reply other threads:[~2014-09-19 11:26 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-09-15 14:50 FW: [RFC] blacklisted variables Barros Pena, Belen
2014-09-18 11:22 ` Damian, Alexandru
2014-09-18 12:19 ` Barros Pena, Belen
2014-09-19 10:56 ` Damian, Alexandru
2014-09-19 11:26 ` Richard Purdie [this message]
2014-09-22 9:38 ` Damian, Alexandru
2014-09-23 16:45 ` Barros Pena, Belen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1411125990.4736.18.camel@ted \
--to=richard.purdie@linuxfoundation.org \
--cc=alexandru.damian@intel.com \
--cc=toaster@yoctoproject.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.