[openstack-dev] Any use for rootwrap?

Thomas Goirand zigo at debian.org
Mon Feb 4 17:07:26 UTC 2013


On 02/04/2013 11:54 PM, Thierry Carrez wrote:
> Thomas Goirand wrote:
>> Today, chatting in #debian-devel, Ansgar very well noticed that Cinder
>> rootwrap has this in /etc/cinder/rootwrap.conf:
>>
>> chown: CommandFilter, /bin/chown, root
>>
>> What's the point of having rootwrap if we allow the use of chown? That's
>> equivalent to running as root:
>>
>> chown cinder /bin/bash
>>
>> game over...
>>
>> Nova has the same problem. There might be others (quantum?), I haven't
>> dug so much...
>>
>> It's dangerous if we are considering that we aren't root, when really,
>> we do have all the root capabilities. I hope that nobody is seriously
>> thinking about enforcing any kind of security policies this way.
> 
> That's a well-known issue (there is a bug opened about that, and I've
> gone through this explanation quite a few times on the ML before

I'm sorry. I can't read absolutely all... I probably should have searched
the archive :(

As I wrote, I just needed an answer to give to the Debian FTP master
person who told me about this, and I'm really thankful that you were
prompt to help.

Cheers,

Thomas
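A small lint for rootwrap filter definitions, added here as an example and not part of the thread or of rootwrap itself: it flags the kind of entry the thread quotes, a `CommandFilter` that runs an ownership-changing command as root with no argument restriction. It assumes the `[Filters]` section layout (`name: FilterClass, executable, run-as-user[, args...]`); the sample file and the command list are constructed.

```python
"""Lint rootwrap filter files for root-equivalent CommandFilter entries."""
import configparser
import os

# Commands that, run as root with caller-chosen arguments, let the calling
# service user take ownership of arbitrary files. Only chown (the command
# from the thread) is listed; extending it is an operator's own assumption.
OWNERSHIP_COMMANDS = {"chown"}

# Constructed sample in the rootwrap filter format. The chown line mirrors
# the entry quoted in the thread; the other two entries are made up to show
# an unrelated command and an argument-restricted variant.
SAMPLE_FILTERS = """\
[Filters]
chown: CommandFilter, /bin/chown, root
lvs: CommandFilter, /sbin/lvs, root
chown_vol: RegExpFilter, /bin/chown, root, chown, cinder, /var/lib/cinder/.*
"""


def parse_filters(text):
    """Return {name: (filter_class, exec_path, run_as, extra_args)}."""
    parser = configparser.ConfigParser()
    parser.read_string(text)
    entries = {}
    for name, value in parser["Filters"].items():
        parts = [p.strip() for p in value.split(",")]
        entries[name] = (parts[0], parts[1], parts[2], parts[3:])
    return entries


def find_unrestricted_root_commands(text):
    """Flag CommandFilter entries (no argument restriction at all) that run
    an ownership-changing command as root: root-equivalent for the caller."""
    findings = []
    for name, (cls, exec_path, run_as, _extra) in parse_filters(text).items():
        if (cls == "CommandFilter" and run_as == "root"
                and os.path.basename(exec_path) in OWNERSHIP_COMMANDS):
            findings.append((name, exec_path))
    return findings


if __name__ == "__main__":
    for name, path in find_unrestricted_root_commands(SAMPLE_FILTERS):
        print(f"{name}: {path} runs as root with unrestricted arguments")
```

The RegExpFilter entry is not flagged because its argument patterns, not the filter class alone, decide what the caller can do; reviewing those patterns is a separate check.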