[Bug 1564812] Re: Disable sudo io logging for rootwrap

James Page james.page at ubuntu.com
Thu Jun 9 11:04:55 UTC 2016 

After some discussion on IRC, this problem occurs when log_input and
log_output are provided as modifications to the standard sudoers
configuration.

Its possible to exclude this default from certain users using:

Defaults:nova !log_input,!log_output

so I think this is a better solution for installations wishing to
provide full audit of user accounts use of sudo, but exclude sudo calls
from system accounts such as neutron and nova.

This can be applied either in sudoers.d (in a new file, not the package
provided one) or in /etc/sudoers itself.

I'm going to mark this bug as a Won't Fix - we should assume minimal
configuration defaults as part of the packaging, and let end-users
tailor their sudo configuration as required.

** Changed in: cinder (Ubuntu)
       Status: Triaged => Won't Fix

** Changed in: neutron (Ubuntu)
       Status: Triaged => Won't Fix

** Changed in: nova (Ubuntu)
       Status: Triaged => Won't Fix

-- 
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to neutron in Ubuntu.
https://bugs.launchpad.net/bugs/1564812

Title:
  Disable sudo io logging for rootwrap

Status in cinder package in Ubuntu:
  Won't Fix
Status in neutron package in Ubuntu:
  Won't Fix
Status in nova package in Ubuntu:
  Won't Fix

Bug description:
  Cinder, Neutron and Nova use rootwrappers that allow selected commands
  to be executed with root privileges via sudo. If an adminstrator
  chooses to enable sudo logging for security reasons, this will cause a
  lot of files being created, leading to filled up file systems pretty
  fast. This could be circumvented by changing the entry in
  /etc/sudoers.d/cinder_sudoers like this:

  --- /etc/sudoers.d/cinder_sudoers       2016-03-30 11:20:28.000000000 +0000
  +++ /etc/sudoers.d/cinder_sudoers.new   2016-04-01 09:31:36.811807794 +0000
  @@ -1,3 +1,3 @@
   Defaults:cinder !requiretty
   
  -cinder ALL = (root) NOPASSWD: /usr/bin/cinder-rootwrap  /etc/cinder/rootwrap.conf *
  +cinder ALL = (root) NOPASSWD: NOLOG_INPUT: NOLOG_OUTPUT: /usr/bin/cinder-rootwrap  /etc/cinder/rootwrap.conf *

  and similarly for nova and neutron.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/cinder/+bug/1564812/+subscriptions

More information about the Ubuntu-openstack-bugs mailing list