OpenStack Orchestration (Heat) CFN Tools
Anant Patil e424af2236 Fix cfntools command injection
The CommandRunner used to run commands using su command and passing the
actual command to be run as argument to it.

su USER -c <cmd>

This is susceptible to command line injection as noted in the bug.

The fix required doing two things:

1. Pass the command to be run as a list instead of a string. This is to
ensure that the actual arguments are passed as arguments to the program
that ought to be executed. And by doing so, avoids running any commands
passed in the argument. On the contrary, if the command were passed as a
string to the shell, the arguments could be formed in a way to execute
malicious commands.

2. The CommandRunner runs the command directly and uses setuid to lower
the privileges if needed. If the 'runas' user is other than root, then
its UID is obtained and setuid is invoked to set the real user-id and
effective user-id to the given user.

Change-Id: I654117e994fd38411508dbe9b85d06c28dc0e411
Closes-Bug: #1312246
2015-08-31 15:58:04 +05:30
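
The two points of the commit message above, as an added example (not the project's code): the same argument handled as a shell string and as an argv list, plus a privilege drop done in the child before exec. The function names and the sample argument are hypothetical, and `/bin/sh -c` stands in for `su USER -c` so the example runs without root.

```python
import os
import pwd
import subprocess

# Constructed sample: an argument value carrying shell metacharacters.
UNTRUSTED_ARG = "report.txt; echo INJECTED"


def run_as_shell_string(arg):
    """Old pattern: the whole command is one string parsed by a shell."""
    cmd = "echo " + arg
    return subprocess.check_output(["/bin/sh", "-c", cmd]).decode()


def _demote(runas):
    """Return a preexec_fn that lowers privileges to `runas`, or None."""
    entry = pwd.getpwnam(runas)
    if entry.pw_uid == os.getuid():
        return None  # already running as that user, nothing to drop

    def demote():
        # Assumption of this example: groups are dropped as well, and
        # before the UID, because setgid() fails once root is given up.
        os.setgroups([])
        os.setgid(entry.pw_gid)
        os.setuid(entry.pw_uid)  # as root this sets real and effective UID

    return demote


def run_as_list(argv, runas=None):
    """Fixed pattern: argv list, no shell, optional privilege drop."""
    preexec = _demote(runas) if runas else None
    return subprocess.check_output(argv, preexec_fn=preexec).decode()


if __name__ == "__main__":
    print(repr(run_as_shell_string(UNTRUSTED_ARG)))    # shell splits on ';'
    print(repr(run_as_list(["echo", UNTRUSTED_ARG])))  # one literal argument
```

With the list form the `;` reaches `echo` as data, so only one program runs; with the string form the shell treats it as a command separator.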
bin Merge "Fix typos in cfn scripts" 2015-06-09 02:40:36 +00:00
doc cfn-hup manpage fix s/deamon/daemon typo 2013-10-02 08:10:33 +01:00
heat_cfntools Fix cfntools command injection 2015-08-31 15:58:04 +05:30
tools Rename requires files to standard names 2013-05-16 09:33:00 -07:00
.gitignore Fix test cases not running under python 2.6 2013-06-27 18:04:04 +08:00
.gitreview Add tox, pep8, pyflakes, testr support 2013-03-07 12:28:29 +13:00
.testr.conf Use testr to run the unit tests. 2013-02-21 11:13:43 +13:00
CONTRIBUTING.rst Workflow documentation is now in infra-manual 2014-12-05 03:30:36 +00:00
LICENSE Initial commit (basics copied from glance) 2012-03-13 21:48:07 +11:00
MANIFEST.in Include ChangeLog and AUTHORS 2013-05-30 17:17:41 +02:00
README.rst README changes to make release_notes.py happy 2015-05-12 10:50:52 +12:00
requirements.txt Python 3 compatibility 2015-02-21 11:17:53 +01:00
setup.cfg Support building wheels (PEP-427) 2014-02-07 11:31:58 +01:00
setup.py Manually sync requirements 2014-04-15 12:49:05 +12:00
test-requirements.txt Ported tests from mox3 to mock to support Python >= 3.3 2015-02-22 22:19:20 +01:00
tox.ini Python 3 compatibility 2015-02-21 11:17:53 +01:00

README.rst

Heat CloudFormation Tools

There are several bootstrap methods for cloudformations:

  1. Create image with application ready to go
  2. Use cloud-init to run a startup script passed as userdata to the nova server create
  3. Use the CloudFormation instance helper scripts

This package contains files required for choice #3.

cfn-init - Reads the AWS::CloudFormation::Init for the instance resource, installs packages, and starts services

cfn-signal - Waits for an application to be ready before continuing, i.e. supporting the WaitCondition feature

cfn-hup - Handle updates from the UpdateStack CloudFormation API call