Noa Resare created CLOUDSTACK-967:
-------------------------------------
Summary: security hazard: passwordless root sudo for cloud user
Key: CLOUDSTACK-967
URL: https://issues.apache.org/jira/browse/CLOUDSTACK-967
Project: CloudStack
Issue Type: Improvement
Security Level: Public (Anyone can view this level - this is the default.)
Reporter: Noa Resare
When running the setup-cloud-management program, it installs a terrible entry
in the file /etc/sudoers:

    cloud ALL =NOPASSWD : ALL

To the uninitiated: this means that the user 'cloud' can become root without
supplying a password via the sudo facility.
This is obviously very, very bad from a security perspective. Any security
vulnerability where an attacker (remote or local) can trick the CloudStack
server component into executing arbitrary tasks immediately escalates into root
access.
Let's figure out what permissions CloudStack actually needs and fix this.
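An added example, not part of the original report or of CloudStack's code: a small audit that flags sudoers entries like the one quoted above, where a user or group is granted NOPASSWD on ALL commands, including the case where the tag carries over to a later ALL in the same list. It assumes one host specification per entry and no escaped commas, and skips Defaults and alias lines; the function names and the sample file are constructed for illustration.

```python
import re

# Constructed sample. The "cloud" entry is the line quoted in the report;
# every other entry is made up for illustration.
SAMPLE_SUDOERS = """\
Defaults env_reset
root ALL=(ALL) ALL
cloud ALL =NOPASSWD : ALL
backup ALL=(root) NOPASSWD: /usr/bin/rsync, \\
    /bin/tar
deploy ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart app, ALL
%wheel ALL=(ALL) NOPASSWD: /usr/bin/systemctl status, PASSWD: ALL
"""

TAG = re.compile(r"\s*([A-Z_]+)\s*:\s*")    # e.g. "NOPASSWD :" or "SETENV:"
RUNAS = re.compile(r"\s*\([^)]*\)\s*")      # e.g. "(ALL)" or "(root)"

def logical_lines(text):
    """Join backslash continuations; drop comments and blank lines."""
    for line in re.sub(r"\\\n", " ", text).splitlines():
        line = line.split("#", 1)[0].strip()  # simplification: '#' starts a comment
        if line:
            yield line

def unrestricted_nopasswd(text):
    """Return the users/groups that may run ALL commands without a password."""
    findings = []
    for line in logical_lines(text):
        parts = line.split(None, 1)
        if len(parts) < 2 or parts[0].startswith("Defaults") or parts[0].endswith("_Alias"):
            continue
        who, (_host, eq, cmnds) = parts[0], parts[1].partition("=")
        if not eq:
            continue
        nopasswd = False  # a tag carries over to later commands in the same list
        for item in cmnds.split(","):  # simplification: no escaped commas
            if (m := RUNAS.match(item)):
                item = item[m.end():]
            while (m := TAG.match(item)):
                if m.group(1) in ("NOPASSWD", "PASSWD"):
                    nopasswd = m.group(1) == "NOPASSWD"
                item = item[m.end():]
            if nopasswd and item.strip() == "ALL":
                findings.append(who)
                break
    return findings

if __name__ == "__main__":
    for who in unrestricted_nopasswd(SAMPLE_SUDOERS):
        print(f"{who}: NOPASSWD on ALL commands")
```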