[Bug 1564812] [NEW] Disable sudo io logging for rootwrap

Dr. Jens Rosenboom j.rosenboom at x-ion.de
Fri Apr 1 09:33:33 UTC 2016


Public bug reported:

Cinder, Neutron and Nova use rootwrappers that allow selected commands
to be executed with root privileges via sudo. If an administrator chooses
to enable sudo logging for security reasons, this will cause a lot of
files to be created, filling up file systems pretty fast. This
could be circumvented by changing the entry in
/etc/sudoers.d/cinder_sudoers like this:

--- /etc/sudoers.d/cinder_sudoers       2016-03-30 11:20:28.000000000 +0000
+++ /etc/sudoers.d/cinder_sudoers.new   2016-04-01 09:31:36.811807794 +0000
@@ -1,3 +1,3 @@
 Defaults:cinder !requiretty
 
-cinder ALL = (root) NOPASSWD: /usr/bin/cinder-rootwrap  /etc/cinder/rootwrap.conf *
+cinder ALL = (root) NOPASSWD: NOLOG_INPUT: NOLOG_OUTPUT: /usr/bin/cinder-rootwrap  /etc/cinder/rootwrap.conf *
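
Review bot: On the added `NOPASSWD: NOLOG_INPUT: NOLOG_OUTPUT:` line, the two tags switch off sudo I/O logging for everything cinder-rootwrap runs as root, because the rule still ends in `*`, and nothing in the file records that this is deliberate. Suggest adding a comment above the rule stating that I/O logging is disabled for rootwrap to keep the log directory from filling the file system, and that these tags affect only I/O logs, so sudo's normal command logging still records each invocation. The same comment should accompany the equivalent change in the nova and neutron sudoers files.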

and similarly for nova and neutron.

** Affects: cinder (Ubuntu)
     Importance: Undecided
         Status: New

** Affects: neutron (Ubuntu)
     Importance: Undecided
         Status: New

** Affects: nova (Ubuntu)
     Importance: Undecided
         Status: New

** Also affects: nova (Ubuntu)
   Importance: Undecided
       Status: New

** Also affects: neutron (Ubuntu)
   Importance: Undecided
       Status: New

https://bugs.launchpad.net/bugs/1564812