Hello guys! I'm currently working on python-tripleoclient in order to squash the dreadful "NOPASSWD:ALL" allowed to the "stack" user.
The start was an issue with the rights on some files being wrong (owner by root instead of stack, in stack home). After some digging and poking, it appears the undercloud deployment is called with a "sudo openstack tripleo deploy" command - this, of course, creates some major issues regarding both security and right management. I see a couple of ways to correct that bad situation: - let the global "sudo" call, and play with setuid/setgid when we actually don't need the root access (as it's mentioned in this comment¹) - drop that global sudo call, and replace all the necessary calls by some "sudo" when needed. This involves the replacement of native python code, like "os.mkdir" and the like. The first one isn't a solution - code maintenance will not be possible, having to thing "darn, os.setuid() before calling that, because I don't need root" is the current way, and it just doesn't apply. So I started the second one. It's, of course, longer, not really nice and painful, but at least this will end to a good status, and not so bad solution. This also meets the current work of the Security Squad about "limiting sudo rights and accesses". For now I don't have a proper patch to show, but it will most probably appear shortly, as a Work In Progress (I don't think it will be mergeable before some time, due to all the constraints we have regarding version portability, new sudoer integration and so on). I'll post the relevant review link as an answer of this thread when I have something I can show. Cheers, C. ¹ https://github.com/openstack/python-tripleoclient/blob/master/tripleoclient/v1/tripleo_deploy.py#L827-L829 -- Cédric Jeanneret Software Engineer DFG:DF
signature.asc
Description: OpenPGP digital signature
__________________________________________________________________________ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
