Noa Resare created CLOUDSTACK-967:
-------------------------------------

Summary: security hazard: passwordless root sudo for cloud user
Key: CLOUDSTACK-967
URL: https://issues.apache.org/jira/browse/CLOUDSTACK-967
Project: CloudStack
Issue Type: Improvement
Security Level: Public (Anyone can view this level - this is the default.)
Reporter: Noa Resare

When running the setup-cloud-management program, it installs a terrible entry in the file /etc/sudoers:

    cloud ALL =NOPASSWD : ALL

To the uninitiated: this means that the user 'cloud' can become root without supplying a password via the sudo facility.

This is obviously very, very bad from a security perspective. Any security vulnerability where an attacker (remote or local) can trick the cloudstack server component to execute arbitrary tasks immediately escalates into root access.

Let's figure out what permissions cloudstack actually needs and fix this.
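
An audit check for the kind of entry reported above, as an added example that is not part of the original issue or of CloudStack's code: it scans sudoers text and reports every rule that grants NOPASSWD on the command ALL. The sample input is constructed, and the `example-helper` path and the `svc` and `ops` users are hypothetical.

```python
import re

# user  hosts = [(runas)] [TAG:]... command[, command ...]
RULE = re.compile(r'^(?P<who>\S+)\s+(?P<hosts>[^=]+?)\s*=\s*(?P<rest>.+)$')
RUNAS = re.compile(r'^\(\s*[^)]*\)\s*')
TAG = re.compile(r'^([A-Z_]+)\s*:\s*')

def logical_lines(text):
    """Join backslash-continued lines; drop blank lines and '#' lines."""
    buf = ""
    for raw in text.splitlines():
        line = buf + raw.rstrip()
        if line.endswith("\\"):
            buf = line[:-1] + " "
            continue
        buf = ""
        line = line.strip()
        if line and not line.startswith("#"):  # also skips #include (not followed)
            yield line

def find_passwordless_all(text):
    """Return (who, rule) for each rule allowing command ALL with NOPASSWD."""
    hits = []
    for line in logical_lines(text):
        m = RULE.match(line)
        if not m or m["who"].startswith("Defaults") or m["who"].endswith("_Alias"):
            continue
        nopasswd = False  # a tag stays in force for later commands in the list
        for cmd in re.split(r',(?![^()]*\))', m["rest"]):  # not inside (runas)
            cmd = RUNAS.sub("", cmd.strip())
            while (t := TAG.match(cmd)):
                if t.group(1) in ("NOPASSWD", "PASSWD"):
                    nopasswd = t.group(1) == "NOPASSWD"
                cmd = cmd[t.end():]
            if nopasswd and cmd.strip() == "ALL":
                hits.append((m["who"], line))
                break
    return hits

SAMPLE = """\
# constructed sample, not a real host's sudoers
Defaults secure_path = /usr/sbin:/usr/bin
cloud ALL =NOPASSWD : ALL
%wheel ALL=(ALL) ALL
svc ALL=(root) NOPASSWD: /usr/local/bin/example-helper
ops ALL = (ALL) \\
    NOPASSWD: ALL
# old ALL=NOPASSWD: ALL
"""

if __name__ == "__main__":
    for who, rule in find_passwordless_all(SAMPLE):
        print(f"passwordless ALL for {who}: {rule}")
```

Rules that name specific commands, such as the `svc` line, are not reported; aliases are not expanded, so a Cmnd_Alias that resolves to ALL needs a separate check.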