)]}'
{"doc/source/index.rst":[{"author":{"_account_id":6928,"name":"Ben Nemec","email":"openstack@nemebean.com","username":"bnemec"},"change_message_id":"b70f71cd4337f21c92d862cebf3ba2aef08ea141","unresolved":false,"context_lines":[{"line_number":12,"context_line":""},{"line_number":13,"context_line":".. _principle of least privilege: https://en.wikipedia.org/wiki/\\"},{"line_number":14,"context_line":"                                  Principle_of_least_privilege"},{"line_number":15,"context_line":".. _specification: https://specs.openstack.org/openstack/\\"},{"line_number":16,"context_line":"                   oslo-specs/specs/liberty/privsep.html"},{"line_number":17,"context_line":""},{"line_number":18,"context_line":"Contents"}],"source_content_type":"text/x-rst","patch_set":2,"id":"5fc1f717_603e5c2a","line":15,"updated":"2019-04-05 15:15:12.000000000","message":"For some reason this is 404\u0027ing in the rendered version. There\u0027s an extra space being inserted at the line break.\n\nThe wikipedia link works, but I think there must be some magic happening on their side because I see the space in the link target.","commit_id":"fe64ea981fa9300c5d13baff6d710db36fa6220d"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"8f422236aff33e542fbe7ee02fe8ae6a57cc692d","unresolved":false,"context_lines":[{"line_number":10,"context_line":"a good idea please read over the `principle of least privilege`_ and"},{"line_number":11,"context_line":"the `specification`_ which created this library."},{"line_number":12,"context_line":""},{"line_number":13,"context_line":".. _principle of least privilege: https://en.wikipedia.org/wiki/\\"},{"line_number":14,"context_line":"                                  Principle_of_least_privilege"},{"line_number":15,"context_line":".. 
_specification: https://specs.openstack.org/openstack/\\"},{"line_number":16,"context_line":"                   oslo-specs/specs/liberty/privsep.html"}],"source_content_type":"text/x-rst","patch_set":4,"id":"3fce034c_18d742c2","line":13,"updated":"2019-04-11 14:04:55.000000000","message":"whoops, lost the PS3 line merge here","commit_id":"9ff8a891818a54c99273ee6a94b60444f618a15e"}],"doc/source/user/index.rst":[{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"e6b7471093b5081fc6b673e0edd0e9f18b28365d","unresolved":false,"context_lines":[{"line_number":58,"context_line":"  import nova.privsep.motd"},{"line_number":59,"context_line":"  ..."},{"line_number":60,"context_line":""},{"line_number":61,"context_line":"  nova.privsep.motd(\u0027This node is currently idle\u0027)"},{"line_number":62,"context_line":""},{"line_number":63,"context_line":"It is better to import the complete path (``import nova.privsep.motd``) rather"},{"line_number":64,"context_line":"than the motd name (``from nova.privsep import motd``) so that it is easier to"}],"source_content_type":"text/x-rst","patch_set":1,"id":"5fc1f717_685dfa13","line":61,"updated":"2019-04-04 14:01:25.000000000","message":".update_motd","commit_id":"740190c9ca1ae1a30193af68a2e286d08dcd58d1"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"e6b7471093b5081fc6b673e0edd0e9f18b28365d","unresolved":false,"context_lines":[{"line_number":89,"context_line":"above can be replaced with a function that calls ``os.chmod()``. However a"},{"line_number":90,"context_line":"straight 1:1 filter:function replacement generally results in functions that"},{"line_number":91,"context_line":"are still too broad for good security. 
It is better to replace each chmod"},{"line_number":92,"context_line":"rootwrap *call* by a narrow privsep function that will limit it to specific"},{"line_number":93,"context_line":"files."},{"line_number":94,"context_line":""},{"line_number":95,"context_line":"Sometimes it is necessary to refactor the calling code: the rootwrap design"}],"source_content_type":"text/x-rst","patch_set":1,"id":"5fc1f717_688bba67","line":92,"range":{"start_line":92,"start_character":16,"end_line":92,"end_character":18},"updated":"2019-04-04 14:01:25.000000000","message":"with","commit_id":"740190c9ca1ae1a30193af68a2e286d08dcd58d1"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"e6b7471093b5081fc6b673e0edd0e9f18b28365d","unresolved":false,"context_lines":[{"line_number":95,"context_line":"Sometimes it is necessary to refactor the calling code: the rootwrap design"},{"line_number":96,"context_line":"discouraged the creation of new filters and therefore often resulted in the"},{"line_number":97,"context_line":"creation of overly-broad calling functions."},{"line_number":98,"context_line":""},{"line_number":99,"context_line":"For more details, you can read the following blog post:"},{"line_number":100,"context_line":""},{"line_number":101,"context_line":"* `Adding oslo privsep to a new project, a worked example`_"}],"source_content_type":"text/x-rst","patch_set":1,"id":"5fc1f717_a8d68252","line":98,"updated":"2019-04-04 14:01:25.000000000","message":"could be cool to point to a patch as an example of how to convert rootwrap to privsep, e.g. 
one from this series: https://review.openstack.org/#/q/project:openstack/nova+branch:master+topic:my-own-personal-alternative-universe","commit_id":"740190c9ca1ae1a30193af68a2e286d08dcd58d1"},{"author":{"_account_id":9555,"name":"Matthew Booth","email":"mbooth@redhat.com","username":"MatthewBooth"},"change_message_id":"aa64e635b956bb383bcd81cb0df89445dee64a2c","unresolved":false,"context_lines":[{"line_number":45,"context_line":"          f.write(message)"},{"line_number":46,"context_line":""},{"line_number":47,"context_line":"Privileged functions should be as simple, specialized and narrow as possible."},{"line_number":48,"context_line":"For example, ``update_motd(message)`` is a lot better than"},{"line_number":49,"context_line":"``update_file(filename, content)`` which would allow any file on the system"},{"line_number":50,"context_line":"to be overwritten."},{"line_number":51,"context_line":""},{"line_number":52,"context_line":""}],"source_content_type":"text/x-rst","patch_set":3,"id":"5fc1f717_2d84b2d2","line":49,"range":{"start_line":48,"start_character":38,"end_line":49,"end_character":34},"updated":"2019-04-08 09:31:21.000000000","message":"I don\u0027t think this is strong enough, tbh. The issue here is that the mere existence of update_file(filename, content) entirely defeats the security of privsep: all the care you took everywhere else is rendered useless, even if nothing is actually calling it. Adding a function like update_file(filename, content) is adding a backdoor, except it\u0027s not hidden. This message needs to be very clearly and simply stated, with top billing.\n\nCould you add a \u0027reviewer\u0027s guide to privsep functions\u0027? I had in mind some nice clear bullet points. e.g.:\n\n  * A privsep function should not take a system resource (e.g. a path) as an argument.\n\n    A good way to make a program act maliciously is to have it perform an intended action on an unintended resource. 
For example, we might contrive to write to a sensitive system file by inserting a series of \u0027../../\u0027 to some unchecked input.\n\n    We can defend against this kind of attack systematically by never passing a path, or any other kind of system resource, to a privsep function, and instead having the privsep function calculate it itself: privsep loaded its own config. So, if we need to initialise the console log for an instance, instead of:\n\n    update_file(path, content):\n      with privileges, write content to path\n\n    we would have:\n\n    init_console_log(instance):\n      fetch instance directory from privsep\u0027s copy of config\n      work out the relative path of the console.log\n      with privileges, initialise the file\n\n    This function, if carefully written, does not allow a malicious caller to do anything except exactly what it was intended to do.","commit_id":"662bd04c55cb8aed323913fdc9b1bdab0ba2b079"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"0573424c134e0b5a8b00e49e4e1c2bddb6faa0bf","unresolved":false,"context_lines":[{"line_number":45,"context_line":"          f.write(message)"},{"line_number":46,"context_line":""},{"line_number":47,"context_line":"Privileged functions should be as simple, specialized and narrow as possible."},{"line_number":48,"context_line":"For example, ``update_motd(message)`` is a lot better than"},{"line_number":49,"context_line":"``update_file(filename, content)`` which would allow any file on the system"},{"line_number":50,"context_line":"to be overwritten."},{"line_number":51,"context_line":""},{"line_number":52,"context_line":""}],"source_content_type":"text/x-rst","patch_set":3,"id":"5fc1f717_43a1cfa8","line":49,"range":{"start_line":48,"start_character":38,"end_line":49,"end_character":34},"in_reply_to":"5fc1f717_2d84b2d2","updated":"2019-04-08 10:37:09.000000000","message":"Good stuff, Mr Booth. 
We don\u0027t have to write it all at once though, do we?\n\nI agree the wording here could be stronger, using words like \"should never\" instead of \"better than\".\n\nAnd then future efforts can link this to a masterfully crafted guide such as the one you suggest, authored by...","commit_id":"662bd04c55cb8aed323913fdc9b1bdab0ba2b079"},{"author":{"_account_id":308,"name":"Thierry Carrez","email":"thierry@openstack.org","username":"ttx"},"change_message_id":"889338d6323e102ba4dd4a4d2431279b58266f2e","unresolved":false,"context_lines":[{"line_number":45,"context_line":"          f.write(message)"},{"line_number":46,"context_line":""},{"line_number":47,"context_line":"Privileged functions should be as simple, specialized and narrow as possible."},{"line_number":48,"context_line":"For example, ``update_motd(message)`` is a lot better than"},{"line_number":49,"context_line":"``update_file(filename, content)`` which would allow any file on the system"},{"line_number":50,"context_line":"to be overwritten."},{"line_number":51,"context_line":""},{"line_number":52,"context_line":""}],"source_content_type":"text/x-rst","patch_set":3,"id":"3fce034c_3d7d506e","line":49,"range":{"start_line":48,"start_character":38,"end_line":49,"end_character":34},"in_reply_to":"5fc1f717_43a1cfa8","updated":"2019-04-11 12:31:52.000000000","message":"Yes that\u0027s fair. 
I\u0027ll rewrite that to make a much stronger statement and better explain what\u0027s at stake.\n\nFeel free to propose a more thorough guide as a followup patch :)","commit_id":"662bd04c55cb8aed323913fdc9b1bdab0ba2b079"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"8f422236aff33e542fbe7ee02fe8ae6a57cc692d","unresolved":false,"context_lines":[{"line_number":44,"context_line":"      with open(\u0027/etc/motd\u0027, \u0027w\u0027) as f:"},{"line_number":45,"context_line":"          f.write(message)"},{"line_number":46,"context_line":""},{"line_number":47,"context_line":"Privileged functions must be as simple, specialized and narrow as possible,"},{"line_number":48,"context_line":"so as to prevent further escalation. In this example, ``update_motd(message)``"},{"line_number":49,"context_line":"is narrow: it only allows the service to overwrite the MOTD file. If a more"},{"line_number":50,"context_line":"generic ``update_file(filename, content)`` was created, it could be used to"}],"source_content_type":"text/x-rst","patch_set":4,"id":"3fce034c_98f4925d","line":47,"updated":"2019-04-11 14:04:55.000000000","message":"Nice","commit_id":"9ff8a891818a54c99273ee6a94b60444f618a15e"}]}
