More secure root wrapper
Nova needs root access for a number of actions and currently obtains it through sudo. Each distribution has to ship its own sudoers file in its packaging, and sudoers offers only coarse filtering of the allowed commands and their arguments: a rule that lets a command run with arbitrary arguments is in practice unrestricted root, so the sudoers file itself is a potential privilege escalation path.
This spec continues the work started in Diablo (refactoring the privilege escalation mechanism) by proposing a more secure root wrapper that allows:
* Precise filtering of arguments, not just of the executable
* Dropping privileges to a lower-privileged user for commands that do not actually need root
We'll also take this opportunity to review all uses of privilege escalation and remove the unneeded ones, and to separate commands into multiple filter profiles (one per node type).
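As an added illustration of the three points above (example code written for this page, not the blueprint's own code and not nova-rootwrap as it shipped): a minimal Python root wrapper that loads a per-node-type profile, matches the requested command against it with per-argument regexes, and either denies the request or execs the configured absolute path, dropping to a lower-privileged user when the rule says so. The rule syntax, the CommandFilter and RegExpFilter names, the constructed COMPUTE_FILTERS profile and every path and user name in it are assumptions made for this example.

```python
#!/usr/bin/env python3
"""Argument-filtering root wrapper (illustration only, not nova-rootwrap).

Assumed rule syntax, one rule per line:
    name: FilterClass, /abs/path/to/executable, run_as_user[, regex, regex...]
CommandFilter accepts any arguments; RegExpFilter needs one fully-matching
regex per argument (so the argument count is pinned as well). Regexes may
not contain commas in this toy syntax. First matching rule wins; anything
unmatched is denied."""
import os
import pwd
import re
import sys


class CommandFilter:
    """Executable-only rule: argv[0] must equal the basename of exec_path."""

    def __init__(self, name, exec_path, run_as):
        self.name, self.exec_path, self.run_as = name, exec_path, run_as

    def match(self, argv):
        return bool(argv) and argv[0] == os.path.basename(self.exec_path)


class RegExpFilter(CommandFilter):
    """Argument rule: every argument must fully match its own regex."""

    def __init__(self, name, exec_path, run_as, *patterns):
        super().__init__(name, exec_path, run_as)
        self.patterns = [re.compile(p) for p in patterns]

    def match(self, argv):
        if not super().match(argv) or len(argv) - 1 != len(self.patterns):
            return False
        # fullmatch anchors both ends: "0600abc" or a trailing "/../x" cannot
        # slip past the way a prefix-only re.match would let it.
        return all(p.fullmatch(a) for p, a in zip(self.patterns, argv[1:]))


FILTER_CLASSES = {"CommandFilter": CommandFilter, "RegExpFilter": RegExpFilter}


def load_filters(text):
    """Parse rules from text; blank lines and '#' comments are ignored."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, spec = line.partition(":")
        fields = [f.strip() for f in spec.split(",")]
        rules.append(FILTER_CLASSES[fields[0]](name.strip(), *fields[1:]))
    return rules


def match_filter(rules, argv):
    """Return the first rule accepting argv, or None (deny by default)."""
    for rule in rules:
        if rule.match(argv):
            return rule
    return None


def drop_privileges(user):
    """Become `user`: supplementary groups, then gid, then uid (order matters)."""
    pw = pwd.getpwnam(user)
    os.initgroups(pw.pw_name, pw.pw_gid)
    os.setgid(pw.pw_gid)
    os.setuid(pw.pw_uid)


def run(rules, argv):
    """Exec argv under its matching rule, or exit non-zero. Caller is root."""
    rule = match_filter(rules, argv)
    if rule is None:
        sys.stderr.write("rootwrap: denied: %s\n" % " ".join(argv))
        sys.exit(99)
    if rule.run_as != "root":
        drop_privileges(rule.run_as)
    # Always exec the absolute path from the rule, never a caller-supplied one.
    os.execv(rule.exec_path, [rule.exec_path] + argv[1:])


# Constructed compute-node profile (hypothetical rules, not the project's).
COMPUTE_FILTERS = """
# chmod is confined to one mode and one file pattern, not "any chmod".
chmod: RegExpFilter, /bin/chmod, root, 0600, /var/lib/nova/instances/instance-[0-9a-f]+/disk
kvm: CommandFilter, /usr/bin/kvm, root
# qemu-img needs no root: run it as the lower-privileged service user.
qemu-img: CommandFilter, /usr/bin/qemu-img, nova
"""


def decide(rules, argv):
    """Verdict string, for auditing a profile without executing anything."""
    rule = match_filter(rules, argv)
    if rule is None:
        return "DENY"
    return "ALLOW as %s via %s" % (rule.run_as, rule.exec_path)


if __name__ == "__main__":
    rules = load_filters(COMPUTE_FILTERS)
    for argv in (["chmod", "0600", "/var/lib/nova/instances/instance-1f/disk"],
                 ["chmod", "0600", "/etc/shadow"],
                 ["chmod", "0600", "/var/lib/nova/instances/../disk"],
                 ["kvm", "-m", "512"],
                 ["qemu-img", "info", "/tmp/base.qcow2"]):
        print("%-60s %s" % (" ".join(argv), decide(rules, argv)))
```

Deployed this way, the only sudoers entry a distribution needs is one NOPASSWD line granting the service user the wrapper itself; the wrapper then enforces the profile for that node type. Three properties do the security work: the caller never chooses the executable path, so PATH tricks are irrelevant; every argument is matched with fullmatch against its own regex, so neither an extra argument nor a partial-prefix match gets through; and the default is deny. The decide() helper lets you audit a profile's effective allow-list before trusting it.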
Blueprint information
- Status: Complete
- Approver: Vish Ishaya
- Priority: Medium
- Drafter: Thierry Carrez
- Direction: Approved
- Assignee: Thierry Carrez
- Definition: Approved
- Series goal: Accepted for essex
- Implementation: Implemented
- Milestone target: 2012.1
- Started by: Thierry Carrez
- Completed by: Thierry Carrez
Related branches
Related bugs
Bug #681774: nova_sudoers is brittle, often out of date, and too permissive (Fix Released)
Whiteboard
Work items:
* Implement python-based filter
* Review all uses of sudo and get rid of unneeded ones
* Separate commands into multiple filter profiles (by node type)
Review of current sudo usage at: http://
Gerrit topic: https:/
Addressed by: https:/ (A more secure root-wrapper alternative)