[openstack-dev] [tripleo][tripleoclient] No more global sudo for "stack" on the undercloud

Cédric Jeanneret cjeanner at redhat.com
Tue Jun 5 14:44:03 UTC 2018


Hello guys!

I'm currently working on python-tripleoclient in order to squash the
dreadful "NOPASSWD:ALL" allowed to the "stack" user.

The start was an issue with the rights on some files being wrong (owner
by root instead of stack, in stack home). After some digging and poking,
it appears the undercloud deployment is called with a "sudo openstack
tripleo deploy" command - this, of course, creates some major issues
regarding both security and right management.

I see a couple of ways to correct that bad situation:
- let the global "sudo" call, and play with setuid/setgid when we
actually don't need the root access (as it's mentioned in this comment¹)

- drop that global sudo call, and replace all the necessary calls by
some "sudo" when needed. This involves the replacement of native python
code, like "os.mkdir" and the like.

The first one isn't a solution - code maintenance will not be possible,
having to thing "darn, os.setuid() before calling that, because I don't
need root" is the current way, and it just doesn't apply.

So I started the second one. It's, of course, longer, not really nice
and painful, but at least this will end to a good status, and not so bad
solution.

This also meets the current work of the Security Squad about "limiting
sudo rights and accesses".

For now I don't have a proper patch to show, but it will most probably
appear shortly, as a Work In Progress (I don't think it will be
mergeable before some time, due to all the constraints we have regarding
version portability, new sudoer integration and so on).

I'll post the relevant review link as an answer of this thread when I
have something I can show.

Cheers,

C.


¹
https://github.com/openstack/python-tripleoclient/blob/master/tripleoclient/v1/tripleo_deploy.py#L827-L829


-- 
Cédric Jeanneret
Software Engineer
DFG:DF

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20180605/84d8738c/attachment.sig>


More information about the OpenStack-dev mailing list