openstack team mailing list archive
Message #10801
Re: extending rootwrap securely
> did the nova user /already/ have root access?
nova-rootwrap uses "sudo" to execute certain commands that require root access.
So yes, the nova user already has root access via sudo. You can check the /etc/sudoers file.
The stack.sh script from devstack adds the entry to the sudoers list for the user running stack.sh.
Although stack.sh allows "full root access" to the nova user, sudoers allows restricting the access to specific commands. (man sudoers)
This can help alleviate your security concerns a little by allowing only certain commands to be executed by the nova user.
(This might also restrict what the plugin can/cannot do - but at least it would be secure)
-Mandar
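The check suggested in the message, as an added example that is not part of the original post or of nova's code: a small Python audit that reports whether an account's sudoers entries grant ALL commands or only specific ones. The sample sudoers text, the account names and the command paths are constructed for illustration, and the parser is simplified (aliases and include directives are not resolved).

```python
import re

# Constructed sample, not from a real host: "stack" has a blanket grant,
# "nova" is restricted to specific commands (paths are illustrative).
SAMPLE_SUDOERS = """\
# constructed sample sudoers content
Defaults env_reset
stack ALL=(ALL) NOPASSWD: ALL
nova  ALL=(root) NOPASSWD: /usr/bin/nova-rootwrap, \\
      /sbin/ip
%admin ALL=(ALL) ALL
"""

# user-or-group, host list, "=", then runas/tags/commands
SPEC = re.compile(r"^(?P<who>\S+)\s+(?P<host>[^=\s]+)\s*=\s*(?P<rest>.+)$")

def logical_lines(text):
    """Join backslash continuations, then drop comments and blank lines."""
    joined = re.sub(r"\\\n\s*", " ", text)
    for line in joined.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            yield line

def audit(text, user):
    """Return (unrestricted, commands) for the entries naming `user`."""
    unrestricted, commands = False, []
    for line in logical_lines(text):
        m = SPEC.match(line)
        if not m or m.group("who") != user:
            continue
        rest = re.sub(r"\([^)]*\)", "", m.group("rest"))  # drop runas spec
        rest = re.sub(r"\b[A-Z_]+:", "", rest)            # drop tags (NOPASSWD:)
        for cmd in (c.strip() for c in rest.split(",")):
            if cmd == "ALL":
                unrestricted = True   # any command may be run as root
            elif cmd:
                commands.append(cmd)
    return unrestricted, commands

if __name__ == "__main__":
    for account in ("stack", "nova"):
        full, cmds = audit(SAMPLE_SUDOERS, account)
        print(account, "UNRESTRICTED" if full else "restricted to", cmds)
```

On a real host, pass the contents of /etc/sudoers (and any included files) as `text`; reading them requires root.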