In Manila, we've discussed migrating off rootwrap to privsep, and are yet to find an owner to complete that work. We'll hopefully do that soon. However, I agree this bug is wide open. We'll use a different tracker to call out the tasks to deprecate the usage of rootwrap.
** Changed in: manila
   Status: Incomplete => Invalid

--
You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1700501

Title:
  Insecure rootwrap usage

Status in Cinder:
  New
Status in OpenStack Shared File Systems Service (Manila):
  Invalid
Status in OpenStack Compute (nova):
  Incomplete
Status in OpenStack Security Advisory:
  Won't Fix

Bug description:
  Reported by Benjamin Deuter of SUSE:

  Some rootwrap filters are too permissive and allow privilege escalation from the service user, as explained here:

  https://security.openstack.org/guidelines/dg_use-oslo-rootwrap-securely.html#incorrect

  For example this shouldn't be authorized:

  sudo nova-rootwrap /etc/nova/rootwrap.conf chmod 777 /etc/shadow

To manage notifications about this bug go to:
https://bugs.launchpad.net/cinder/+bug/1700501/+subscriptions
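To make the bug concrete, here is an added example (not from the bug report, and not oslo.rootwrap's own code) that models how rootwrap filter lines decide whether a command is allowed, using a bare `CommandFilter` for chmod next to a tightened `RegExpFilter`. The matching rules are a simplified reconstruction of the documented behaviour of those two filter classes, and the allowed directory `/var/lib/nova/instances/` is an assumed example path.

```python
import os
import re

# Constructed .filters lines: "name: FilterClass, executable, run_as, args...".
# A CommandFilter only checks the executable name, so any arguments pass.
WEAK_FILTERS = """
chmod: CommandFilter, chmod, root
"""

# Hardened form (assumed policy): each argument must fully match its regex,
# so only a four-digit octal mode on files under the service directory passes.
HARDENED_FILTERS = """
chmod: RegExpFilter, /bin/chmod, root, chmod, 0[0-7]{3}, /var/lib/nova/instances/.*
"""


def parse_filters(text):
    """Return (name, kind, exec_path, run_as, args) tuples from a filters blob."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, spec = line.split(":", 1)
        fields = [f.strip() for f in spec.split(",")]
        kind, exec_path, run_as, args = fields[0], fields[1], fields[2], fields[3:]
        entries.append((name.strip(), kind, exec_path, run_as, args))
    return entries


def filter_matches(kind, exec_path, args, userargs):
    """Simplified model: CommandFilter ignores args, RegExpFilter anchors each one."""
    if not userargs or os.path.basename(exec_path) != userargs[0]:
        return False
    if kind == "CommandFilter":
        return True
    if kind == "RegExpFilter":
        # Same arity as the filter, and every pattern anchored at both ends.
        return len(args) == len(userargs) and all(
            re.match(pat + "$", arg) for pat, arg in zip(args, userargs))
    raise ValueError("unsupported filter kind: %s" % kind)


def is_permitted(filters_text, userargs):
    """True if any filter line would let rootwrap run `userargs` as root."""
    return any(filter_matches(kind, exec_path, args, userargs)
               for _name, kind, exec_path, _run_as, args in parse_filters(filters_text))
```

Regular expressions do not canonicalize paths, so for path arguments the guideline's `PathFilter` (which compares the resolved path against an allowed prefix) is the better choice than a regex over the raw string.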