rootwrap should not load all installed rules
Bug #1014812 reported by
Mark McLoughlin
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| OpenStack Compute (nova) |
Invalid
|
Undecided
|
Unassigned | ||
Bug Description
I've just realized that part of the security model for rootwrap is that e.g. the compute rules should not be installed on the API server.
A basic rule of packaging - at least on Fedora - is that installing a package shouldn't change the configuration of the system. You might have all services installed on an API server, but only the API service running, and that should not mean that the API service has permission to run all commands allowed for other services.
Also, even if you have multiple services running on the one, that shouldn't mean that those services share the same rules.
Basically, I think the invocation of rootwrap should specify which services' rules to load.
| description: | updated |
Revision history for this message
| Thierry Carrez (ttx) wrote | #1 |
| Changed in nova: | |
| status: | New → Invalid |
Revision history for this message
| Thierry Carrez (ttx) wrote | #2 |
Revision history for this message
| Mark McLoughlin (markmc) wrote | #3 |
To post a comment you must log in.
I see your point (on a api+compute node you should not allow nova-api to run chown as root), however this is not rootwrap fault.
Rootwrap controls how you can escalate from the nova user to the root user. If on that host, you allow the nova user to run chown as root (for nova-compute) then nova-api will be able to do it just the same. If you run the two services on the same machine under the same user, they will share their escalation rights. It's not a question of which rules to load (you can't trust the invocator to specify that !).
The only way to give different escalation rights to two services on the same machine is to run them under different users. So nova-api would run under the nova-api user, and nova-compute would run under the nova-compute user, and your sudoers would only let sudo nova-rootwrap to be called by nova-compute, pointing to the directory that contains only compute.ini filters. So the rootwrap framework fully supports it, it's just that packaging doesn't set it up that way.
I'm not sure the complexity that would introduce is actually worth the trade-off, but that's a distribution choice. You should also check that Nova actually supports running under separate users right now. In all cases, nova-rootwrap fully supports it: the packaging just needs to make it so.
Closing as Invalid, but feel free to reopen if you think I'm wrong or if my explanation is not clear.