Re: [Openstack] extending rootwrap securely

2012-05-03 Thread Thierry Carrez
Yuriy Taraday wrote:
> We can do "#includedir /etc/nova/sudoers.d" from sudoers as well.
> I think a solution with a separate conf/dir for rootwrap is a step
> back to sudo.

Except that sudo/sudoers does not allow argument filtering or more complex filters, which is the main reason nova-rootwrap

Re: [Openstack] extending rootwrap securely

2012-05-03 Thread Yuriy Taraday
We can do "#includedir /etc/nova/sudoers.d" from sudoers as well. I think a solution with a separate conf/dir for rootwrap is a step back to sudo.

Kind regards, Yuriy.

On Wed, May 2, 2012 at 1:54 PM, Thierry Carrez wrote:
> Andrew Bogott wrote:
>> As part of the plugin framework, I'm think

Re: [Openstack] extending rootwrap securely

2012-05-02 Thread Thierry Carrez
Eric Windisch wrote:
> I'd really like to see this security mechanism overhauled. Rootwrap was
> an improvement over what was there before, however, I don't believe that
> rootwrap is a viable long-term solution as currently designed. Rootwrap
> has resulted in the use of potentially insecure shel

Re: [Openstack] extending rootwrap securely

2012-05-02 Thread Thierry Carrez
Andrew Bogott wrote:
> As part of the plugin framework, I'm thinking about facilities for
> adding commands to the nova-rootwrap list without directly editing the
> code in nova-rootwrap. This is, naturally, super dangerous; I'm worried
> that I'm going to open a security hole big enough to pa

Re: [Openstack] extending rootwrap securely

2012-04-30 Thread Eric Windisch
These are all installation-specific. Devstack is the closest thing there is to an official installer and that clearly doesn't do all the right things, from the perspective of making it *easy* to work with and test, rather than making it production-ready. I think most of the integrators are doin

Re: [Openstack] extending rootwrap securely

2012-04-30 Thread Andrew Bogott
On 4/30/12 2:35 AM, Vaze, Mandar wrote: did the nova user /already/ have root access? nova-rootwrap uses "sudo" to execute certain commands that require root access. So yes, nova user already has root access via sudo. You can check /etc/sudoers file. It sounds like you are saying nova-rootwr

Re: [Openstack] extending rootwrap securely

2012-04-30 Thread Vaze, Mandar
> did the nova user /already/ have root access?

nova-rootwrap uses "sudo" to execute certain commands that require root access. So yes, nova user already has root access via sudo. You can check /etc/sudoers file. stack.sh script from devstack adds the entry in sudoers list for the user runnin

[Openstack] extending rootwrap securely

2012-04-29 Thread Andrew Bogott
As part of the plugin framework, I'm thinking about facilities for adding commands to the nova-rootwrap list without directly editing the code in nova-rootwrap. This is, naturally, super dangerous; I'm worried that I'm going to open a security hole big enough to pass a herd of elephants.