[Bug 681774] Re: nova_sudoers is brittle, should use proper rootwrap

Thierry Carrez thierry at openstack.org
Fri Jun 10 09:27:59 UTC 2011


There are, in fact, three issues.

1/ The current sudoers file is way too permissive. It gives access to so
many unrestricted commands that the nova user is as powerful as the root
user.

2/ The sudoers setup is a bit brittle because it assumes things about
your /etc/sudoers ("must include /etc/sudoers.d").

3/ Whenever a code change in nova introduces the need for a new "sudo"
command, the packages fail to introduce in parallel the needed change in
the sudoers file, mainly because those are two separate code bases with
two separate sets of developers working on it.

Options include:
* Strengthening the nova_sudoers file (precisely limiting options for every command) would address (1)
* Shipping the nova_sudoers in Nova code, or generating it automatically at package-build time, would address (3)
* Writing a specific command wrapper in Nova would address (1) and (3), but suffers a bit from NIH

Not sure what the best way to deal with (2) is, or if we should just
assume sane sudoers.d support.

Another layer would be to ship apparmor profiles in Ubuntu packaging,
though we would encounter issue (3) again.

** Summary changed:

- nova_sudoers is brittle, should use proper rootwrap
+ nova_sudoers is brittle, often out of date, and too permissive

** Description changed:

- Using /etc/sudoers.d/nova_sudoers is a bit brittle. For example, it
- makes nova utterly fail if your /etc/sudoers is missing #includedir
- /etc/sudoers.d.
+ 1/ The current sudoers file is way too permissive. It gives access to so
+ many unrestricted commands that the nova user is as powerful as the root
+ user.
  
- It could be replaced by a proper root wrapper (like euca_rootwrap).
+ 2/ The sudoers setup is a bit brittle because it assumes things about
+ your /etc/sudoers ("must include /etc/sudoers.d").
+ 
+ 3/ Whenever a code change in nova introduces the need for a new "sudo"
+ command, the packages fail to introduce in parallel the needed change in
+ the sudoers file, mainly because those are two separate code bases with
+ two separate sets of developers working on it.

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to nova in Ubuntu.
https://bugs.launchpad.net/bugs/681774

Title:
  nova_sudoers is brittle, often out of date, and too permissive

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/nova/+bug/681774/+subscriptions
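The contrast between issue (1) and the "specific command wrapper" option, as an added example that is not part of the bug thread and is not nova's own code or the later nova-rootwrap: a sudoers entry that lists commands without arguments lets sudo run them with any arguments, whereas a wrapper matching each argument against a filter table can refuse the dangerous invocations. The sudoers line, the filter table, the `/var/lib/nova/instances/...` path convention and the `nova-*` iptables chain name are all constructed for illustration; `sudoers_allows` only approximates sudo's Cmnd matching for a single `NOPASSWD:` line.

```python
import re
import shlex
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple

# Constructed sudoers entry illustrating issue (1): every command is listed
# without arguments, which sudo reads as "any arguments". Hypothetical, not
# the real nova_sudoers file.
PERMISSIVE_SUDOERS = (
    "nova ALL=(root) NOPASSWD: /bin/chmod, /bin/chown, /bin/dd, /sbin/iptables"
)


def sudoers_allows(line: str, argv: Sequence[str]) -> bool:
    """Approximate sudo's Cmnd matching for one 'user host=(runas) TAG: cmds' line.

    A spec with no arguments matches any argument list, a spec with arguments
    must match them exactly, and a spec followed by "" matches only a bare call.
    """
    cmnd_list = line.partition(":")[2]  # text after the NOPASSWD: tag
    for spec in (s.strip() for s in cmnd_list.split(",")):
        parts = shlex.split(spec)
        if not parts or parts[0] != argv[0]:
            continue
        if len(parts) == 1:
            return True  # no arguments in the spec: anything goes
        if parts[1:] == [""]:
            return len(argv) == 1
        return list(argv[1:]) == parts[1:]
    return False


@dataclass(frozen=True)
class CommandFilter:
    """One permitted root command: exact executable plus one regex per argument."""
    exec_path: str
    arg_patterns: Optional[Sequence[str]] = None  # None = any arguments (avoid)

    def match(self, argv: Sequence[str]) -> bool:
        if not argv or argv[0] != self.exec_path:
            return False
        if self.arg_patterns is None:
            return True
        if len(argv) - 1 != len(self.arg_patterns):
            return False
        return all(re.fullmatch(p, a) is not None
                   for p, a in zip(self.arg_patterns, argv[1:]))


# A path component may not start with a dot, so ".." cannot escape the tree.
COMPONENT = r"[A-Za-z0-9_-][A-Za-z0-9_.-]*"
INSTANCE_PATH = rf"/var/lib/nova/instances/{COMPONENT}/{COMPONENT}"  # hypothetical layout

# Hypothetical filter table; shipping it with the nova code would let a new
# privileged command and its filter land in the same change (issue 3).
FILTERS = (
    CommandFilter("/bin/chmod", [r"0?[0-7]{3}", INSTANCE_PATH]),
    CommandFilter("/bin/chown", [r"nova:nova", INSTANCE_PATH]),
    CommandFilter("/bin/dd", [r"if=/dev/zero", rf"of={INSTANCE_PATH}",
                              r"bs=[0-9]+[kM]?", r"count=[0-9]+"]),
    CommandFilter("/sbin/iptables", [r"-[AD]", r"nova-[a-z]+", r"-s",
                                     r"[0-9.]+/[0-9]+", r"-j", r"ACCEPT|DROP"]),
)


def wrapper_allows(argv: Sequence[str]) -> bool:
    """What a root wrapper would check before exec'ing argv as root."""
    return any(f.match(argv) for f in FILTERS)


def authorize(cmdline: str) -> Tuple[bool, bool]:
    """Return (allowed by the permissive sudoers line, allowed by the wrapper)."""
    argv = shlex.split(cmdline)
    return sudoers_allows(PERMISSIVE_SUDOERS, argv), wrapper_allows(argv)


if __name__ == "__main__":
    for cmd in (
        "/bin/chmod 0644 /var/lib/nova/instances/instance-0001/disk",
        "/bin/chmod 4755 /bin/sh",                          # setuid root shell
        "/bin/dd if=/dev/zero of=/dev/sda bs=1M count=1",   # wipe the boot disk
        "/bin/chmod 0644 /var/lib/nova/instances/../shadow",
        "/sbin/iptables -A nova-filter -s 10.0.0.0/8 -j ACCEPT",
    ):
        allowed_sudo, allowed_wrap = authorize(cmd)
        print(f"{cmd:60} sudoers={allowed_sudo} wrapper={allowed_wrap}")
```

The three abusive invocations in the demo are all accepted by the argument-free sudoers entries (each is as good as root) and all refused by the wrapper, while the two legitimate ones pass both; the wrapper is only as safe as its regexes, which is why each argument is anchored with `fullmatch` and the path pattern forbids a leading dot.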



More information about the Ubuntu-server-bugs mailing list