[Openstack] extending rootwrap securely
    Andrew Bogott 
    abogott at wikimedia.org
       
    Mon Apr 30 14:39:33 UTC 2012
    
    
  
On 4/30/12 2:35 AM, Vaze, Mandar wrote:
>>   did the nova user /already/ have root access?
> nova-rootwrap uses "sudo" to execute certain commands that require root access.
> So yes, nova user already has root access via sudo. You can check /etc/sudoers file.
>
It sounds like you are saying nova-rootwrap calls sudo.  That's the 
opposite of my understanding; my sudoers file has an entry that permits 
running nova-rootwrap /as/ root.  That makes me think that we're only 
relying on sudo to the extent that it permits the running of rootwrap as 
root, and after that we're depending entirely on rootwrap to limit 
command access.
Am I missing something?
    
    