[ https://issues.apache.org/jira/browse/CLOUDSTACK-967?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13575736#comment-13575736 ]
Rohit Yadav commented on CLOUDSTACK-967:
----------------------------------------

Holy hazard, we need to fix it. Maybe make the folders/files/paths writable for the user 'cloud'?

> security hazard: passwordless root sudo for cloud user
> ------------------------------------------------------
>
> Key: CLOUDSTACK-967
> URL: https://issues.apache.org/jira/browse/CLOUDSTACK-967
> Project: CloudStack
> Issue Type: Improvement
> Security Level: Public (Anyone can view this level - this is the default.)
> Reporter: Noa Resare
> Labels: security
>
> When running the setup-cloud-management program, it installs a terrible entry
> in the file /etc/sudoers:
>
> cloud ALL =NOPASSWD : ALL
>
> To the uninitiated: this means that the user 'cloud' can become root without
> supplying a password via the sudo facility.
>
> This is obviously very, very bad from a security perspective. Any security
> vulnerability where an attacker (remote or local) can trick the cloudstack
> server component to execute arbitrary tasks immediately escalates into root
> access.
>
> Let's figure out what permissions cloudstack actually needs and fix this.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
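Added example, not code from the CloudStack project or from this thread: a POSIX sh audit that flags sudoers entries granting passwordless ALL (the pattern quoted in the report, whatever the spacing around '=' and ':') and shows a scoped entry that passes. The 'ops' and 'backup' sample entries and the placeholder command path are assumptions.

```shell
#!/bin/sh
# Added example, not CloudStack project code: audit sudoers content for entries
# that grant NOPASSWD on ALL commands (the pattern from CLOUDSTACK-967), tolerant
# of the odd spacing around '=' and ':' shown in the report.

# Constructed sample of an /etc/sudoers file; the 'ops' and 'backup' entries are
# assumptions added to show a canonically spaced hit and a scoped non-hit.
SAMPLE_SUDOERS='# constructed sample, not a real host file
root    ALL=(ALL) ALL
cloud ALL =NOPASSWD : ALL
ops     ALL=(ALL) NOPASSWD: ALL
backup  ALL=(root) NOPASSWD: /usr/bin/rsync'

# The same file after narrowing 'cloud' to one command. The path is a
# placeholder; the real command list is what the issue asks to work out.
RESTRICTED_SUDOERS='root    ALL=(ALL) ALL
cloud   ALL=(root) NOPASSWD: /path/to/specific-command'

# Print each offending line (original text) and return 1 if any was found,
# 0 if the content is clean, so it can gate a configuration check.
find_unrestricted_nopasswd() {
    printf '%s\n' "$1" | awk '
        {
            line = $0
            sub(/#.*/, "", line)                 # strip comments
            if (line !~ /NOPASSWD/) next         # entries that still prompt are not the issue
            norm = line
            gsub(/[ \t]*=[ \t]*/, "=", norm)     # "ALL =NOPASSWD"  -> "ALL=NOPASSWD"
            gsub(/[ \t]*:[ \t]*/, ":", norm)     # "NOPASSWD : ALL" -> "NOPASSWD:ALL"
            # user  host-list=[(runas)] NOPASSWD: ALL  and nothing else on the line
            if (norm ~ /^[^ \t]+[ \t]+[^=]+=(\([^)]*\)[ \t]*)?NOPASSWD:[ \t]*ALL[ \t]*$/) {
                print $0
                found = 1
            }
        }
        END { exit found ? 1 : 0 }'
}

# Convenience wrapper for a real host (read-only; opening /etc/sudoers needs root).
audit_sudoers_file() {
    find_unrestricted_nopasswd "$(cat "${1:-/etc/sudoers}")"
}

# Demonstration on the constructed samples (safe under 'set -e').
find_unrestricted_nopasswd "$SAMPLE_SUDOERS" || echo "entries above must be scoped to specific commands"
find_unrestricted_nopasswd "$RESTRICTED_SUDOERS" && echo "restricted sample: clean"
```

Run `audit_sudoers_file /path/to/sudoers` against a copied file to check a host; a non-zero return means at least one user can become root for any command without a password.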