[openstack-dev] Any use for rootwrap?

Thierry Carrez thierry at openstack.org
Mon Feb 4 15:54:33 UTC 2013


Thomas Goirand wrote:
> Today, chatting in #debian-devel, Ansgar very well noticed that Cinder
> rootwrap has this in /etc/cinder/rootwrap.conf:
> 
> chown: CommandFilter, /bin/chown, root
> 
> What's the point of having rootwrap if we allow the use of chown? That's
> equivalent to running as root:
> 
> chown cinder /bin/bash
> 
> game over...
> 
> Nova has the same problem. There might be others (quantum?), I haven't
> dug so much...
> 
> It's dangerous if we are considering that we aren't root, when really,
> we do have all the root capabilities. I hope that nobody is seriously
> thinking about enforcing any kind of security policies this way.

That's a well-known issue (there is a bug opened about that, and I've
gone through this explanation quite a few times on the ML before). Yes,
the current rootwrap filters on nova compute nodes are too permissive
and don't isolate the nova user from the root user.

BUT that's just compute nodes. The filters for API nodes, for example,
don't allow crazy commands, and therefore using rootwrap there allows to
isolate the nova user from the root user efficiently. Scheduler nodes
don't have any filter enabled, so nova can't run anything as root. Same
for Cinder API nodes.

Rootwrap is a framework that lets you limit what the openstack user can
run as root. With permissive filters, it's as useless as the mechanism
it replaced (allow nova to run sudo). With strong filters, it's efficient.

That doesn't mean there is no issue with nova compute nodes, or cinder
volume nodes. Everywhere such a permissive command is used, a stronger
filter should be set up (RegExpFilter comes to mind). Or remove the need
for using "chown" altogether. This does not invalidate the need for
rootwrap. Like any framework, it's only as good as the use you make of it.

Hope this clarifies (again).

-- 
Thierry Carrez (ttx)
Release Manager, OpenStack
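The difference between the permissive CommandFilter quoted above and the tighter RegExpFilter Thierry suggests can be seen in a few lines. The following is an added example, not code from the thread or from nova/cinder/oslo.rootwrap itself: it is a small model of the two filter classes written after rootwrap's matching rules (CommandFilter checks only that argv[0] is the executable's basename; RegExpFilter anchors one regular expression per argument and requires the argument count to match). The filter lines, the `cinder` user and the `/dev/[a-z0-9]+` device pattern are constructed assumptions about what a volume node actually needs; real filter files carry a `[Filters]` section header and are loaded by rootwrap's own parser.

```python
import os
import re
import shlex

# Constructed filter files in rootwrap's "name: Class, exec_path, run_as[, args]" syntax.
# The permissive one is the line quoted in the thread; the strict one only allows
# "chown cinder <device under /dev>" (assumed to be the volume node's real need).
PERMISSIVE_FILTERS = """
[Filters]
chown: CommandFilter, /bin/chown, root
"""

STRICT_FILTERS = """
[Filters]
chown: RegExpFilter, /bin/chown, root, chown, cinder, /dev/[a-z0-9]+
"""


class CommandFilter:
    """Allows any invocation of exec_path, whatever the arguments (modelled on rootwrap)."""

    def __init__(self, exec_path, run_as, args):
        self.exec_path = exec_path
        self.run_as = run_as
        self.args = args

    def match(self, userargs):
        # Only argv[0] is checked; "chown cinder /bin/bash" passes just as well.
        return bool(userargs) and userargs[0] == os.path.basename(self.exec_path)


class RegExpFilter(CommandFilter):
    """Every argument (argv[0] included) must fully match its own pattern."""

    def match(self, userargs):
        if len(userargs) != len(self.args):
            return False  # extra or missing arguments are denied outright
        for pattern, arg in zip(self.args, userargs):
            try:
                if not re.match(pattern + "$", arg):  # anchor at end of string
                    return False
            except re.error:
                return False  # a malformed pattern denies rather than allows
        return True


FILTER_CLASSES = {"CommandFilter": CommandFilter, "RegExpFilter": RegExpFilter}


def load_filters(text):
    """Parse filter lines; blank lines, comments and section headers are skipped."""
    filters = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("["):
            continue
        _name, _, spec = line.partition(":")
        fields = [f.strip() for f in spec.split(",")]
        cls, exec_path, run_as, args = fields[0], fields[1], fields[2], fields[3:]
        filters.append(FILTER_CLASSES[cls](exec_path, run_as, args))
    return filters


def is_allowed(filter_text, command):
    """True if some filter in filter_text would let rootwrap run `command` as root."""
    userargs = shlex.split(command)
    return any(f.match(userargs) for f in load_filters(filter_text))


if __name__ == "__main__":
    for label, filters in (("permissive", PERMISSIVE_FILTERS), ("strict", STRICT_FILTERS)):
        for cmd in ("chown cinder /dev/sdb", "chown cinder /bin/bash", "chown -R cinder /dev/sdb"):
            print(f"{label:10} {cmd!r:32} -> {is_allowed(filters, cmd)}")
```

With the permissive file both the legitimate device chown and the `/bin/bash` case from the thread are accepted, which is the "equivalent to running as root" point; with the RegExpFilter only the device case matches, and the argument-count check also rejects an added `-R`. Anchoring each pattern with `$` matters: without it `/dev/sdb/../../bin/bash` style arguments would be a concern, whereas the constructed character class here excludes `/` and `.` after the `/dev/` prefix.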
