[Bug 1564812] Re: Disable sudo io logging for rootwrap
James Page
james.page at ubuntu.com
Thu Jun 9 11:04:55 UTC 2016
After some discussion on IRC, this problem occurs when log_input and
log_output are provided as modifications to the standard sudoers
configuration.
It's possible to exclude this default from certain users using:
Defaults:nova !log_input,!log_output
so I think this is a better solution for installations wishing to
provide full audit of user accounts use of sudo, but exclude sudo calls
from system accounts such as neutron and nova.
This can be applied either in sudoers.d (in a new file, not the package
provided one) or in /etc/sudoers itself.
I'm going to mark this bug as a Won't Fix - we should assume minimal
configuration defaults as part of the packaging, and let end-users
tailor their sudo configuration as required.
** Changed in: cinder (Ubuntu)
Status: Triaged => Won't Fix
** Changed in: neutron (Ubuntu)
Status: Triaged => Won't Fix
** Changed in: nova (Ubuntu)
Status: Triaged => Won't Fix
--
https://bugs.launchpad.net/bugs/1564812
Title:
Disable sudo io logging for rootwrap
Status in cinder package in Ubuntu:
Won't Fix
Status in neutron package in Ubuntu:
Won't Fix
Status in nova package in Ubuntu:
Won't Fix
Bug description:
Cinder, Neutron and Nova use rootwrappers that allow selected commands
to be executed with root privileges via sudo. If an administrator
chooses to enable sudo logging for security reasons, this will cause a
lot of files to be created, leading to filled up file systems pretty
fast. This could be circumvented by changing the entry in
/etc/sudoers.d/cinder_sudoers like this:
--- /etc/sudoers.d/cinder_sudoers 2016-03-30 11:20:28.000000000 +0000
+++ /etc/sudoers.d/cinder_sudoers.new 2016-04-01 09:31:36.811807794 +0000
@@ -1,3 +1,3 @@
Defaults:cinder !requiretty
-cinder ALL = (root) NOPASSWD: /usr/bin/cinder-rootwrap /etc/cinder/rootwrap.conf *
+cinder ALL = (root) NOPASSWD: NOLOG_INPUT: NOLOG_OUTPUT: /usr/bin/cinder-rootwrap /etc/cinder/rootwrap.conf *
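Review bot: the edited file is the package-provided /etc/sudoers.d/cinder_sudoers, so this change will be prompted for or overwritten on the next cinder package upgrade, and the NOLOG_INPUT/NOLOG_OUTPUT tags only cover this one command spec. A separate drop-in containing `Defaults:cinder !log_input,!log_output` gives the same exemption for every sudo call by the cinder account and survives upgrades. Also, if the `cinder_sudoers.new` file were placed in /etc/sudoers.d under that name, sudo's #includedir would skip it because the name contains a '.'.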
and similarly for nova and neutron.