Closed
Bug 939543
Opened 11 years ago
Closed 11 years ago
getcert.cgi should allow some host generate arbitrary certificates
Categories
(Infrastructure & Operations :: RelOps: Puppet, task)
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: rail, Assigned: rail)
References
Details
Attachments
(3 files, 3 obsolete files)
4.44 KB,
patch
|
dustin
:
review+
rail
:
checked-in+
|
Details | Diff | Splinter Review |
1.10 KB,
patch
|
dustin
:
review+
rail
:
checked-in+
|
Details | Diff | Splinter Review |
2.30 KB,
patch
|
dustin
:
review+
rail
:
checked-in+
|
Details | Diff | Splinter Review |
To reduce load on getcert.cgi (which sometimes reuses to generate new certs du to the ssl lock timeouts) and eliminate (almost) possible merge conflicts when we revoke certificates for spot instances it would be great to allow *some* IPs to generate certs for other hosts and cache them for N days.
Assignee | ||
Comment 1•11 years ago
|
||
Maybe something like this? I haven't tested this at all.
Attachment #8334810 -
Flags: feedback?(dustin)
Comment 2•11 years ago
|
||
Comment on attachment 8334810 [details] [diff] [review] getcert.cgi Looks good.. I'd rather not skip DNS, though - can the manager provide IPs instead?
Attachment #8334810 -
Flags: feedback?(dustin) → feedback+
Updated•11 years ago
|
Assignee: relops → rail
Assignee | ||
Comment 3•11 years ago
|
||
--noop worked fine: Notice: /Stage[main]/Puppetmaster::Deploy/File[/var/lib/puppetmaster/deploy/cgi-bin/getcert.cgi]/content: --- /var/lib/puppetmaster/deploy/cgi-bin/getcert.cgi 2013-11-18 12:20:46.403406284 -0800 +++ /tmp/puppet-file20131125-24338-fl9g-0 2013-11-25 09:11:25.131406777 -0800 [skipped] +# IP addresses of machines allowed to generate arbitrary certificates +my @manager_ips = ( + qw/10.26.48.43/, + +); + @@ -52,6 +56,11 @@ +my $fqdn_regexps = [ + qr/mozilla\.com$/m, + +]; +
Attachment #8334810 -
Attachment is obsolete: true
Attachment #8337821 -
Flags: review?(dustin)
Comment 4•11 years ago
|
||
Comment on attachment 8337821 [details] [diff] [review] getcert.cgi Review of attachment 8337821 [details] [diff] [review]: ----------------------------------------------------------------- ::: modules/puppetmaster/templates/getcert.cgi.erb @@ +72,5 @@ > +if ($ENV{'QUERY_STRING'}){ > + # Explicit FQDN certificate request > + die "$ip is not allowed to generate certificates for other hosts" unless grep $_ eq $ip, @manager_ips; > + $host = $ENV{'QUERY_STRING'}; > + die "Hostname must use letters, digits, dots or dashes" unless $host =~ /^[a-z0-9.-]+$/i; Hm, this still gets the hostname from the query, rather than from DNS. The requirement that an attacker spoof DNS adds a little bit more difficulty, and also limits the inputs to getcert.sh to avoid any string-quoting or other vulnerabilities that may exist there. Is it problematic to use IPs here?
Attachment #8337821 -
Flags: review?(dustin) → review-
Assignee | ||
Comment 5•11 years ago
|
||
* added checks for requested hostnames * moved octet checks * simplified IP/FQDN checks
Attachment #8337821 -
Attachment is obsolete: true
Attachment #8337918 -
Flags: review?(dustin)
Comment 6•11 years ago
|
||
Comment on attachment 8337918 [details] [diff] [review] getcert.cgi Review of attachment 8337918 [details] [diff] [review]: ----------------------------------------------------------------- ::: modules/puppetmaster/templates/getcert.cgi.erb @@ +55,5 @@ > + die "$manager_ip is not allowed to generate certificates for other hosts" unless grep $_ eq $manager_ip, @$manager_ips; > + die "Hostname must use letters, digits, dots or dashes" unless $host =~ /^[a-z0-9.-]+$/i; > + $ip = inet_aton($host) or die "Cannot back resolve $host: $!"; > + $ip = inet_ntoa($ip); > + my $real_host = gethostbyaddr(inet_aton($ip), AF_INET) or die "cannot resolve $ip: $!"; This is odd -- the regexp allows lots of characters, but you then validate with `inet_aton` and back, and then forward again. Also, the error message for a failure in `inet_aton` is incorrect - that function doesn't do any kind of resolution. I think the better approach would be: die "$manager_ip is not allowed to generate certificates for other hosts" unless grep $_ eq $manager_ip, @$manager_ips; $ip = $ENV{'QUERY_STRING}; die "Other host must be specified by IP" unless $ip =~ /^\d+\.\d+\.\d+\.\d+$/i; inet_aton($host) or die "Invalid IP: $!"; and then move the "# convert to a hostname" bit out of the conditional.
Attachment #8337918 -
Flags: review?(dustin) → review-
Comment 7•11 years ago
|
||
A few more comments from my conversation with :tinfoil, leading up to a secreview for this change: - The security of the manager host will be important here, as it has a whole lot of power. What host is it, and what kind of security restrictions are in place there? - It would be ideal to require some extra authentication from the manager host, beyond the standard deploy password. Ideally, this would be a client SSL certificate, which the manager host should already have from puppet. The key would be getting Apache to validate that.
Assignee | ||
Comment 8•11 years ago
|
||
(In reply to Dustin J. Mitchell [:dustin] (I read my bugmail; don't needinfo me) from comment #7) > A few more comments from my conversation with :tinfoil, leading up to a > secreview for this change: > > - The security of the manager host will be important here, as it has a whole > lot of power. What host is it, and what kind of security restrictions are > in place there? ATM it's cruncher, but I'm planning to setup another VM(s) dedicated to AWS management only, with similar security we have on buildbot masters. > - It would be ideal to require some extra authentication from the manager > host, beyond the standard deploy password. Ideally, this would be a client > SSL certificate, which the manager host should already have from puppet. > The key would be getting Apache to validate that. Does this mean that getcert.cgi needs to check if the client is authenticated in case if we pass QUERY_STRING?
Comment 9•11 years ago
|
||
A dedicated host sounds like a good plan. And to your second question, yes. I'm not sure how best to accomplish that, though - it will involve some Apache config.
Flags: sec-review?
Assignee | ||
Comment 10•11 years ago
|
||
* use IP instead of FQDN for managed requests * use inet_aton to verify IPs
Attachment #8337918 -
Attachment is obsolete: true
Attachment #8338579 -
Flags: review?(dustin)
Updated•11 years ago
|
Attachment #8338579 -
Flags: review?(dustin) → review+
Assignee | ||
Comment 11•11 years ago
|
||
Comment on attachment 8338579 [details] [diff] [review] getcert.cgi https://hg.mozilla.org/build/puppet/rev/41ffa94c897b
Attachment #8338579 -
Flags: checked-in+
Assignee | ||
Comment 12•11 years ago
|
||
Comment on attachment 8338579 [details] [diff] [review] getcert.cgi Pushed to production: https://hg.mozilla.org/build/puppet/rev/abdef7a1719f
Assignee | ||
Comment 13•11 years ago
|
||
Comment on attachment 8338579 [details] [diff] [review] getcert.cgi Backed out for 2 reasons: 1) needs a secreview 2) issues in relabs (no manager_ips, etc set) remote: https://hg.mozilla.org/build/puppet/rev/a722787ded87 remote: https://hg.mozilla.org/build/puppet/rev/943cde65d26c
Attachment #8338579 -
Flags: checked-in+ → checked-in-
Updated•11 years ago
|
Flags: sec-review? → sec-review?(gdestuynder)
Flags: sec-review?(gdestuynder) → sec-review?(mhenry)
Updated•11 years ago
|
Severity: normal → major
Comment 14•11 years ago
|
||
Bumping priority per Taras' request.
Comment 15•11 years ago
|
||
Starting the sec-review at 12:00 PST today.
Comment 16•11 years ago
|
||
Just a status update I've cloned the repository and am looking at the puppetmaster module now, specifically the getcert.cgi.erb and related manifests
Comment 17•11 years ago
|
||
Finding 1: In modules/puppetmaster/manifests/deploy.pp change "${puppetmaster::settings::deploy_dir}/cgi-bin": ensure => directory; to change folder permissions to root:apache 0750 to ensure the folder is not writable by the apache process.
Assignee | ||
Comment 18•11 years ago
|
||
(In reply to Michael Henry [:tinfoil] from comment #17) > Finding 1: > > In modules/puppetmaster/manifests/deploy.pp change > "${puppetmaster::settings::deploy_dir}/cgi-bin": > ensure => directory; > > to change folder permissions to root:apache 0750 to ensure the folder is not > writable by the apache process. Thanks for the fast turn around! The patch should address this comment.
Attachment #8342708 -
Flags: review?(dustin)
Comment 19•11 years ago
|
||
Finding 2: I'd recommend making the cipher suites and ordering match our guidelines: https://wiki.mozilla.org/Security/Server_Side_TLS#Apache This isn't a requirement, but a recommendation. ----------- My one area for minor concern is perhaps filtering the hostname to ensure it's file-system safe. That can be done with proper regex supplied via puppet, or you can add it to the script for redundancy I didn't find any faults with getcert.cgi. It's deliberately kept simple. It's untrusted inputs are kept simple and filtered. The access restrictions on the script make sense.
Flags: sec-review?(mhenry) → sec-review+
Assignee | ||
Comment 20•11 years ago
|
||
Comment on attachment 8342708 [details] [diff] [review] safer permissions I'll integrate this into the final patch
Attachment #8342708 -
Flags: review?(dustin)
Assignee | ||
Comment 21•11 years ago
|
||
Thanks a lot for the review. (In reply to Michael Henry [:tinfoil] from comment #19) > My one area for minor concern is perhaps filtering the hostname to ensure > it's file-system safe. That can be done with proper regex supplied via > puppet, or you can add it to the script for redundancy Can you elaborate on this? The script has the following check: die "refused FQDN: $host" unless grep $host =~ /$_/, @$fqdn_regexps; ATM we check against /mozilla\.com/ regexp, but we can make it stricter.
Flags: needinfo?(mhenry)
Comment 22•11 years ago
|
||
Mostly I wasn't sure if DNS potentially allowed characters that might have unintended consequences when passed to an external program or passed into a file name. That being said, I took a look and it seems like it should be okay.
Flags: needinfo?(mhenry)
Updated•11 years ago
|
Attachment #8342708 -
Flags: review+
Assignee | ||
Comment 24•11 years ago
|
||
Comment on attachment 8338579 [details] [diff] [review] getcert.cgi https://hg.mozilla.org/build/puppet/rev/8e2d336ff8d5
Attachment #8338579 -
Flags: checked-in- → checked-in+
Assignee | ||
Comment 25•11 years ago
|
||
Comment on attachment 8342708 [details] [diff] [review] safer permissions https://hg.mozilla.org/build/puppet/rev/8e2d336ff8d5
Attachment #8342708 -
Flags: checked-in+
Assignee | ||
Comment 26•11 years ago
|
||
in production https://hg.mozilla.org/build/puppet/rev/7ab7d791de6e
Assignee | ||
Comment 27•11 years ago
|
||
Everything worked fine except the first line in the puppet-change emails: Creating certificate for tst-linux64-spot-116.test.releng.use1.mozilla.com from ip 10.134.56.50 It should mention the IP address of the machine generated it.
Attachment #8343510 -
Flags: review?(dustin)
Updated•11 years ago
|
Attachment #8343510 -
Flags: review?(dustin) → review+
Assignee | ||
Comment 28•11 years ago
|
||
Comment on attachment 8343510 [details] [diff] [review] gen.diff remote: https://hg.mozilla.org/build/puppet/rev/6324036b2e08 remote: https://hg.mozilla.org/build/puppet/rev/109e88f4f8df
Attachment #8343510 -
Flags: checked-in+
Assignee | ||
Updated•11 years ago
|
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
You need to log in
before you can comment on or make changes to this bug.
Description
•