[openstack-dev] [tripleo] removing sudoers.d rules from disk-image-builder
Robert Collins
robertc at robertcollins.net
Tue Jul 23 09:52:11 UTC 2013
We have a bunch of sudo rules in disk-image-builder. They are there
primarily so we could have passwordless sudo on jenkins boxes, but
working with the infra team now, it looks like we'd run on
devstack-gate nodes, not on jenkins directly, so they aren't needed
for that.
They don't add appreciable security for end users as they are
trivially bypassed with link attacks.
And for distributors they are not something you want to install from a package.
The only thing the *do* do is permit long running builds to run
unattended by users with out reprompting for sudo; but this isn't an
issue for most users, as we download the bulk of data before hitting
the first sudo call.
So I'd like to change things to say:
- either run sudo disk-image-create or
- setup passwordless sudo or
- don't run unattended.
and delete the sudoers.d rules as being a distraction, one we no longer need.
Opinions?
-Rob
--
Robert Collins <rbtcollins at hp.com>
Distinguished Technologist
HP Cloud Services
More information about the OpenStack-dev
mailing list