Sean Dague wrote:
> Sounds great. One of the things I hope happens with this is a look at
> some place rootwrap is used with such an open policy, that it's
> completely moot. For instance the nova-cpu policy includes tee & dd with
> no arg limiting (which has been that way forever from my look in git
> annotate)
>
> Which is basically game over.

n-cpu is not the only component where the use of rootwrap doesn't actually provide additional security... I'll leave as an exercise to the reader to find the other ones :)

> So in the nova-cpu case I really think we should remove rootwrap as it's
> got to do so many things as root that being a limited user really isn't
> an option.

The original idea was to have the framework in place to address those issues: notice abusive commands in filter definitions, and either find a way to filter them in an efficient way (the way we addressed the kill calls for example), or adapt the code so that it doesn't need such commands (like, say, removing file injection altogether).

The trick is, despite multiple sessions on the subject (one at every summit since the dawn of time) this big review/fix effort hasn't magically happened :) In some cases we even regressed (re-addition of blind 'cat' CommandFilter while we have a specific ReadFileFilter).

I still think we are in a better starting place forcing those calls through inefficient rootwrap rules -- at least we know which those calls are and we have the framework ready to help in further restricting them (RegExpFilter anyone?).

But the issue is the current rootwrap gives a false sense of security. People just add filter rules for their commands and call their security work done. It's *not* done. It's a continuing process to make sure you don't have insecure rules, improve them or rewrite the code so that it doesn't need them. Most CommandFilter rules can be abused, and they still represent something like 95% of the filters :) I'm not sure how to better communicate that rootwrap is not the end, it's just the beginning.

As a final note, the best solution is not "better rootwrap filters". The best solution is solid design that doesn't require running anything as root. So components without run_as_root calls should really stay that way. And components with a couple of rootwrap rules should seriously look into removing the need for them.

Cheers,

-- 
Thierry Carrez (ttx)
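The difference Thierry is pointing at (a bare CommandFilter that checks nothing but the program name, versus ReadFileFilter and RegExpFilter that make the arguments part of the match) can be shown with a small model of the three filter types. The code below is an added example written for this page; it is a simplified reimplementation of the matching semantics, not oslo.rootwrap's own code, and the sample [Filters] file, the match_command helper and the audit function are constructed for the illustration.

```python
"""Simplified model of three rootwrap filter types, used to show why a bare
CommandFilter rule constrains nothing but the program name.
Illustrative reimplementation only, not oslo.rootwrap's own code."""
import configparser
import os
import re

# Constructed sample filters file in rootwrap's [Filters] INI style.
# The rules are made up for this example; they are not a real nova policy.
SAMPLE_FILTERS = """\
[Filters]
# blind CommandFilter rules: only argv[0] is checked, any arguments pass
dd: CommandFilter, dd, root
tee: CommandFilter, tee, root
cat: CommandFilter, cat, root
# restrictive rules: the arguments are part of the match
read_passwd: ReadFileFilter, /etc/passwd
ls_proc: RegExpFilter, ls, root, ls, -l, /proc/[0-9]+
"""


class CommandFilter:
    """Matches when argv[0] equals the basename of exec_path; args ignored."""

    def __init__(self, name, exec_path, run_as, *args):
        self.name = name
        self.exec_path = exec_path
        self.run_as = run_as
        self.args = list(args)

    def match(self, userargs):
        return bool(userargs) and os.path.basename(self.exec_path) == userargs[0]


class RegExpFilter(CommandFilter):
    """Every argument (argv[0] included) must fully match its own regex."""

    def match(self, userargs):
        if len(userargs) != len(self.args):
            return False
        return all(re.fullmatch(pat, arg) for pat, arg in zip(self.args, userargs))


class ReadFileFilter(CommandFilter):
    """Only 'cat <one fixed path>' is allowed."""

    def __init__(self, name, file_path):
        super().__init__(name, "/bin/cat", "root")
        self.file_path = file_path

    def match(self, userargs):
        return userargs == ["cat", self.file_path]


FILTER_CLASSES = {
    "CommandFilter": CommandFilter,
    "RegExpFilter": RegExpFilter,
    "ReadFileFilter": ReadFileFilter,
}


def load_filters(text):
    """Parse a [Filters] section into filter objects, preserving file order."""
    parser = configparser.RawConfigParser()
    parser.read_string(text)
    filters = []
    for name, value in parser.items("Filters"):
        fields = [f.strip() for f in value.split(",")]
        filters.append(FILTER_CLASSES[fields[0]](name, *fields[1:]))
    return filters


def match_command(filters, userargs):
    """Return the name of the first filter that allows userargs, else None."""
    for flt in filters:
        if flt.match(userargs):
            return flt.name
    return None


def audit(filters):
    """Report rules that constrain nothing but the program name (the
    'call their security work done' pattern) and suggest a tighter type."""
    findings = {}
    for flt in filters:
        if type(flt) is CommandFilter:
            tighter = "ReadFileFilter" if os.path.basename(flt.exec_path) == "cat" else "RegExpFilter"
            findings[flt.name] = "unrestricted arguments; consider %s" % tighter
    return findings


if __name__ == "__main__":
    rules = load_filters(SAMPLE_FILTERS)
    for name, why in audit(rules).items():
        print("%s: %s" % (name, why))
```

Because rules are tried in file order, the blind `cat` rule shadows the `read_passwd` ReadFileFilter that sits below it, which is exactly the regression described in the message: remove the blind rule and only the one fixed path is reachable through `cat`.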