Ubuntu
cobbler package

a some what odd configuration in cobbler.wsgi

Bug #858875 reported by David
258
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Cobbler
New
Unknown
cobbler (Ubuntu)
Fix Released
High
Unassigned

Bug Description

I find it rather odd that in /usr/share/cobbler/web/ cobbler.wsgi
the following is set -->
os.environ['PYTHON_EGG_CACHE'] = '/tmp'

which probably isn't a good idea, however I am not exactly sure on the impact of it (at this point). It seems that the PYTHON_EGG_CACHE is the location where any eggs that cobbler might use would be unpacked. As cobblerd runs as root, if a local user (I haven't verified this, it just seems easier to fix this bug...) it might be possible for them to place their own python modules (which would be read as they are from the 'cache') and gain root privileges.

Note: I installed cobbler as a result of installing ubuntu-orchestra. (cobbler version: 2.1.0+git20110602-0ubuntu25).

Related branches

lp:~clint-fewbar/ubuntu/oneiric/cobbler/misc-fixes
Chuck Short: Pending requested
Andres Rodriguez: Pending requested
Diff: 164 lines (+56/-5)
11 files modified
.pc/58_fix_egg_cache.patch/web/cobbler.wsgi (+10/-0)
.pc/applied-patches (+1/-0)
debian/changelog (+16/-0)
debian/cobbler-common.install (+0/-1)
debian/cobbler-web.dirs (+1/-0)
debian/cobbler-web.postinst (+3/-0)
debian/cobbler.postinst (+1/-0)
debian/control (+3/-3)
debian/patches/58_fix_egg_cache.patch (+19/-0)
debian/patches/series (+1/-0)
web/cobbler.wsgi (+1/-1)
lp:ubuntu/precise/cobbler
lp:ubuntu/oneiric-proposed/cobbler
David (d--)
visibility: private → public
Serge Hallyn (serge-hallyn)
Changed in cobbler (Ubuntu):
importance: Undecided → High
Clint Byrum (clint-fewbar)
Changed in cobbler (Ubuntu):
status: New → Triaged
Revision history for this message
Clint Byrum (clint-fewbar) wrote :

http://code.google.com/p/modwsgi/wiki/ApplicationIssues

"Note that you should refrain from ever using directories or files which have been made writable to anyone as this could compromise security. Also be aware that if hosting multiple applications under the same web server, they will all run as the same user and so it will be possible for each to both see and modify each others files. If this is an issue, you should host the applications on different web servers running as different users or on different systems. Alternatively, any data required or updated by the application should be hosted in a database with separate accounts for each application."

This file comes from upstream, so I forwarded the bug there as well.

Bug Watch Updater (bug-watch-updater)
Changed in cobbler:
status: Unknown → New
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package cobbler - 2.2.2-0ubuntu1

---------------
cobbler (2.2.2-0ubuntu1) precise; urgency=low

  [Chuck Short]
  * New upstream release:
    + Use dh_python2 everywhere.
    + Folded debian/patches/49_ubuntu_add_arm_arch_support.patch
      and debian/patches/56_ubuntu_arm_generate_pxe_files.patch
      into one patch for easier upstreaming.
    + Dropped debian/patches/50_fix_cobbler_timezone.patch:
      Fix upstream.
    + Dropped debian/patches/47_ubuntu_add_oneiric_codename.patch
      in favor of debian/patches/47_ubuntu_add_codenames.patch:
      It adds "precise" and drops unsupported releases as well.
    + Dropped debian/patches/41_update_tree_path_with_arch.patch:
      No longer needed.
    + Dropped debian/patches/55_ubuntu_branding.patch: Will be moved
      to orchestra

   [Clint Byrum]
   * debian/cobbler.postinst: create users.digest mode 0600 so it
     is not world readable. (LP: #858860)
   * debian/control: cobbler needs to depend on python-cobbler
     (LP: #863738)
   * debian/patches/58_fix_egg_cache.patch: Do not point dangerous
     PYTHON_EGG_CACHE at world writable directory. (LP: #858875)
   * debian/cobbler-common.install: remove users.digest as it is
     not required and contains a known password that would leave
     cobblerd vulnerable if started before configuration is done
   * debian/cobbler-web.postinst: fix perms on webui_sessions to
     be more secure (LP: #863755)

   [Robie Basak]
   * Backport safe YAML load from upstream. (LP: #858883)
 -- Chuck Short <email address hidden> Tue, 15 Nov 2011 12:35:40 -0500

Changed in cobbler (Ubuntu):
status: Triaged → Fix Released
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.