[openstack-dev] [tripleo] removing sudoers.d rules from disk-image-builder

Derek Higgins derekh at redhat.com
Thu Jul 25 13:20:36 UTC 2013


On 25/07/13 09:41, Chris Jones wrote:
> Hi
> 
> On 24 July 2013 22:18, Derek Higgins <derekh at redhat.com
> <mailto:derekh at redhat.com>> wrote:
>>      - setup passwordless sudo or
>> Doesn't sound like a super awesome option to me, it places an ugly
>> security problem on anyone wanting to set this up anywhere, imo.
> 
> I don't think it's any worse than the security implications of running
> di-b as root.
> 
> Assuming I interpreted this option correctly, we're talking about giving
> some user blanket passwordless sudo, which seems like the kind of
> requirement that no sane sysadmin is going to be interested in granting
> without some seriously onerous precautions to protect against abuse/exploit.
> 
> What's the advantage here over simply fixing di-b to work when invoked
> with sudo?

Yes, I am talking about giving a user blanket passwordless sudo. I don't
think any sane sysadmin would give any user the ability to run di-b on a
host that has any purpose other than to build images, so I am basically
saying that we should be using sudo inside di-b not as a security
measure but more as a measure to protect the host machine against
problems with buggy code. Running di-b with sudo would remove any
protection provided by the need to explicitly state when a command
requires root.

This all looks like we are taking our current setup with a sudoers file
and making it less secure, but our current sudoers file lets me do all
kinds of things, e.g.

[stack at fido derekh]$ sudo head -n 1 /etc/shadow
[sudo] password for stack:

[stack at fido derekh]$ echo "ALL ALL=(root) NOPASSWD: ALL" | sudo /bin/dd
of=/tmp/image.JZH7Krvy/mnt/../../../etc/sudoers.d/letmedoanything

[stack at fido derekh]$ sudo head -n 1 /etc/shadow
root:$6$<snip/>:15827:0:99999:7:::

which only gives people an incorrect sense of security.

Thanks,
Derek.

> 
> 
> -- 
> Cheers,
> 
> Chris
> 

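The session above shows why a sudoers rule that lets dd write to any "of=" path under the image mount is not a boundary at all: "../" walks straight out to /etc/sudoers.d. The containment check below is an added example, not diskimage-builder's code; the names IMAGE_MOUNT, is_within_root and check_dd_target are assumed, and the mount path is taken from the session.

```python
import os

# Constructed example root: the image mount directory seen in the session.
IMAGE_MOUNT = "/tmp/image.JZH7Krvy/mnt"


def is_within_root(path: str, allowed_root: str) -> bool:
    """True only if `path`, after '..' and symlink resolution, lies strictly
    inside `allowed_root`. A plain string-prefix test is not enough: it
    would accept '/tmp/image.JZH7Krvy/mnt-other' and ignores '..' entirely."""
    root = os.path.realpath(allowed_root)
    target = os.path.realpath(path)
    try:
        # commonpath compares whole path components, so a sibling directory
        # that merely shares a prefix is rejected; target == root is also
        # rejected because the mount point itself is never a valid output file.
        return os.path.commonpath([root, target]) == root and target != root
    except ValueError:  # mixed absolute/relative paths
        return False


def check_dd_target(dd_args: list, allowed_root: str = IMAGE_MOUNT) -> bool:
    """Decide whether a dd argument list (as a sudo-gated wrapper would see
    it) may run: exactly one 'of=' operand, and it must stay inside the
    image mount. Any other shape is refused rather than guessed at."""
    outputs = [a[len("of="):] for a in dd_args if a.startswith("of=")]
    if len(outputs) != 1:
        return False
    return is_within_root(outputs[0], allowed_root)
```

Even with this check, a wrapper that validates a path and then runs dd as root is still racy: a symlink swapped in between the check and the write lands the data elsewhere. The check narrows the hole; it does not make root-level dd on a user-chosen path safe.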