[openstack-dev] [neutron][rootwrap] Performance considerations, sudo?

Thierry Carrez thierry at openstack.org
Fri Mar 21 13:39:38 UTC 2014


Sean Dague wrote:
> Sounds great. One of the things I hope happens with this is a look at
> some place rootwrap is used with such an open policy, that it's
> completely moot. For instance the nova-cpu policy includes tee & dd with
> no arg limitting (which has been that way forever from my look in git
> annotate)
> 
> Which is basically game over.

n-cpu is not the only component where the use of rootwrap doesn't
actually provide additional security... I'll leave as an exercise to the
reader to find the other ones :)

> So in the nova-cpu case I really think we should remove rootwrap as it's
> got to do so many things as root that being a limitted user really isn't
> an option.

The original idea was to have the framework in place to address those
issues: notice abusive commands in filter definitions, and either find a
way to filter them in an efficient way (the way we addressed the kill
calls for example), or adapt the code so that it doesn't need such
commands (like, say, removing file injection altogether).

The trick is, despite multiple sessions on the subject (one at every
summit since the dawn of time) this big review/fix effort hasn't
magically happened :) In some cases we even regressed (re-addition of
blind 'cat' CommandFilter while we have a specific ReadFileFilter).

I still think we are in a better starting place forcing those calls
through inefficient rootwrap rules -- at least we know which those calls
are and we have the framework ready to help in further restricting them
(RegExpFilter anyone ?). But the issue is the current rootwrap gives a
false sense of security. People just add filter rules for their commands
and call their security work done. It's *not* done. It's a continuing
process to make sure you don't have insecure rules, improve them or
rewrite the code so that it doesn't need them. Most CommandFilter rules
can be abused, and they still represent something like 95% of the
filters :) I'm not sure how to better communicate that rootwrap is not
the end, it's just the beginning.

As a final note, the best solution is not "better rootwrap filters". the
best solution is solid design that doesn't require running anything as
root. So components without run_as_root calls should really stay that
way. And components with a couple of rootwrap rules should seriously
look into removing the need for them.

Cheers,

-- 
Thierry Carrez (ttx)

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 901 bytes
Desc: OpenPGP digital signature
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20140321/fa799cec/attachment.pgp>


More information about the OpenStack-dev mailing list