Packer: Make "owners" field of source_ami_filter required: RFC
HashiCorp's security team pointed out an interesting potential exploit where if you request an amazon AMI via a source_ami_filter, but don't have "owner" selected, you can accidentally use a malicious base image instead of one from your own organization or a trusted vendor.
The impact of making the "owner" field required would be low for the users (I strongly suspect that a majority of people using the filter already define the owner field) but could save users from making a potentially dangerous mistake. I think we should have Packer fail during validation with an error that says this field must be designated; if we decide that there is a valid use case where people may not want to have to set this field, we could potentially allow an opt out like setting "owner" to "any" but honestly I can't think of a situation where this really makes a great deal of sense.
I'm going to slate this for v1.3.0 but I'd like to hear community thoughts.
SwampDragons
All 10 comments
👍 to this, absolutely.
I encountered exactly this bug last week, ended up with a Monero miner instead of a vanilla Ubuntu AMI when the owner filter was missed.
007
on 14 Aug 2018
@007 Can you shoot me an email? I have a couple of questions about your experience with this issue.
SwampDragons
on 15 Aug 2018
Done
007
on 15 Aug 2018
@SwampDragons I can't upgrade to Packer 1.3.0 because of this change. Essentially we use the same JSON Packer definitions for production AWS account as development AWS account, and only have to modify the profile to toggle between production and development AWS credentials.
The problem is the owners field id now is different as well for production and development AWS accounts. Can you provide a solution to this? Is there an abstraction I am missing? Thanks.
nodesocket
on 12 Sep 2018
@nodesocket the "owners" field is a list, so I believe you should be able to simply provide both possible "owner" IDs and have the filter still work for both. Then no matter which (prod or dev) owner owns the AMI, you should be able to find one.
SwampDragons
on 12 Sep 2018
Ahh, didn't realize owners take a list. That worked. Thanks!
nodesocket
on 12 Sep 2018
Awesome! Super glad it isn't a blocker.
SwampDragons
on 12 Sep 2018
You can also use self.
We should probably add some more info in the docs. From the AWS docs:
Filters the images by the owner. Specify an AWS account ID, self (owner is the sender of the request), or an AWS owner alias (valid values are amazon | aws-marketplace | microsoft ). Omitting this option returns all images for which you have launch permissions, regardless of ownership
https://docs.aws.amazon.com/cli/latest/reference/ec2/describe-images.html
rickard-von-essen
on 12 Sep 2018
Good point. I've opened a PR updating docs: https://github.com/hashicorp/packer/pull/6694
SwampDragons
on 12 Sep 2018
I'm going to lock this issue because it has been closed for _30 days_ ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.
![hashibot[bot] picture](https://avatars2.githubusercontent.com/in/8332?v=4&s=40)
hashibot[bot]
on 30 Mar 2020
Related issues
paulcdejean
·
3Comments
wduncanfraser
·
3Comments
Nikoos
·
3Comments
mvermaes
·
3Comments
mwhooker
·
3Comments