All users of Cobbler who are using the web interface and have granted access to users who do /not/ already have local root access to the Cobbler server should upgrade to 1.2.8 and apply the following fix:
http://git.fedorahosted.org/git/?p=cobbler;a=commitdiff;h=cc3dd9828e02f1693d...
=====
Background:
Cheetah templates, which Cobbler uses to build kickstarts, can execute Python code, which is normally a /very/ useful thing. We rely on this in Cobbler to do simple things like translating timestamps to the local time zone. We have had this capability in /every/ version of Cobbler.
This becomes a problem if you have granted access to a user through Cobbler Web who you trust with your datacenter but you do /not/ trust with your Cobbler server's root access.
Details:
However, it can be a problem when a web user edits a kickstart template through the webapp, because they could then write code that runs whatever they want it to run on the Cobbler server. One such example would be adding a kickstart that imports subprocess and then calls code to give them a user account on the Cobbler box that they did not already have.
A trivial example (two lines of a kickstart template):
    #import subprocess
    $subprocess.call("/sbin/service squid restart",shell=True)
A solution to this (included in the patch linked above) is to restrict which "#import" directives we allow and to fail if any Cheetah code attempts to import a module that is not on the allowed list. Rather than blacklisting (which would be weak), we are whitelisting -- only enabling modules we know to be safe.
I've added some code to whitelist the modules that should be allowed and are useful. Currently only two are allowed in the devel branch -- time and random. Cobbler itself only uses time. (If anyone has templates they want to keep working that "#import" another module, please let me know what it is.)
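As an added illustration of the whitelist check described above: this is example code written for this page, not the patch linked above or any code from the Cobbler project. The function names, the regular expression and the two kickstart snippets are my own constructions; the whitelist contents (time, random) are the ones the advisory names.

```python
import re

# Modules the advisory says the devel branch currently permits.
CHEETAH_IMPORT_WHITELIST = frozenset({"time", "random"})

# Matches a Cheetah import directive anywhere on a line, e.g.
#   #import subprocess
#   #import os, sys
#   #import time as t
#   #from subprocess import call
# The directive name must follow the '#' directly, so an ordinary
# kickstart comment such as "# important: ..." is not matched.
_IMPORT_RE = re.compile(r"#(?P<kind>import|from)\s+(?P<body>[^\n#]+)")


def imported_modules(template_text):
    """Return the set of top-level module names a template tries to import.

    '#import a.b.c as x, d' -> {'a', 'd'};  '#from a.b import c' -> {'a'}.
    Only the top-level package matters: whitelisting 'os' would otherwise
    be bypassed by 'os.path'.
    """
    mods = set()
    for m in _IMPORT_RE.finditer(template_text):
        kind, body = m.group("kind"), m.group("body").strip()
        if kind == "from":
            # '#from pkg.mod import name': the module being imported is pkg.mod
            body = body.split(" import ", 1)[0]
        for item in body.split(","):
            name = item.strip().split(" as ", 1)[0].strip()
            if name:
                mods.add(name.split(".", 1)[0])
    return mods


class TemplateImportError(Exception):
    """Raised when a template imports a module outside the whitelist."""


def check_template_imports(template_text, whitelist=CHEETAH_IMPORT_WHITELIST):
    """Whitelist check: raise TemplateImportError if any #import/#from in the
    template names a module not in `whitelist`; otherwise return the set of
    modules it imports (possibly empty)."""
    mods = imported_modules(template_text)
    rejected = sorted(mods - set(whitelist))
    if rejected:
        raise TemplateImportError(
            "template imports non-whitelisted module(s): %s" % ", ".join(rejected))
    return mods


# Constructed sample templates for the demo (hypothetical kickstart fragments).
MALICIOUS_KICKSTART = """\
install
#import subprocess
$subprocess.call("/sbin/service squid restart",shell=True)
"""

BENIGN_KICKSTART = """\
install
#import time
# built $time.strftime("%Y-%m-%d")
"""


if __name__ == "__main__":
    for label, tmpl in (("benign", BENIGN_KICKSTART), ("malicious", MALICIOUS_KICKSTART)):
        try:
            print("%s: allowed, imports %s" % (label, sorted(check_template_imports(tmpl))))
        except TemplateImportError as e:
            print("%s: rejected (%s)" % (label, e))
```

The check is meant to run before the template is handed to Cheetah for rendering, so a rejected kickstart never gets compiled. It only gates the `#import` and `#from` directives the advisory talks about; it deliberately extracts the top-level package name so that a whitelisted module cannot be widened to its submodules by accident.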
Note -- If you do /not/ trust the users of your Cobbler web instance, you need to evaluate whether they should have web access at all: you are already letting them decide exactly what goes on every machine in your datacenter and letting them reinstall machines whenever they choose. The difference with the above, however, is that a web user can run commands as root on the Cobbler server itself.
If you consider this a serious issue, you can disable the XMLRPC read/write interface entirely:
    vi /etc/cobbler/modules.conf
    (change the authentication mode to "authn_denyall")
    /sbin/service cobblerd restart
The web app will now be disabled. Or you can upgrade to the code currently on the devel branch.
You could also modify the authz_ownership module to allow only certain users to edit kickstart files.
I will be rolling out a Cobbler 1.2.9 to the builders that will contain /only/ this fix on top of 1.2.8.
This vulnerability has been in Cobbler as long as kickstarts have been editable in the web app. I would appreciate your continued vigilance for possible exploit scenarios such as this -- and if you are using Cobbler Web with more than one user account, please disable Cobbler Web until you have applied the above patch.
--Michael
cobbler@lists.fedorahosted.org