openstack team mailing list archive

extending rootwrap securely

As part of the plugin framework, I'm thinking about facilities for adding commands to the nova-rootwrap list without directly editing the code in nova-rootwrap. This is, naturally, super dangerous; I'm worried that I'm going to open a security hole big enough to pass a herd of elephants.

It doesn't help that I mostly know about devstack, and don't know a whole lot about the variety of ways that Nova is installed on actual production systems. So, my questions:

a) Is the nova code on a production system generally owned by root and read-only? (If the answer to this one is ever 'no' then we're done, because we're already 100% insecure.)

b) Does nova usually run as root user? (Again, thinking 'no' because otherwise we wouldn't need a rootwrap tool in the first place.)

c) Who generally has rights to modify nova.conf and/or add command-line args to the nova launch? (I want the answer to this to be 'just root' but I fear the answer is 'both root and the nova user.')

The crux: If additional commands can be added to rootwrap via nova.conf or the commandline, does that open security holes that aren't already open? Such a facility will give root to anyone who can modify the nova.conf or the nova commandline. So, if the nova user can modify the commandline, the question is: did the nova user /already/ have root access?
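One way for a deployer to answer questions (a) and (c) on a given host, added here as an example and not part of the original post: it checks that the files feeding rootwrap's allowed-command list are owned by root and not writable by group or others, and flags anything owned by the nova service user. The paths in DEFAULT_PATHS are assumed typical locations, not taken from the post.

```python
"""Audit the files that decide which commands rootwrap will run as root.
If the nova service user can write any of them, letting nova.conf or the
command line add rootwrap commands hands that user root outright."""
import os
import stat

# Assumed candidate paths; adjust to the actual deployment.
DEFAULT_PATHS = [
    "/etc/nova/nova.conf",
    "/etc/nova/rootwrap.conf",
    "/etc/nova/rootwrap.d",
    "/usr/bin/nova-rootwrap",
]


def check_entry(path, uid, mode, nova_uid=None):
    """Return findings for one filesystem entry.

    uid and mode are st_uid and st_mode as returned by os.stat, passed in
    explicitly so the logic can be exercised on constructed values."""
    findings = []
    if uid != 0:
        findings.append(f"{path}: owned by uid {uid}, not root")
    if mode & stat.S_IWGRP:
        findings.append(f"{path}: group-writable")
    if mode & stat.S_IWOTH:
        findings.append(f"{path}: world-writable")
    if nova_uid is not None and uid == nova_uid:
        findings.append(f"{path}: owned by the nova service user")
    return findings


def audit(paths=DEFAULT_PATHS, nova_uid=None):
    """lstat each path, its parent directory (a root-owned file in a
    nova-writable directory can simply be replaced) and, for a directory,
    each entry inside it.  Missing paths are reported, not skipped."""
    findings = []
    for path in paths:
        try:
            st = os.lstat(path)
        except FileNotFoundError:
            findings.append(f"{path}: missing")
            continue
        parent = os.path.dirname(path) or "/"
        pst = os.lstat(parent)
        findings.extend(check_entry(parent, pst.st_uid, pst.st_mode, nova_uid))
        findings.extend(check_entry(path, st.st_uid, st.st_mode, nova_uid))
        if stat.S_ISDIR(st.st_mode):
            for name in sorted(os.listdir(path)):
                child = os.path.join(path, name)
                cst = os.lstat(child)
                findings.extend(check_entry(child, cst.st_uid, cst.st_mode, nova_uid))
    return findings


if __name__ == "__main__":
    for line in audit():
        print(line)
```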
