[openstack-dev] Any use for rootwrap?
Thomas Goirand
zigo at debian.org
Mon Feb 4 15:03:36 UTC 2013
Hi,
Today, chatting in #debian-devel, Ansgar very well noticed that Cinder
rootwrap has this in /etc/cinder/rootwrap.conf:
chown: CommandFilter, /bin/chown, root
What's the point of having rootwrap if we allow the use of chown? That's
equivalent to running as root:
chown cinder /bin/bash
game over...
Nova has the same problem. There might be others (quantum?), I haven't
dug so much...
It's dangerous if we are considering that we aren't root, when really,
we do have all the root capabilities. I hope that nobody is seriously
thinking about enforcing any kind of security policies this way.
Comments anyone?
Thomas
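
Added example, not part of the original message and not OpenStack code: a small audit that reads filter definitions in the format quoted above and flags CommandFilter entries that pass arbitrary arguments to a root-equivalent command as root. The ROOT_EQUIVALENT list and every sample line other than the chown entry are assumptions made for illustration.

```python
import configparser
import posixpath

# Assumption: commands that give root-equivalent control over files when
# their arguments are unrestricted. Illustrative, not exhaustive.
ROOT_EQUIVALENT = {"chown", "chmod", "cp", "mv", "dd", "tee", "ln"}

# Constructed sample; only the chown line is taken from the message.
SAMPLE = """\
[Filters]
chown: CommandFilter, /bin/chown, root
lvs: CommandFilter, /sbin/lvs, root
chmod_tmp: RegExpFilter, /bin/chmod, root, chmod, 0600, /tmp/vol-[0-9]+
whoami: CommandFilter, /usr/bin/whoami, cinder
"""


def audit_filters(text):
    """Return (name, path) for each entry that lets any arguments reach a
    root-equivalent command running as root."""
    parser = configparser.RawConfigParser()  # no % interpolation of regexes
    parser.optionxform = str                 # keep filter names as written
    parser.read_string(text)
    findings = []
    if not parser.has_section("Filters"):
        return findings
    for name, value in parser.items("Filters"):
        fields = [f.strip() for f in value.split(",")]
        if len(fields) < 3:
            continue  # malformed entry, nothing to judge
        filter_class, path, run_as = fields[:3]
        # CommandFilter matches on the executable only, so arguments are
        # unconstrained; RegExpFilter entries pin each argument instead.
        if (filter_class == "CommandFilter" and run_as == "root"
                and posixpath.basename(path) in ROOT_EQUIVALENT):
            findings.append((name, path))
    return findings


if __name__ == "__main__":
    for name, path in audit_filters(SAMPLE):
        print(f"{name}: {path} runs as root with unrestricted arguments")
```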