[openstack-dev] [tripleo] removing sudoers.d rules from disk-image-builder

Derek Higgins derekh at redhat.com
Wed Jul 24 21:18:24 UTC 2013


+1 to removing the sudoers rules we have, they're adding overhead and
contain enough wildcards that all they do is give people a false sense
of security

On 23/07/13 17:39, Chris Jones wrote:
> Hi
> 
> On 23 July 2013 10:52, Robert Collins <robertc at robertcollins.net
> <mailto:robertc at robertcollins.net>> wrote:
> 
>     So I'd like to change things to say:
>      - either run sudo disk-image-create or
> 
> 
> This is probably the simplest option, but it does increase the amount of
> code we're running with elevated privileges, which might be a concern,
> but probably isn't, given the ratio of stuff that currently runs without
> sudo, to the stuff that does.
> I think we also need to do a little work to make this option functional,
> a quick test just now suggests we are doing something wrong with
> ELEMENTS_PATH at least.
>  
> 
>      - setup passwordless sudo or
> 
> 
> Doesn't sound like a super awesome option to me, it places an ugly
> security problem on anyone wanting to set this up anywhere, imo.


this idea seems best to me, keeping passwordless sudo for a specific
user (not all users as with the current method) and only running the
parts of di-b that need privileges as root makes it less likely
accidents will happen with buggy code.

I don't think it's any worse than the security implications of running
di-b as root.

>  
> 
>      - don't run unattended.
> 
> 
> I like being able to run a build while I read email or do some reviews,
> so I do not like this option ;)
> 
> I think if we make option 1 work, then option 2 is a viable option for
> people who want it, they have a single command to allow in sudoers.
> Option 3 essentially works in all scenarios :)
>  
> FWIW I do quite like the implicit auditing of sudo commands that is
> currently required to manually create the sudoers file, but I take your
> point that it's probably unnecessary work at this point.
> 
> Cheers,
> 
> Chris
> 
> 
> _______________________________________________
> OpenStack-dev mailing list
> OpenStack-dev at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
> 
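The point raised in the thread about wildcard-laden sudoers rules giving a false sense of security can be checked mechanically. The following is an added example, not code from the thread or from diskimage-builder: a small audit script that parses sudoers-style user specifications and flags the three ways a rule is broader than it reads, namely a bare `ALL` command, a glob in the command path, and a glob in (or the complete absence of) an argument specification. The sample sudoers lines and the user names in it (`builder`, `ops`, `dev`, `auditor`) are constructed for the example; the argument semantics it relies on are those documented in sudoers(5): a command listed without arguments may be run with any arguments, `""` permits only no arguments, and a `*` in an argument pattern matches spaces as well.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample sudoers fragment; this is NOT disk-image-builder's real
# sudoers.d file. User names and paths are hypothetical.
SAMPLE_SUDOERS = """\
# constructed example, not disk-image-builder's real sudoers.d file
Defaults env_reset
builder ALL=(root) NOPASSWD: /usr/bin/disk-image-create
builder ALL=(root) NOPASSWD: /bin/mount *, /bin/umount *
builder ALL=(root) NOPASSWD: /usr/local/bin/dib-*
ops ALL=(ALL) NOPASSWD: ALL
dev ALL=(root) /usr/bin/apt-get install *
auditor ALL=(root) /usr/sbin/losetup --list
builder ALL=(root) NOPASSWD: /usr/bin/sync ""
"""

GLOB_CHARS = set("*?[")
# Directives that are not user specifications and are skipped by this audit.
SKIP_PREFIXES = ("Defaults", "Cmnd_Alias", "User_Alias", "Host_Alias", "Runas_Alias")

# user  host = (runas) TAG: cmd, cmd, ...
SPEC_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*"   # who, on which hosts
    r"(?:\((?P<runas>[^)]*)\)\s*)?"            # optional (runas) list
    r"(?P<tags>(?:[A-Z]+:\s*)*)"               # NOPASSWD:, SETENV:, ...
    r"(?P<cmds>.+)$"                           # comma-separated Cmnd list
)


@dataclass
class Finding:
    line_no: int
    user: str
    command: str
    nopasswd: bool
    reason: str


def classify_command(cmd: str) -> Optional[str]:
    """Return why a Cmnd is broader than it looks, or None if it is tight."""
    if cmd == "ALL":
        return "ALL: any command may be run as the runas user"
    path, _, args = cmd.partition(" ")
    args = args.strip()
    if GLOB_CHARS & set(path):
        return "wildcard in command path"
    if args == "":
        # sudoers(5): a command with no argument spec accepts any arguments.
        return "no argument spec: sudoers allows any arguments"
    if args == '""':
        # sudoers(5): "" means the command may only run without arguments.
        return None
    if GLOB_CHARS & set(args):
        return "wildcard in arguments (a * in sudoers also matches spaces)"
    return None


def audit_sudoers(text: str) -> List[Finding]:
    """Scan sudoers text and return one Finding per over-broad command."""
    findings: List[Finding] = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith(SKIP_PREFIXES):
            continue
        m = SPEC_RE.match(line)
        if not m:
            continue
        nopasswd = "NOPASSWD" in m.group("tags")
        for cmd in (c.strip() for c in m.group("cmds").split(",")):
            if not cmd:
                continue
            reason = classify_command(cmd)
            if reason:
                findings.append(Finding(n, m.group("user"), cmd, nopasswd, reason))
    return findings


if __name__ == "__main__":
    for f in audit_sudoers(SAMPLE_SUDOERS):
        tag = "NOPASSWD" if f.nopasswd else "password"
        print(f"line {f.line_no}: {f.user} [{tag}] {f.command!r}: {f.reason}")
```

Run against the sample, only the `losetup --list` rule and the `sync ""` rule come back clean; everything else is effectively "run this as root with whatever arguments you like", which is the false sense of security the thread describes. The script does not handle aliases, `\,` escapes or line continuations, so on a real file treat it as a first pass rather than a substitute for `visudo -c` and a read-through.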



