Add developer accessible backdoor to VM tests infrastructure. #47418

Merged
merged 1 commit into from Sep 28, 2018

@domenkozar
Member

domenkozar commented Sep 27, 2018

Thanks to @dezgeg for prototype implementation, I've
cleaned it up and added documentation.

I admit it's not clear to me if console access via $TMPDIR is considered a security issue. On a builder running multiple tests, I'd expect this could be considered an adversary.

Member

domenkozar commented Sep 27, 2018

@nlewo @dezgeg I've removed redundant SSH, let me know what you think.

Add ssh backdoor to VM tests infrastructure.
Thanks to @dezgeg for prototype implementation, I've
cleaned it up and added documentation.

@domenkozar domenkozar changed the title from Add ssh backdoor to VM tests infrastructure. to Add developer accessible backdoor to VM tests infrastructure. Sep 27, 2018

Contributor

roberth commented Sep 27, 2018

👍

I'd expect the temporary directory to have sufficiently restrictive permissions anyway. That's a problem that Nix should already solve. An adversary will have just as hard a time attacking a backdoored test as he would attacking a non-backdoored test.

Some potential improvements:

A similar backdoor to the perl script could be added, to provide access to library functions on machines and to relay the vm backdoors.

Also the tester could print the backdoor instructions, although it won't be able to point the user to the right path because of that one security measure to prevent dangerous accidental /tmp references in built packages, or do we have an obscure impure environment variable with that info?
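
The permission argument in the comment above can be checked mechanically on a builder. This is an added example, not code from the PR or from nixpkgs; it assumes the debugging endpoint is a Unix socket or FIFO under the test's temporary directory, and `audit_tmpdir`, `demo` and the finding names are hypothetical.

```python
import os
import socket
import stat
import tempfile

GROUP_OTHER_ANY = stat.S_IRWXG | stat.S_IRWXO
GROUP_OTHER_SEARCH = stat.S_IXGRP | stat.S_IXOTH
GROUP_OTHER_WRITE = stat.S_IWGRP | stat.S_IWOTH

def audit_tmpdir(root):
    """Return (kind, path) findings for a per-build temp directory."""
    # Assumption: the endpoint is a socket or FIFO under `root`; the
    # thread only says that console access goes via $TMPDIR.
    findings = []
    top = os.lstat(root)
    if not stat.S_ISDIR(top.st_mode):
        return [("not-a-directory", root)]
    if top.st_mode & GROUP_OTHER_ANY:
        findings.append(("dir-open", root))
    # Without search (x) permission on the top directory, other
    # unprivileged users cannot resolve any path beneath it.
    shielded = not (top.st_mode & GROUP_OTHER_SEARCH)
    for dirpath, _dirs, files in os.walk(root):
        for name in files:  # os.walk lists sockets and FIFOs here
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode
            is_endpoint = stat.S_ISSOCK(mode) or stat.S_ISFIFO(mode)
            if is_endpoint and mode & GROUP_OTHER_WRITE:
                kind = "endpoint-shielded" if shielded else "endpoint-exposed"
                findings.append((kind, path))
    return findings

def demo():
    """Constructed scenario: one socket, audited under two directory modes."""
    with tempfile.TemporaryDirectory() as root, \
            socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as srv:
        path = os.path.join(root, "c.sock")
        srv.bind(path)
        os.chmod(path, 0o666)  # worst case: socket itself is world-writable
        private = [kind for kind, _ in audit_tmpdir(root)]
        os.chmod(root, 0o755)  # simulate a permissive builder temp dir
        shared = [kind for kind, _ in audit_tmpdir(root)]
    return private, shared

if __name__ == "__main__":
    print(demo())
```

With the directory at mode 0700 the world-writable socket is reported only as shielded; once the directory is opened to 0755 the same socket is reported as exposed.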

Member

domenkozar commented Sep 27, 2018

> A similar backdoor to the perl script could be added, to provide access to library functions on machines and to relay the vm backdoors.

Sounds good to me - anyone should feel free to contribute that, my motivation was to have a system that works and is documented. Hopefully that sparks simplification :)

> Also the tester could print the backdoor instructions, although it won't be able to point the user to the right path because of that one security measure to prevent dangerous accidental /tmp references in built packages, or do we have an obscure impure environment variable with that info?

Shouldn't be an issue to echo $TMPDIR to logs. My willpower to do more test debugging is very low, as I was deep into it in the last days. Can we also consider this an improvement yet to be done? :)

Contributor

roberth commented Sep 27, 2018

Iirc, $TMPDIR is /build/..... in the sandbox, which is backed by /tmp/..... on the host.
This is a great addition. I won't let perfect get in the way of better.

Member

aszlig commented Sep 28, 2018

Hm... what if we add a .debug attribute to the result of makeTest that turns the whole thing into a fixed output derivation (where we have networking) with a dummy hash, allowing to connect directly via SPICE for example?

Contributor

roberth commented Sep 28, 2018

@aszlig That's also an interesting approach. What do you think of the PR as is?

Member

domenkozar commented Sep 28, 2018

I'm merging this by discarding my concern about backdoor being a security issue given that shell is also placed into the temp directory - which is then used by testing infrastructure.

I know this is far from perfect, but I've managed to debug my test failures easily - so it does the job. Any improvements are welcome to be done on top of this work.

Going to backport to 18.09 as well.

@domenkozar domenkozar merged commit d6e3db4 into master Sep 28, 2018

8 checks passed

grahamcofborg-eval ^.^!
grahamcofborg-eval-check-meta config.nix: checkMeta = true
grahamcofborg-eval-nixos-manual nix-instantiate ./nixos/release.nix -A manual
grahamcofborg-eval-nixos-options nix-instantiate ./nixos/release.nix -A options
grahamcofborg-eval-nixpkgs-manual nix-instantiate ./pkgs/top-level/release.nix -A manual
grahamcofborg-eval-nixpkgs-tarball nix-instantiate ./pkgs/top-level/release.nix -A tarball
grahamcofborg-eval-nixpkgs-unstable-jobset nix-instantiate ./pkgs/top-level/release.nix -A unstable
grahamcofborg-eval-package-list nix-env -qa --json --file .

@Mic92 Mic92 deleted the nixos-tests-debug branch Oct 3, 2018
