openstack team mailing list archive

[Nova] Review of new run_as_root commands


Nova-core reviewers,

When you review code that introduces new utils.execute run_as_root
commands, please apply extra care to avoid removing the thin layer of
root/nova privilege separation we managed to introduce in Nova, or
breaking people running with nova-rootwrap.

* Any new run_as_root command should include a new nova.rootwrap filter
to match (generic or specific)

* Commands opening up too many possibilities should add a specific filter

* Make sure that command actually needs to run as root and can't be
replaced by a more specific or restrictive command

Examples:

Bad: https://github.com/openstack/nova/commit/1463839f
"cp" and "rm" added without any matching rootwrap filter

DoublePlusGood: https://github.com/openstack/nova/commit/65e23313
"cat" being added with specific filters to only allow it to touch
specific files

NB: There were about 5 commands added to master without filters -- I
will file bugs and add code so that nova-rootwrap works with those.

-- 
Thierry Carrez (ttx)
Release Manager, OpenStack
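
The distinction the message draws between generic and specific filters, as an added illustration that is not part of the original e-mail and not nova-rootwrap's own code. It is a constructed, simplified model of rootwrap-style filter matching: a generic CommandFilter that checks only the executable name, a specific RegExpFilter that constrains every argument, and a small review helper that lists run_as_root invocations no filter matches. The filter entries, the instance console-log path pattern and the sample commands are assumptions made for the example, not Nova's real filter set.

```python
import os
import re
import shlex

# Added example: a constructed, simplified model of rootwrap-style filter
# matching. It is not nova.rootwrap's code or its filter syntax; the filter
# entries and paths below are assumptions for illustration only.


class CommandFilter:
    """Generic filter: allows any invocation of one executable, whatever the
    arguments, by comparing basenames of the executable and of argv[0]."""

    def __init__(self, exec_path, run_as):
        self.exec_path = exec_path
        self.run_as = run_as

    def match(self, userargs):
        return (bool(userargs) and
                os.path.basename(self.exec_path) == os.path.basename(userargs[0]))


class RegExpFilter(CommandFilter):
    """Specific filter: the argument count must be exact and every argument,
    argv[0] included, must fully match its own pattern."""

    def __init__(self, exec_path, run_as, *arg_patterns):
        super().__init__(exec_path, run_as)
        self.arg_patterns = arg_patterns

    def match(self, userargs):
        if len(userargs) != len(self.arg_patterns):
            return False
        # fullmatch anchors both ends, so a trailing "/../etc/shadow" or an
        # extra argument cannot ride along on a partially matching one.
        return all(re.fullmatch(pat, arg) is not None
                   for pat, arg in zip(self.arg_patterns, userargs))


def authorize(filters, userargs):
    """First matching filter wins; None means the command is refused."""
    for f in filters:
        if f.match(userargs):
            return f
    return None


def is_allowed(filters, command_line):
    """Convenience wrapper: does this command line pass the filter list?"""
    return authorize(filters, shlex.split(command_line)) is not None


def unfiltered_commands(filters, run_as_root_calls):
    """Review helper: the run_as_root invocations that no filter matches,
    i.e. the calls that would break for people running nova-rootwrap."""
    return [argv for argv in run_as_root_calls if authorize(filters, argv) is None]


# Constructed filter lists (assumed paths; not Nova's real filter set).
SPECIFIC_FILTERS = [
    # "cat" allowed only against one instance's console log: the shape of the
    # "DoublePlusGood" example, a specific filter for specific files.
    RegExpFilter("/bin/cat", "root", "cat",
                 r"/var/lib/nova/instances/instance-[0-9a-f]{8}/console\.log"),
]

GENERIC_FILTERS = [
    # Same command, generic filter: every file on the host becomes readable as root.
    CommandFilter("/bin/cat", "root"),
]


if __name__ == "__main__":
    log = "/var/lib/nova/instances/instance-00000001/console.log"
    print(is_allowed(SPECIFIC_FILTERS, "cat " + log))        # True
    print(is_allowed(SPECIFIC_FILTERS, "cat /etc/shadow"))   # False
    print(is_allowed(GENERIC_FILTERS, "cat /etc/shadow"))    # True: generic is too broad
    # The "Bad" commit shape: cp and rm with no matching filter at all.
    print(unfiltered_commands(SPECIFIC_FILTERS,
                              [["cp", "/src", "/dst"], ["rm", "/dst"], ["cat", log]]))
```

Two things the model makes visible that the bullet list only implies: a generic filter for a command like cat is equivalent to no privilege separation for that command, since any file argument passes; and because the first matching filter wins, a generic filter anywhere in the list makes a specific filter for the same command moot, so the specific one has to be the only one. The unfiltered_commands helper is the mechanical form of the first bullet, to run against the list of run_as_root calls a change introduces.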