[Bug 1763830] Re: [MIR] gce-compute-image-packages
Seth Arnold
1763830 at bugs.launchpad.net
Thu Jun 7 02:35:31 UTC 2018
I reviewed gce-compute-image-packages version 20180129+dfsg1-0ubuntu3 as
checked into bionic. This is not a full security audit but rather a quick
gauge of maintainability.
I didn't see any CVEs in our database.
- gce-compute-image-packages provides utilities and integration useful on
  Google's cloud hosting platform, including new account creation,
  centralized account management, granting blanket sudo rules, ssh keys,
  and a variety of other configuration tools.
- Build-Depends: cmake, debhelper, dh-python, dh-systemd,
  libcurl4-openssl-dev, libgtest-dev, libjson-c-dev, libpam-dev,
  python-all, python-setuptools, python3-all, python3-setuptools,
  python-pytest, python3-pytest, python-mock, python-boto, python3-boto
- Several daemons started via systemd, do not themselves daemonize
- pre/post inst/rm scripts are automatically generated code, except for a
  piece that will stop services before removing them
- No initscripts; systemd unit files to start:
  - accounts daemon
  - clock skew daemon
  - instance setup
  - ip forwarding daemon
  - network setup
  - shutdown scripts
  - startup scripts
- No dbus services
- No setuid
- Adds several binaries to PATH:
  - google_accounts_daemon
  - google_clock_skew_daemon
  - google_instance_setup
  - google_ip_forwarding_daemon
  - google_metadata_script_runner
  - google_network_setup
  - optimize_local_ssd
  - set_multiqueue
  - google_authorized_keys
  - google_oslogin_control
- No sudo fragments in the static packaging -- adds new sudo entries at
  runtime, however
- udev rules to add some device nodes, permissions, set storage parameters
- Small-ish test suite run during the build, this is a hard thing to test
  in isolation but hopefully this is helpful
- Some subprocesses are spawned, via string-based execution tools;
  sometimes with only the authentication server's checks for username
  validity to ensure shell metachars aren't included in inputs. Ideally
  these would perform checks for shell metachars directly.
- memory management looked careful
- Files are written to -- including sudoers files -- and if the umask of
  the process isn't correct, it might allow a race condition for local
  attacks.
- No environment variable use
- Privileged functions looked careful, with exception of writing sudoers
  files
- No cryptography
- No privileged portions of code
- No temporary files
- Does not use WebKit
- Does not use PolicyKit
- Clean cppcheck
- pam_sm_acct_mgmt() functions rely upon the correct behaviour of a remote
  web service to prevent local security problems with usernames that
  include e.g. ../../.. substrings.
- pam_sm_acct_mgmt() in pam_oslogin_admin.cc creates a sudoers file before
  setting appropriate permissions; if C++ doesn't have a mechanism to
  expose open(2)'s modes, then it would be best to set the umask() to
  something restrictive before this open() call.
- Is /lib/libnss_google-compute-engine-oslogin-1.1.4.so the right path for
  libraries?
Security team ACK for promoting gce-compute-image-packages to main.
Thanks
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to gce-compute-image-packages in
Ubuntu.
https://bugs.launchpad.net/bugs/1763830
Title:
[MIR] gce-compute-image-packages
Status in gce-compute-image-packages package in Ubuntu:
New
Bug description:
[Availability]
gce-compute-image-packages is in universe and only depends on packages provided in main or by the sourcepackage itself. It has been in the archive since Yakkety. The package builds for all architectures.
[Rationale]
This package is included on the GCE images and the Ubuntu Foundations team has been supporting it as such. We'd like to get it included in main as that's the right thing to do.
[Security]
[Quality assurance]
There are currently 0 open bug reports (excluding this one) about the package and the Ubuntu Foundations team (foundations-bugs) is subscribed to bugs about the package.
[Dependencies]
All binary dependencies are from main or come from the source package itself.
[Standards compliance]
[Maintenance]
The Ubuntu Foundations team will continue to maintain the package as they have been doing.
[Background information]
Description: GCE's compute-image-packages for use in their guest environment
This is a collection of scripts that are used on Google Compute Engine images to ensure compatibility with the cloud, as well as to enable features specific to the cloud.
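An added example, not part of the original message and not code from gce-compute-image-packages, for the two review points above about pam_sm_acct_mgmt(): checking usernames locally instead of trusting the remote service, and creating the sudoers file with restrictive permissions through open(2)'s mode argument so it is never briefly world-accessible. The function names, the directory, and the sample sudoers rule are assumptions made for illustration.

```cpp
// Added example; names are hypothetical, not from the reviewed package.
#include <fcntl.h>
#include <sys/stat.h>
#include <unistd.h>
#include <cstdio>
#include <cstdlib>
#include <string>

// Local allow-list check: do not depend on the remote service to keep
// "../" or shell metacharacters out of names used in paths and commands.
bool valid_username(const std::string& u) {
  if (u.empty() || u.size() > 32) return false;
  if (!(u[0] == '_' || (u[0] >= 'a' && u[0] <= 'z'))) return false;
  for (char c : u) {
    bool ok = (c >= 'a' && c <= 'z') || (c >= '0' && c <= '9') ||
              c == '_' || c == '-';
    if (!ok) return false;
  }
  return true;
}

// Create dir/user with mode 0440 from the first instant it exists.
// Returns 0 on success, -1 on any failure (bad name, file exists, I/O).
int write_sudoers_fragment(const std::string& dir, const std::string& user) {
  if (!valid_username(user)) return -1;
  const std::string path = dir + "/" + user;
  // O_EXCL | O_NOFOLLOW: refuse pre-planted files and symlinks.
  int fd = open(path.c_str(),
                O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW | O_CLOEXEC, 0440);
  if (fd < 0) return -1;
  // Constructed sample rule, standing in for the module's real content.
  const std::string rule = user + " ALL=(ALL) NOPASSWD: ALL\n";
  bool ok = fchmod(fd, 0440) == 0 &&  // exact mode even if umask cleared bits
            write(fd, rule.data(), rule.size()) == (ssize_t)rule.size() &&
            fsync(fd) == 0;
  if (close(fd) != 0) ok = false;
  if (!ok) unlink(path.c_str());
  return ok ? 0 : -1;
}

int main() {
  char tmpl[] = "/tmp/sudoers-demo-XXXXXX";  // stand-in for the sudoers dir
  if (!mkdtemp(tmpl)) return 1;
  umask(0);  // worst case: the process umask masks nothing off
  std::printf("alice: %d\n", write_sudoers_fragment(tmpl, "alice"));
  std::printf("../../x: %d\n", write_sudoers_fragment(tmpl, "../../x"));
  return 0;
}
```

Because the mode is passed to open(2), the umask can only remove permission bits from the new file, never add them, so the result does not depend on the caller having set a restrictive umask first.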