[openstack-dev] [tripleo][tripleoclient] No more global sudo for "stack" on the undercloud

Luke Hinds lhinds at redhat.com
Tue Jun 5 16:08:20 UTC 2018


On Tue, Jun 5, 2018 at 3:44 PM, Cédric Jeanneret <cjeanner at redhat.com>
wrote:

> Hello guys!
>
> I'm currently working on python-tripleoclient in order to squash the
> dreadful "NOPASSWD:ALL" allowed to the "stack" user.
>
> The start was an issue with the rights on some files being wrong (owner
> by root instead of stack, in stack home). After some digging and poking,
> it appears the undercloud deployment is called with a "sudo openstack
> tripleo deploy" command - this, of course, creates some major issues
> regarding both security and rights management.
>
> I see a couple of ways to correct that bad situation:
> - let the global "sudo" call, and play with setuid/setgid when we
> actually don't need the root access (as it's mentioned in this comment¹)
>
> - drop that global sudo call, and replace all the necessary calls by
> some "sudo" when needed. This involves the replacement of native python
> code, like "os.mkdir" and the like.
>
> The first one isn't a solution - code maintenance will not be possible,
> having to think "darn, os.setuid() before calling that, because I don't
> need root" is the current way, and it just doesn't apply.
>
> So I started the second one. It's, of course, longer, not really nice
> and painful, but at least this will end in a good status, and not so bad
> a solution.
>
> This also meets the current work of the Security Squad about "limiting
> sudo rights and accesses".
>
> For now I don't have a proper patch to show, but it will most probably
> appear shortly, as a Work In Progress (I don't think it will be
> mergeable before some time, due to all the constraints we have regarding
> version portability, new sudoer integration and so on).
>
> I'll post the relevant review link as an answer of this thread when I
> have something I can show.
>
> Cheers,
>
> C.
>
>
Hi Cédric,

Pleased to hear you are willing to take this on.

It makes sense we should co-ordinate efforts here as I have been looking at
the same item, but planned to start with heat-admin over on the overcloud.

Due to the complexity / level of coverage in the use of sudo, it makes
sense to have a spec where we can then get community consensus on the
approach selected. This is important as it looks like we will need to have
some sort of whitelist to maintain and make considerations around
functional test coverage in CI (in case someone writes something new
wrapped in sudo).

In regards to your suggested positions within python code such as the
client, it's worth looking at oslo.privsep [1] where a decorator can be used
for when needing to setuid.

Let's discuss this also in the squad meeting tomorrow and try to synergize
the approach for all tripleo nix accounts.

[1] https://github.com/openstack/oslo.privsep

Cheers,

Luke


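The pattern both messages circle around (Cédric's second option, elevating only the calls that need root, plus the whitelist Luke wants CI to be able to check), sketched as an added example; this is not python-tripleoclient code, and the command set, the "stack" sudoers rule and the injectable `runner` hook are assumptions:

```python
import subprocess

# Constructed allowlist (assumption, not the real undercloud command set):
# logical name -> absolute path. Only these may be elevated; anything else
# is refused in Python before sudo is ever executed.
PRIVILEGED_COMMANDS = {
    "chown": "/bin/chown",
    "mkdir": "/bin/mkdir",
    "systemctl": "/bin/systemctl",
}

class NotAllowlisted(PermissionError):
    """Raised for any command that is not on the allowlist."""

def build_argv(cmd, *args):
    """Return the exact argv handed to sudo for an allowlisted command.

    ``-n`` makes sudo fail instead of prompting when the sudoers rule is
    missing, which is the behaviour unattended deploy code needs.
    """
    if cmd not in PRIVILEGED_COMMANDS:
        raise NotAllowlisted(f"{cmd!r} is not an allowlisted privileged command")
    if not all(isinstance(a, str) for a in args):
        raise TypeError("arguments must be strings, not shell fragments")
    return ["sudo", "-n", "--", PRIVILEGED_COMMANDS[cmd], *args]

def privileged(cmd, *args, runner=subprocess.run):
    """Run one allowlisted command as root; ``runner`` is injectable for tests."""
    return runner(build_argv(cmd, *args), check=True, capture_output=True, text=True)

def ensure_dir_owned_by(path, user, group, runner=subprocess.run):
    """Replacement for a bare os.mkdir() that only worked because the whole
    client ran under sudo: just the two calls that need root are elevated,
    and the directory ends up owned by ``user`` instead of root."""
    privileged("mkdir", "-p", "--", path, runner=runner)
    privileged("chown", "--", f"{user}:{group}", path, runner=runner)

def sudoers_fragment(user="stack"):
    """Render the allowlist as the matching sudoers rule, so CI can diff it
    against the installed file and flag any new sudo wrapper not on the list.
    Caveat: a bare command path permits any arguments; where a command is
    root-equivalent (chown, systemctl), add sudoers argument patterns too."""
    cmds = ", ".join(PRIVILEGED_COMMANDS[k] for k in sorted(PRIVILEGED_COMMANDS))
    return f"{user} ALL=(root) NOPASSWD: {cmds}\n"
```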
> ¹ https://github.com/openstack/python-tripleoclient/blob/master/tripleoclient/v1/tripleo_deploy.py#L827-L829
>
>
> --
> Cédric Jeanneret
> Software Engineer
> DFG:DF
>
>