[openstack-dev] [tripleo] removing sudoers.d rules from disk-image-builder

Derek Higgins derekh at redhat.com
Thu Jul 25 13:20:36 UTC 2013

On 25/07/13 09:41, Chris Jones wrote:
> Hi
> On 24 July 2013 22:18, Derek Higgins <derekh at redhat.com> wrote:
>>      - setup passwordless sudo or
>> Doesn't sound like a super awesome option to me, it places an ugly
>> security problem on anyone wanting to set this up anywhere, imo.
> I don't think it's any worse than the security implications of running
> di-b as root.
> Assuming I interpreted this option correctly, we're talking about giving
> some user blanket passwordless sudo, which seems like the kind of
> requirement that no sane sysadmin is going to be interested in granting
> without some seriously onerous precautions to protect against abuse/exploit.
> What's the advantage here over simply fixing di-b to work when invoked
> with sudo?

Yes, I am talking about giving a user blanket passwordless sudo. I don't
think any sane sysadmin would give any users the ability to run di-b on a
Host that has any purpose other than to build images, so I am basically
saying that we should be using sudo inside di-b not as a security
measure but more as a measure to protect the Host machine against
problems with buggy code. Running di-b with sudo would remove any
protection provided by the need to explicitly state when a command
requires root.

This all looks like we are taking our current setup with a sudoers file
and making it less secure but our current sudoers file lets me do all
kinds of things e.g.

[stack at fido derekh]$ sudo head -n 1 /etc/shadow
[sudo] password for stack:

[stack at fido derekh]$ echo "ALL ALL=(root) NOPASSWD: ALL" | sudo /bin/dd

[stack at fido derekh]$ sudo head -n 1 /etc/shadow

which only gives people an incorrect sense of security.


> -- 
> Cheers,
> Chris
> _______________________________________________
> OpenStack-dev mailing list
> OpenStack-dev at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
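As an added example (not code from disk-image-builder or from either poster), the following script audits sudoers rules for the weakness the session above demonstrates: a rule that permits a program which can write arbitrary files (such as `dd` or `tee` with no argument restriction) or that spawns a shell is effectively unrestricted root, and `NOPASSWD` removes the last prompt in the way. The command lists, the parsing shape and the sample sudoers fragment are constructed assumptions for illustration; the parser handles the common `who host=(runas) TAGS: commands` form and skips `Defaults`, aliases and includes.

```python
"""Audit sudoers rules for entries that amount to unrestricted root.

Added example, not from disk-image-builder. Assumes the common
"who host=(runas) TAGS: cmd, cmd" rule shape; Defaults, *_Alias and
@include lines are ignored, and "!" exclusions are not modelled.
"""
import re

# Programs that can be pointed at any file when no arguments are fixed
# (constructed list; extend for your own environment).
BROAD_WRITE_COMMANDS = {"dd", "tee", "cp", "mv", "install", "chmod", "chown"}
# Programs that hand out an interactive root shell or an editor escape.
SHELL_LIKE_COMMANDS = {"sh", "bash", "dash", "zsh", "su", "env", "vi", "vim",
                       "less", "more"}

RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\))?\s*(?P<rest>.+)$"
)


def parse_rule(line):
    """Return (user, host, runas, tags, commands) or None for non-rule lines."""
    line = line.split("#", 1)[0].strip()          # drop comments and blanks
    if not line or line.startswith(("Defaults", "@")) or "Alias" in line.split()[0]:
        return None
    m = RULE_RE.match(line)
    if not m:
        return None
    rest = m.group("rest")
    tags = set()
    # Tags such as "NOPASSWD:" sit between the runas spec and the command list.
    while True:
        tm = re.match(r"^([A-Z]+):\s*", rest)
        if not tm:
            break
        tags.add(tm.group(1))
        rest = rest[tm.end():]
    commands = [c.strip() for c in rest.split(",") if c.strip()]
    return m.group("user"), m.group("host"), m.group("runas") or "root", tags, commands


def audit(line):
    """Return a list of (finding, command) pairs for one sudoers line."""
    parsed = parse_rule(line)
    if parsed is None:
        return []
    _user, _host, _runas, tags, commands = parsed
    findings = []
    for cmd in commands:
        if cmd.startswith("!"):                   # exclusions are not analysed
            continue
        words = cmd.split()
        prog = words[0]
        base = prog.rsplit("/", 1)[-1]
        if prog == "ALL":
            findings.append(("unrestricted", cmd))
        elif base in SHELL_LIKE_COMMANDS:
            findings.append(("shell-escape", cmd))
        elif base in BROAD_WRITE_COMMANDS and len(words) == 1:
            # No argument restriction: the program may target any path.
            findings.append(("arbitrary-file-write", cmd))
    if findings and "NOPASSWD" in tags:
        findings = [(kind + "+nopasswd", cmd) for kind, cmd in findings]
    return findings


def audit_file(text):
    """Map each offending rule line to its findings."""
    report = {}
    for line in text.splitlines():
        for kind, cmd in audit(line):
            report.setdefault(line.strip(), []).append((kind, cmd))
    return report


# Constructed sample resembling a narrow-looking build-host fragment.
SAMPLE_SUDOERS = """\
# build host sudoers fragment (constructed sample)
Defaults env_reset
stack ALL=(root) NOPASSWD: /bin/dd, /usr/bin/tee
stack ALL=(root) NOPASSWD: /sbin/losetup -f *, /bin/mount
builder ALL=(root) /usr/bin/dd if=/dev/zero of=/var/tmp/image.raw
ops ALL=(ALL) ALL
"""

if __name__ == "__main__":
    for rule, findings in audit_file(SAMPLE_SUDOERS).items():
        print(rule)
        for kind, cmd in findings:
            print("    %-28s %s" % (kind, cmd))
```

The point the script makes concrete is the one in the session above: the `stack` rule for `/bin/dd` is flagged even though it names a single program, while the `builder` rule that pins `dd` to a fixed argument string is not, and `ops ALL=(ALL) ALL` is reported as what it is. Run it over the fragments in `/etc/sudoers.d/` on a build host to see which "restricted" entries are really unrestricted.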
