[openstack-dev] [tripleo][tripleoclient] No more global sudo for "stack" on the undercloud

Cédric Jeanneret cjeanner at redhat.com
Wed Jun 6 04:23:48 UTC 2018



On 06/05/2018 06:08 PM, Luke Hinds wrote:
> 
> 
> On Tue, Jun 5, 2018 at 3:44 PM, Cédric Jeanneret <cjeanner at redhat.com> wrote:
> 
>     Hello guys!
> 
>     I'm currently working on python-tripleoclient in order to squash the
>     dreadful "NOPASSWD:ALL" allowed to the "stack" user.
> 
>     The start was an issue with the rights on some files being wrong (owned
>     by root instead of stack, in stack home). After some digging and poking,
>     it appears the undercloud deployment is called with a "sudo openstack
>     tripleo deploy" command - this, of course, creates some major issues
>     regarding both security and right management.
> 
>     I see a couple of ways to correct that bad situation:
>     - keep the global "sudo" call, and play with setuid/setgid when we
>     actually don't need the root access (as it's mentioned in this comment¹)
> 
>     - drop that global sudo call, and replace all the necessary calls by
>     some "sudo" when needed. This involves the replacement of native python
>     code, like "os.mkdir" and the like.
> 
>     The first one isn't a solution - code maintenance will not be possible,
>     having to think "darn, os.setuid() before calling that, because I don't
>     need root" is the current way, and it just doesn't apply.
> 
>     So I started the second one. It's, of course, longer, not really nice
>     and painful, but at least this will end in a good state, and a not-so-bad
>     solution.
> 
>     This also meets the current work of the Security Squad about "limiting
>     sudo rights and accesses".
> 
>     For now I don't have a proper patch to show, but it will most probably
>     appear shortly, as a Work In Progress (I don't think it will be
>     mergeable before some time, due to all the constraints we have regarding
>     version portability, new sudoer integration and so on).
> 
>     I'll post the relevant review link as an answer of this thread when I
>     have something I can show.
> 
>     Cheers,
> 
>     C.
> 
> 
> Hi Cédric,

Hello Luke,

> 
> Pleased to hear you are willing to take this on.

Well, we have to ;).

> 
> It makes sense we should co-ordinate efforts here as I have been looking
> at the same item, but planned to start with heat-admin over on the
> overcloud.

yep, took part in some discussions already.

> 
> Due to the complexity / level of coverage in the use of sudo, it makes
> sense to have a spec where we can then get community consensus on the
> approach selected. This is important as it looks like we will need to
> have some sort of white list to maintain and make considerations around
> functional test coverage in CI (in case someone writes something new
> wrapped in sudo).

For now, I'm trying to see what the extent is at the code level itself.
This also helps me understand the different things involved, and I am
also doing some archaeology in order to understand the current situation.

But indeed, we should push a spec/blueprint in order to get a good idea
of the task and open the discussion on a clear basis.

> 
> In regards to your suggested positions within python code such as the
> client, it's worth looking at oslo.privsep [1] where a decorator can be
> used for when needing to setuid.

hmm yep, have to understand how to use it - its doc is... well, kind of
sparse. Would be good to get examples.

> 
> Let's discuss this also in the squad meeting tomorrow and try to
> synergize approach for all tripleo nix accounts.

You can ping me on #tripleo - I go there by Tengu nick. I'm CET (so
yeah, already up'n'running ;)).

Cheers,

C.

> 
> [1] https://github.com/openstack/oslo.privsep
> 
> Cheers,
> 
> Luke
> 
> 
>     ¹
>     https://github.com/openstack/python-tripleoclient/blob/master/tripleoclient/v1/tripleo_deploy.py#L827-L829
> 
> 
>     -- 
>     Cédric Jeanneret
>     Software Engineer
>     DFG:DF
> 
> 
>     __________________________________________________________________________
>     OpenStack Development Mailing List (not for usage questions)
>     Unsubscribe:
>     OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
>     http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
> 
> 
> 
> 

-- 
Cédric Jeanneret
Software Engineer
DFG:DF
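What the second option in the thread looks like in practice (drop the global "sudo openstack tripleo deploy", escalate only for the few operations that need root) together with the maintained whitelist Luke mentions. This is an added example, not code from python-tripleoclient or from either poster, and it uses plain sudo with a sudoers allow-list rather than oslo.privsep; the operation names, the /var/lib/tripleo-config prefix, the httpd.service unit and the generated sudoers lines are assumptions chosen for illustration.

```python
"""Escalate only for an allow-list of operations instead of running the whole
undercloud deploy as "sudo openstack tripleo deploy".

Added example, not python-tripleoclient code: the operation names, the
/var/lib/tripleo-config prefix, the httpd.service unit and the generated
sudoers lines are assumptions chosen for illustration.
"""
import os
import subprocess

# Assumed: the only tree the deploy is allowed to create directories in as root.
ROOT_OWNED_PREFIX = "/var/lib/tripleo-config"
# Assumed: the units the deploy may restart.
ALLOWED_UNITS = ("httpd.service",)


def _under_prefix(path):
    # normpath first, so "/var/lib/tripleo-config/../../../etc" is rejected and
    # "/var/lib/tripleo-configX" does not slip past a naive startswith() check.
    real = os.path.normpath(path)
    return real == ROOT_OWNED_PREFIX or real.startswith(ROOT_OWNED_PREFIX + "/")


# Each operation has a fixed argv head (absolute executable, fixed options),
# the sudoers patterns its variable tail may take, and an in-process check
# that runs before any shell-out.
PRIVILEGED_OPS = {
    "mkdir": {
        "argv": ("/usr/bin/install", "-d", "-m", "0750"),
        "sudoers": (ROOT_OWNED_PREFIX + "/*",),
        "check": lambda a: len(a) == 1 and _under_prefix(a[0]),
    },
    "restart": {
        "argv": ("/usr/bin/systemctl", "restart"),
        "sudoers": ALLOWED_UNITS,
        "check": lambda a: len(a) == 1 and a[0] in ALLOWED_UNITS,
    },
}


def is_allowed(op, *args):
    """True when `op` with this tail passes the in-process allow-list."""
    spec = PRIVILEGED_OPS.get(op)
    return spec is not None and spec["check"](list(args))


def privileged_argv(op, *args):
    """Return the argv to run `op` through sudo, or raise PermissionError.

    -n fails at once instead of prompting when no sudoers rule matches, and
    "--" keeps sudo from interpreting the command's own options.
    """
    if not is_allowed(op, *args):
        raise PermissionError("refusing to escalate: %s %s" % (op, list(args)))
    return ["sudo", "-n", "--", *PRIVILEGED_OPS[op]["argv"], *args]


def plan_mkdir(path, can_write=lambda d: os.access(d, os.W_OK)):
    """Decide how to create `path` without running anything.

    Plain os.makedirs when the nearest existing ancestor is writable by the
    current user (so files in stack's home stay owned by stack), sudo only
    otherwise. Returns ("local", path) or ("sudo", argv).
    """
    ancestor = os.path.normpath(path)
    while not os.path.isdir(ancestor):
        parent = os.path.dirname(ancestor)
        if parent == ancestor:
            break
        ancestor = parent
    if can_write(ancestor):
        return ("local", path)
    return ("sudo", privileged_argv("mkdir", path))


def run_mkdir(path):
    """Execute the plan: no sudo on the common path, sudo only when required."""
    kind, target = plan_mkdir(path)
    if kind == "local":
        os.makedirs(target, mode=0o750, exist_ok=True)
    else:
        subprocess.run(target, check=True)


def sudoers_fragment(user="stack"):
    """Render the sudoers rules implied by PRIVILEGED_OPS, so the allow-list in
    code and the one on disk come from one source (validate the result with
    `visudo -c -f <file>` before installing it under /etc/sudoers.d).

    Caveat: a sudoers "*" also matches whitespace, so the mkdir rule below
    would accept extra arguments appended after the path; the in-process
    check is what actually bounds the tail. Where the tail is fixed, spell
    it out rather than using "*".
    """
    lines = []
    for spec in PRIVILEGED_OPS.values():
        head = " ".join(spec["argv"])
        for tail in spec["sudoers"]:
            lines.append("%s ALL=(root) NOPASSWD: %s %s" % (user, head, tail))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(sudoers_fragment())
    print(plan_mkdir(os.path.expanduser("~/.tripleo")))
    print(plan_mkdir(ROOT_OWNED_PREFIX + "/puppet", can_write=lambda d: False))
```

The decision and the escalation are kept separate (plan_mkdir returns what it would do) so that CI can assert on the exact sudo invocations a code path produces, which is the functional test coverage the thread asks for when someone wraps something new in sudo.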

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20180606/7f285770/attachment.sig>

