On 06/05/2018 06:08 PM, Luke Hinds wrote:
> On Tue, Jun 5, 2018 at 3:44 PM, Cédric Jeanneret <cjean...@redhat.com> wrote:
> > Hello guys!
> >
> > I'm currently working on python-tripleoclient in order to squash the
> > dreadful "NOPASSWD:ALL" allowed to the "stack" user.
> >
> > The start was an issue with the rights on some files being wrong (owned
> > by root instead of stack, in stack home). After some digging and poking,
> > it appears the undercloud deployment is called with a "sudo openstack
> > tripleo deploy" command - this, of course, creates some major issues
> > regarding both security and right management.
> >
> > I see a couple of ways to correct that bad situation:
> > - let the global "sudo" call, and play with setuid/setgid when we
> >   actually don't need the root access (as it's mentioned in this comment¹)
> > - drop that global sudo call, and replace all the necessary calls by
> >   some "sudo" when needed. This involves the replacement of native python
> >   code, like "os.mkdir" and the like.
> >
> > The first one isn't a solution - code maintenance will not be possible,
> > having to think "darn, os.setuid() before calling that, because I don't
> > need root" is the current way, and it just doesn't apply.
> >
> > So I started the second one. It's, of course, longer, not really nice
> > and painful, but at least this will end to a good status, and not so bad
> > solution.
> >
> > This also meets the current work of the Security Squad about "limiting
> > sudo rights and accesses".
> >
> > For now I don't have a proper patch to show, but it will most probably
> > appear shortly, as a Work In Progress (I don't think it will be
> > mergeable before some time, due to all the constraints we have regarding
> > version portability, new sudoer integration and so on).
> >
> > I'll post the relevant review link as an answer to this thread when I
> > have something I can show.
> >
> > Cheers,
> >
> > C.
>
> Hi Cédric,
Hello Luke,

> Pleased to hear you are willing to take this on.

Well, we have to ;).

> It makes sense we should co-ordinate efforts here as I have been looking
> at the same item, but planned to start with heat-admin over on the
> overcloud.

Yep, took part in some discussions already.

> Due to the complexity / level of coverage in the use of sudo, it makes
> sense to have a spec where we can then get community consensus on the
> approach selected. This is important as it looks like we will need to
> have some sort of white list to maintain and make considerations around
> functional test coverage in CI (in case someone writes something new
> wrapped in sudo).

For now, I'm trying to see how's the extent at the code level itself. This also helps me understand the different things involved, and I also do some archaeology in order to understand the current situation.
But indeed, we should push a spec/blueprint in order to get a good idea of the task and open the discussion on a clear basis.

> In regards to your suggested positions within python code such as the
> client, it's worth looking at oslo.privsep [1] where a decorator can be
> used for when needing to setuid.

Hmm, yep, have to understand how to use it - its doc is.. well, kind of sparse. Would be good to get examples.

> Let's discuss this also in the squad meeting tomorrow and try to
> synergize approach for all tripleo nix accounts.

You can ping me on #tripleo - I go there by Tengu nick. I'm CET (so yeah, already up'n'running ;)).

Cheers,

C.
> [1] https://github.com/openstack/oslo.privsep
>
> Cheers,
>
> Luke
>
> > ¹ https://github.com/openstack/python-tripleoclient/blob/master/tripleoclient/v1/tripleo_deploy.py#L827-L829
> >
> > --
> > Cédric Jeanneret
> > Software Engineer
> > DFG:DF
> >
> > __________________________________________________________________________
> > OpenStack Development Mailing List (not for usage questions)
> > Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
> > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-de
> > <http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev>

--
Cédric Jeanneret
Software Engineer
DFG:DF
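The layout Cédric describes as his second option (drop the global sudo, escalate only the calls that really need root), as an added example that is not code from the thread or from python-tripleoclient: `privileged_argv`, `mkdir_as_root`, `find_wrong_owner` and `demo` are assumed names, the `runner` parameter is injected so the sudo path can be exercised without actually calling sudo, and the ownership audit checks for the root-owned-files-in-stack-home symptom reported at the top of the thread.

```python
"""Added example (not code from the thread or python-tripleoclient): keep the
client unprivileged and escalate only the calls that really need root,
one by one, instead of wrapping all of 'openstack tripleo deploy' in sudo."""
import os
import subprocess
import tempfile
from pathlib import Path

def privileged_argv(argv, euid=None):
    """Prefix argv with a non-interactive sudo unless we already run as root.
    '--' makes sudo stop option parsing before the wrapped command."""
    euid = os.geteuid() if euid is None else euid
    return list(argv) if euid == 0 else ["sudo", "-n", "--", *argv]

def run_privileged(argv, runner=subprocess.run, euid=None):
    """Run one privileged command as an argv list: no shell, no quoting games."""
    return runner(privileged_argv(argv, euid), check=True)

def mkdir_as_root(path, runner=subprocess.run, euid=None):
    """Replacement for os.mkdir() on a root-owned location such as /etc."""
    return run_privileged(["mkdir", "-p", str(path)], runner, euid)

def write_as_user(path, data):
    """Work inside the caller's own home stays plain Python: no root involved,
    so the file ends up owned by the invoking user rather than by root."""
    Path(path).write_text(data)
    return os.stat(path).st_uid

def find_wrong_owner(root, expected_uid):
    """Audit check for the symptom in the thread: entries under the stack home
    whose owner is not the stack user (e.g. root, after a sudo'd run)."""
    wrong = []
    for dirpath, _dirs, files in os.walk(root):
        for entry in (dirpath, *(os.path.join(dirpath, f) for f in files)):
            if os.lstat(entry).st_uid != expected_uid:
                wrong.append(entry)
    return sorted(wrong)

def demo(uid=None):
    """Constructed run in a temp dir: write a file as ourselves, then audit it
    with our own uid (clean) and with a foreign uid (everything flagged)."""
    uid = os.geteuid() if uid is None else uid
    home = tempfile.mkdtemp(prefix="stack-home-")
    target = os.path.join(home, "undercloud.conf")
    owner = write_as_user(target, "[DEFAULT]\n")
    clean = find_wrong_owner(home, uid)
    flagged = find_wrong_owner(home, uid + 1)
    return owner == uid, clean == [], flagged == [home, target]
```

Running `demo()` returns `(True, True, True)`: the file written without sudo belongs to the invoking user, the audit is clean for that user, and it flags both the directory and the file once a different owner is expected.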