On 25/07/13 09:41, Chris Jones wrote:
> Hi
>
> On 24 July 2013 22:18, Derek Higgins <der...@redhat.com
> <mailto:der...@redhat.com>> wrote:
>> - setup passwordless sudo or
>> Doesn't sound like a super awesome option to me, it places an ugly
>> security problem on anyone wanting to set this up anywhere, imo.
>
> I don't think it's any worse than the security implications of running
> di-b as root.
>
> Assuming I interpreted this option correctly, we're talking about giving
> some user blanket passwordless sudo, which seems like the kind of
> requirement that no sane sysadmin is going to be interested in granting
> without some seriously onerous precautions to protect against abuse/exploit.
>
> What's the advantage here over simply fixing di-b to work when invoked
> with sudo?

Yes, I am talking about giving a user blanket passwordless sudo. I don't think any sane sysadmin would give any user the ability to run di-b on a host that has any purpose other than to build images, so I am basically saying that we should be using sudo inside di-b not as a security measure but more as a measure to protect the host machine against problems with buggy code. Running di-b with sudo would remove any protection provided by the need to explicitly state when a command requires root.

This all looks like we are taking our current setup with a sudoers file and making it less secure, but our current sudoers file lets me do all kinds of things, e.g.

[stack@fido derekh]$ sudo head -n 1 /etc/shadow
[sudo] password for stack:
[stack@fido derekh]$ echo "ALL ALL=(root) NOPASSWD: ALL" | sudo /bin/dd of=/tmp/image.JZH7Krvy/mnt/../../../etc/sudoers.d/letmedoanything
[stack@fido derekh]$ sudo head -n 1 /etc/shadow
root:$6$<snip/>:15827:0:99999:7:::

which only gives people an incorrect sense of security.

Thanks,
Derek.

> --
> Cheers,
>
> Chris
>
> _______________________________________________
> OpenStack-dev mailing list
> OpenStack-dev@lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
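As an added illustration (not code from the thread or from diskimage-builder), the check that a sudo wrapper around dd could apply so that the sudoers rule only permits writes under the image mount directory: the of= target is resolved, which collapses the `../../..` shown in the session above, and refused unless it stays below the mount. The wrapper, its function names and the sample paths are assumptions.

```python
import os

# Hypothetical guard for a sudo-exposed dd wrapper (not diskimage-builder
# code): of= may only point inside the image mount directory. Paths are
# resolved with os.path.realpath, so both "../" components and symlinks
# are collapsed before the prefix comparison.


def dd_output_path(argv):
    """Return the of= target of a dd argument list, or None if absent."""
    for arg in argv:
        if arg.startswith("of="):
            return arg[len("of="):]
    return None


def is_inside(path, allowed_root):
    """True only if the resolved path is allowed_root or lies below it."""
    root = os.path.realpath(allowed_root)
    target = os.path.realpath(path)
    # Compare with a trailing separator so "/mnt2/x" does not match "/mnt".
    return target == root or target.startswith(root + os.sep)


def check_dd_write(argv, allowed_root):
    """Decide whether this dd invocation may run as root.

    Refuses when there is no of= (dd would write to stdout, which the
    wrapper cannot vouch for) or when the output escapes allowed_root.
    """
    out = dd_output_path(argv)
    if out is None:
        return False
    return is_inside(out, allowed_root)


if __name__ == "__main__":
    # Constructed sample: the mount directory and the traversal target
    # from the session quoted in the mail above.
    mnt = "/tmp/image.JZH7Krvy/mnt"
    bad = ["dd", "of=/tmp/image.JZH7Krvy/mnt/../../../etc/sudoers.d/letmedoanything"]
    good = ["dd", "of=/tmp/image.JZH7Krvy/mnt/etc/hosts"]
    print("escape rejected:", not check_dd_write(bad, mnt))
    print("in-tree write allowed:", check_dd_write(good, mnt))
```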