Feature #3312

closed

ceph-deploy: pushy uses pickle, that's a security problem

Added by Anonymous over 11 years ago. Updated over 10 years ago.

Status:
Resolved
Priority:
Normal
Assignee:
-
Category:
ceph-deploy
Target version:
-
% Done:
0%

Source:
Tags:
Backport:
Reviewed:
Affected Versions:
Pull request ID:

Description

That means "ceph-deploy osd myhost:sdb" could allow myhost to attack the admin workstation. Deserializing pickles from an untrusted source is dangerous: http://docs.python.org/library/pickle

Either refactor pushy to use a more limited protocol (e.g. JSON objects over SSH?), or port ceph-deploy away from pushy.

The idea of "execute this python function remotely over ssh" is very useful, and teuthology could benefit from it also; don't just go back to "run this unix command remotely".
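
As an added illustration of the point above (example code written for this page, not code from ceph-deploy or pushy): the first half shows why a pickle stream from a remote host is arbitrary code execution on the side that loads it, the second half sketches the "JSON objects over SSH" alternative, where the wire format can only name functions the receiver chose to expose and arguments are plain JSON values. The function names (`disk_list`, `handle_request`), the `ALLOWED` table and the sample hosts are assumptions made for the example; the only real library behaviour relied on is `pickle`'s `__reduce__` protocol and `json`.

```python
import json
import pickle

# ---- 1. Why unpickling data from an untrusted host is code execution ----
# A pickle is a program for a small stack machine. Its REDUCE opcode names
# any importable callable plus arguments, and pickle.loads() calls it while
# rebuilding the object. A remote host that controls the bytes therefore
# runs code on the admin workstation before ceph-deploy even sees a result.

EXECUTED = []  # constructed marker: records that the payload ran on load


def record(tag):
    """Benign stand-in for what a real payload would call (os.system etc.)."""
    EXECUTED.append(tag)
    return tag


class Exploit(object):
    # __reduce__ tells pickle: "rebuild me by calling record('...')".
    def __reduce__(self):
        return (record, ("pwned-by-remote-host",))


def hostile_pickle():
    """Bytes a hostile 'myhost' could send back over the pushy channel."""
    return pickle.dumps(Exploit())


def unsafe_unpickle(data):
    """What a pickle-based RPC layer does with the bytes: runs the payload."""
    return pickle.loads(data)


# ---- 2. A limited protocol: JSON requests, allow-listed function names --
# "Execute this python function remotely" survives, but only functions in
# ALLOWED can be called, and json.loads() can only yield dicts, lists,
# strings, numbers, booleans and None, never code or class references.

def disk_list(host):
    return ["sda", "sdb"]  # constructed stand-in for real work on `host`


ALLOWED = {"disk_list": disk_list}  # assumed export table, one name per function


class ProtocolError(Exception):
    pass


def encode_request(func_name, *args, **kwargs):
    """One newline-delimited JSON request, as the admin side would write it."""
    msg = {"call": func_name, "args": list(args), "kwargs": kwargs}
    return json.dumps(msg).encode("utf-8") + b"\n"


def handle_request(line):
    """Receiver side: validate the envelope, dispatch only through ALLOWED."""
    try:
        msg = json.loads(line.decode("utf-8"))
    except (ValueError, UnicodeDecodeError) as e:
        raise ProtocolError("not JSON: %s" % e)
    if not isinstance(msg, dict) or not isinstance(msg.get("call"), str):
        raise ProtocolError("malformed request envelope")
    func = ALLOWED.get(msg["call"])
    if func is None:
        # "os.system", "subprocess.Popen", ... all land here: not exported.
        raise ProtocolError("function not exposed: %r" % msg["call"])
    args = msg.get("args", [])
    kwargs = msg.get("kwargs", {})
    if not isinstance(args, list) or not isinstance(kwargs, dict):
        raise ProtocolError("malformed arguments")
    try:
        result = func(*args, **kwargs)
    except Exception as e:  # remote failure is data, not an exception on our side
        return {"ok": False, "error": str(e)}
    return {"ok": True, "result": result}


def hostile_json():
    """A request that tries to name an arbitrary callable, as pickle allowed."""
    return json.dumps({"call": "os.system", "args": ["id"]}).encode("utf-8")


def is_rejected(line):
    """True if handle_request refuses the request at the protocol layer."""
    try:
        handle_request(line)
    except ProtocolError:
        return True
    return False


if __name__ == "__main__":
    print(unsafe_unpickle(hostile_pickle()), EXECUTED)  # payload ran on load
    print(handle_request(encode_request("disk_list", "myhost")))
    print(is_rejected(hostile_json()))
```

With the JSON envelope the receiving side decides what is callable; the sender can still ask for "disk_list" with bad arguments, but cannot ask for a function that was never exported, which is the property pickle cannot give.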

#1

Updated by Anonymous over 11 years ago

  • Subject changed from ceph-deploy: pushy uses pickle, that's a security problenm to ceph-deploy: pushy uses pickle, that's a security problem
  • Description updated (diff)
#2

Updated by Sage Weil about 11 years ago

  • Category set to ceph-deploy
#3

Updated by Neil Levine about 11 years ago

  • Status changed from New to 12
#4

Updated by Alfredo Deza over 10 years ago

  • Status changed from 12 to Resolved

We no longer use Pushy.
