User ownership for namespace is getting changed to a different user

Not only have the namespaces changed, but some namespaces/roles/… now seem to have been transferred to other users. For example, the elan.opencast_user is the old name. But it now seems to belong to someone else:

This is also a severe security risk, since people can easily take over a namespace and execute a supply chain attack with it, with users unknowingly/unexpectedly installing different code.


@lkiesow sorry you experienced this. Can you check again? We believe we resolved all cases of this yesterday.


The problem persists. Installing roles may still install foreign code.
For example, installing elan.opencast_user tries to get the code from the GitHub user elan.
That means that user could easily have malicious code deployed for everyone using that role.

❯ ansible-galaxy install elan.opencast_user
Starting galaxy role install process
- downloading role 'opencast_user', owned by elan
- downloading role from https://github.com/elan/opencast_user/archive/master.tar.gz
 [ERROR]: failed to download the file: HTTP Error 404: Not Found

That’s a huge security risk.

You will also find this in the Ansible Galaxy NG user interface:

The elan in this screenshot is another GitHub user which has (maybe unknowingly) taken over the namespace.

Thank you for the additional info and checking. I understand now this is different than the other issue we were seeing. Also agreed this is serious and something we want to fix ASAP. I’ll update once we have.

Just a heads up that we will probably move these messages to a separate thread to keep track of the separate issues.

@jlmitch5, any update to this? The issue still seems to exist. The elan roles are still linked to the GitHub user elan:
https://galaxy.ansible.com/ui/standalone/namespaces/8850/

It’s a serious problem which now exists for over a month.

There are some important distinctions to be made here …

  1. Roles in the “elan” namespace are linked to the “elan” provider namespace, which is currently owned by two users, lkiesow & tibroc …
    elan legacy namespace
    elan provider namespace

  2. The installs were fixed a few days ago by patches we rolled out to production and some scripted cleanup on duplicate roles …

[jtanner@p1 tmp]$ rm -rf ~/.ansible /tmp/roles ; ansible-galaxy install -p roles elan.opencast_user
Starting galaxy role install process
- downloading role 'opencast_user', owned by elan
- downloading role from https://github.com/elan-ev/opencast_user/archive/main.tar.gz
- extracting elan.opencast_user to /tmp/roles/elan.opencast_user
- elan.opencast_user (main) was installed successfully
  3. The “elan” namespaces are not in fact pointing at the GitHub user elan (Elan Feingold), nor are they owned by that GitHub user. The problem is a bug in the galaxy backend that assembles the avatar url in a very naive way…

serializer

        return {
            'dependencies': dependencies,
            'namespace': {
                'id': obj.namespace.id,
                'name': obj.namespace.name,
                'avatar_url': f'https://github.com/{obj.namespace.name}.png'
            },
            'provider_namespace': provider_ns,
            'repository': repository,
            'tags': tags,
            'versions': versions
        }

That url needs to come from the provider namespace’s metadata instead …

[jtanner@p1 tmp]$ curl -s -L http://galaxy.ansible.com/api/v3/namespaces/?name=elan | jq .data[].avatar_url
"https://avatars.githubusercontent.com/u/1064602?s=200&v=4"

I’ll work on a patch to fix that.

  4. Having roles on galaxy with a namespace that match some other GitHub user’s name is always going to be confusing to end users. What would be helpful is if all the elan.* roles were renamed to elan-ev to better match the real GitHub source. Is that something you’ve considered?
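As an added illustration of the fix described in the post above (example code, not galaxy's own serializer): a minimal stand-in for the serializer's namespace block, with the naive name-based lookup next to a version that takes avatar_url from the provider namespace's stored metadata, the value the v3 namespaces API already returns. The dataclasses and the ELAN_ROLE sample are constructed here; only the namespace id and the avatar URL are taken from the thread.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed stand-ins for the galaxy ORM objects (not the real models).
@dataclass
class ProviderNamespace:
    name: str                  # the GitHub org the roles are actually sourced from
    avatar_url: Optional[str]  # avatar taken from the provider's own metadata

@dataclass
class LegacyNamespace:
    id: int
    name: str                  # the "elan" in "elan.opencast_user"

@dataclass
class LegacyRole:
    namespace: LegacyNamespace
    provider_namespace: Optional[ProviderNamespace] = None

def naive_namespace_block(obj: LegacyRole) -> dict:
    """The pattern quoted from the serializer: derives the avatar from the
    legacy namespace name, so it resolves to whichever GitHub account owns
    that login, not to the account the roles are really published from."""
    return {
        'id': obj.namespace.id,
        'name': obj.namespace.name,
        'avatar_url': f'https://github.com/{obj.namespace.name}.png',
    }

def provider_namespace_block(obj: LegacyRole) -> dict:
    """Use the avatar stored on the linked provider namespace; when no
    provider namespace is linked, emit no avatar rather than guessing one."""
    provider = obj.provider_namespace
    avatar = provider.avatar_url if provider is not None else None
    return {
        'id': obj.namespace.id,
        'name': obj.namespace.name,
        'avatar_url': avatar,
    }

# Constructed sample mirroring the thread: legacy namespace "elan",
# roles sourced from the "elan-ev" provider namespace.
ELAN_ROLE = LegacyRole(
    namespace=LegacyNamespace(id=8850, name='elan'),
    provider_namespace=ProviderNamespace(
        name='elan-ev',
        avatar_url='https://avatars.githubusercontent.com/u/1064602?s=200&v=4',
    ),
)
```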