+1 to removing the sudoers rules we have; they're adding overhead and contain enough wildcards that all they do is give people a false sense of security.

On 23/07/13 17:39, Chris Jones wrote:
> Hi
>
> On 23 July 2013 10:52, Robert Collins <[email protected]
> <mailto:[email protected]>> wrote:
>
> > So I'd like to change things to say:
> > - either run sudo disk-image-create or
>
> This is probably the simplest option, but it does increase the amount of
> code we're running with elevated privileges, which might be a concern,
> but probably isn't, given the ratio of stuff that currently runs without
> sudo, to the stuff that does.
> I think we also need to do a little work to make this option functional,
> a quick test just now suggests we are doing something wrong with
> ELEMENTS_PATH at least.
>
> > - setup passwordless sudo or
>
> Doesn't sound like a super awesome option to me, it places an ugly
> security problem on anyone wanting to set this up anywhere, imo.

This idea seems best to me: keeping passwordless sudo for a specific user (not all users as with the current method) and only running the parts of di-b that need privileges as root makes it less likely accidents will happen with buggy code. I don't think it's any worse than the security implications of running di-b as root.

> > - don't run unattended.
>
> I like being able to run a build while I read email or do some reviews,
> so I do not like this option ;)
>
> I think if we make option 1 work, then option 2 is a viable option for
> people who want it, they have a single command to allow in sudoers.
> Option 3 essentially works in all scenarios :)
>
> FWIW I do quite like the implicit auditing of sudo commands that is
> currently required to manually create the sudoers file, but I take your
> point that it's probably unnecessary work at this point.
>
> Cheers,
>
> Chris
>
> _______________________________________________
> OpenStack-dev mailing list
> [email protected]
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
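As an added example (not code from this thread or from diskimage-builder), a small audit in the spirit of the point above about wildcarded sudoers rules: it flags rules that grant ALL or carry argument wildcards, and passes the single fixed-command rule that option 2 needs. The sample sudoers lines and the path /usr/bin/disk-image-create are constructed.

```python
import re

# Constructed sample sudoers content (not from the thread): two broad rules of
# the kind the thread argues against, and one narrow single-command rule.
SAMPLE_SUDOERS = """\
# broad: argument wildcard, and NOPASSWD ALL for a CI account
%builders ALL=(root) NOPASSWD: /usr/bin/disk-image-create *
jenkins   ALL=(ALL) NOPASSWD: ALL
# narrow: one user, one absolute command, no argument wildcards
dib       ALL=(root) NOPASSWD: /usr/bin/disk-image-create
"""

# user  host = (runas) [TAG:] command[, command...]
USER_SPEC = re.compile(r"^(\S+)\s+(\S+)\s*=\s*(?:\(([^)]*)\)\s*)?(.*)$")
SKIP = ("Defaults", "Cmnd_Alias", "User_Alias", "Host_Alias", "Runas_Alias")


def audit_sudoers(text):
    """Return (lineno, who, reason) for every rule that grants more than a
    single fixed command. Comments, Defaults and alias lines are skipped."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(SKIP):
            continue
        m = USER_SPEC.match(line)
        if not m:
            continue
        who, cmnd_spec = m.group(1), m.group(4)
        for entry in cmnd_spec.split(","):
            # drop tags such as NOPASSWD: or SETENV: in front of the command
            cmd = re.sub(r"^(?:[A-Z]+:\s*)+", "", entry.strip())
            if cmd == "ALL":
                findings.append((lineno, who, "ALL commands allowed"))
            elif any(ch in cmd for ch in "*?[]"):
                # sudoers matches '*' against the whole argument string,
                # spaces included, so this allows effectively any arguments
                findings.append((lineno, who, "wildcard in command: " + cmd))
            elif not cmd.startswith("/"):
                findings.append((lineno, who, "not an absolute path: " + cmd))
    return findings


if __name__ == "__main__":
    for lineno, who, reason in audit_sudoers(SAMPLE_SUDOERS):
        print("line %d (%s): %s" % (lineno, who, reason))
```

Run it against a copy of /etc/sudoers or a sudoers.d fragment after `visudo -c` has validated the syntax; an empty result means every rule names one absolute command with no wildcards.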
