[openstack-dev] [tripleo] Limiting sudo coverage of heat-admin / stack and other users.

Luke Hinds lhinds at redhat.com
Mon May 21 13:49:43 UTC 2018


A few operators have requested if it's possible to limit sudo's coverage on
both the under / overcloud. There is concern over `ALL=(ALL) NOPASSWD:ALL`,
which allows someone to `sudo su`.

This task has come under the care of the tripleo security squad.

The work is being tracked and discussed here [0].

So far it looks like the approach will be to use regexp within
/etc/sudoers.d/*, to narrow down as close as possible to the specific
commands called. Some services already do this with rootwrap:

ironic ALL = (root) NOPASSWD: /usr/bin/ironic-rootwrap /etc/ironic/rootwrap.conf *

It's fairly easy to pick up a list of all sudo calls using a simple script
[1].

The other prolific user of sudo is ansible / stack, for example:

/bin/sh -c echo BECOME-SUCCESS-kldpbeueyodisjajjqthpafzadrncdff;
/usr/bin/python
/home/stack/.ansible/tmp/ansible-tmp-1526579105.0-109863952786117/systemd.py;
rm -rf "/home/stack/.ansible/tmp/ansible-tmp-1526579105.0-109863952786117/"
> /dev/null 2>&1

My feelings here are to again use regexp around the immutable, non-random
parts of the command. cjeanner also made some suggestions in the etherpad
[0].

However, aside from the approach, we need to consider the impact locking down
might have should someone develop a new bit of code that leverages
commands wrapped in sudo and assumes ALL will be in place. This of course
will be blocked.

Now my guess is that our CI would capture this as the deploy would fail(?)
and the developer should work out that an entry is needed when testing their
patch, but I wanted to open this up to others who know testing at the gate
much better than myself. Also, I encourage any thoughts on the topic to be
introduced to the etherpad [0].

[0] https://etherpad.openstack.org/p/tripleo-heat-admin-security
[1] https://gist.github.com/lukehinds/4cdb1bf4de526a049c51f05698b8b04f

-- 
Luke Hinds
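The "list of all sudo calls" idea and the "regexp around the non-random parts" idea above, as one added example that is not the gist from the post nor TripleO code: it parses constructed sudo syslog lines, collapses the random BECOME-SUCCESS token and ansible-tmp paths into sudoers wildcards, and renders candidate per-user rules for review, flagging rules whose command is a shell, interpreter or su, since such a rule still grants full root even when the arguments are narrowed. The sample log lines and the FULL_ROOT list are assumptions; sudoers uses shell-style globs rather than regular expressions, and a glob can match across whitespace, so the output is a review list, not something to install verbatim.

```python
import re
from collections import defaultdict

# Constructed sample lines in the sudo syslog format (not from the original post).
SAMPLE_LOG = """\
May 21 13:40:01 undercloud sudo:   ironic : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/bin/ironic-rootwrap /etc/ironic/rootwrap.conf ip link show
May 21 13:40:05 undercloud sudo:    stack : TTY=pts/0 ; PWD=/home/stack ; USER=root ; COMMAND=/bin/sh -c echo BECOME-SUCCESS-kldpbeueyodisjajjqthpafzadrncdff; /usr/bin/python /home/stack/.ansible/tmp/ansible-tmp-1526579105.0-109863952786117/systemd.py; rm -rf "/home/stack/.ansible/tmp/ansible-tmp-1526579105.0-109863952786117/" > /dev/null 2>&1
May 21 13:41:12 undercloud sudo:    stack : TTY=pts/0 ; PWD=/home/stack ; USER=root ; COMMAND=/bin/sh -c echo BECOME-SUCCESS-zzqwertyuiopasdfghjklzxcvbnmqwer; /usr/bin/python /home/stack/.ansible/tmp/ansible-tmp-1526579200.0-2222/setup.py; rm -rf "/home/stack/.ansible/tmp/ansible-tmp-1526579200.0-2222/" > /dev/null 2>&1
May 21 13:42:00 undercloud sudo: heat-admin : TTY=pts/1 ; PWD=/home/heat-admin ; USER=root ; COMMAND=/bin/su
"""

SUDO_RE = re.compile(r"sudo:\s+(?P<user>\S+) : .*?USER=(?P<runas>\S+) ; COMMAND=(?P<cmd>.*)$")

# Random or per-run fragments of Ansible's become command, replaced by sudoers wildcards.
NORMALISERS = [
    (re.compile(r"BECOME-SUCCESS-[a-z]+"), "BECOME-SUCCESS-*"),
    (re.compile(r"ansible-tmp-[0-9.]+-[0-9]+/[A-Za-z0-9_]+\.py"), "ansible-tmp-*/*.py"),
    (re.compile(r"ansible-tmp-[0-9.]+-[0-9]+"), "ansible-tmp-*"),
]
# Assumed list: a rule whose command is one of these is still equivalent to ALL.
FULL_ROOT = ("/bin/sh", "/bin/bash", "/bin/su", "/usr/bin/python")

def normalise(cmd):
    for rx, repl in NORMALISERS:
        cmd = rx.sub(repl, cmd)
    return cmd

def collect_sudo_calls(log_text):
    """Map (user, runas) -> sorted unique normalised commands seen in the log."""
    calls = defaultdict(set)
    for line in log_text.splitlines():
        m = SUDO_RE.search(line)
        if m:
            calls[(m["user"], m["runas"])].add(normalise(m["cmd"]))
    return {k: sorted(v) for k, v in calls.items()}

def render_sudoers(calls):
    """Emit one candidate sudoers.d line per observed command, for human review."""
    lines = []
    for (user, runas), cmds in sorted(calls.items()):
        for cmd in cmds:
            flag = "  # still full root" if cmd.split()[0] in FULL_ROOT else ""
            lines.append(f"{user} ALL = ({runas}) NOPASSWD: {cmd}{flag}")
    return lines

if __name__ == "__main__":
    print("\n".join(render_sudoers(collect_sudo_calls(SAMPLE_LOG))))
```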