quantum-debug ping-all does work with rootwrap enabled
Bug #1071110 reported by
Mark McClain
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| neutron |
Fix Released
|
Undecided
|
Nachi Ueno | ||
Bug Description
The quantum-debug ping-all does not have enough privileges when rootwrap is enabled.
There are two solutions:
EASY: Add /bin/ping and /bin/ping6 to the list of approved commands.
SECURE: Require that quantum-debug be invoked as the super user.
Requiring quantum-debug be invoked as the super user avoids having to expand filters to programs that would not be run during normal operations.
Revision history for this message
| Nachi Ueno (nati-ueno) wrote | #1 |
| Changed in quantum: | |
| assignee: | nobody → Nachi Ueno (nati-ueno) |
Revision history for this message
| Jeremy Hanmer (fzylogic) wrote | #2 |
| Changed in quantum: | |
| status: | New → Confirmed |
Revision history for this message
| OpenStack Infra (hudson-openstack) wrote Fix proposed to quantum (master) | #3 |
| Changed in quantum: | |
| status: | Confirmed → In Progress |
Revision history for this message
| Nachi Ueno (nati-ueno) wrote | #4 |
Revision history for this message
| OpenStack Infra (hudson-openstack) wrote Fix merged to quantum (master) | #5 |
| Changed in quantum: | |
| status: | In Progress → Fix Committed |
| Changed in quantum: | |
| milestone: | none → grizzly-2 |
| status: | Fix Committed → Fix Released |
| Changed in quantum: | |
| milestone: | grizzly-2 → 2013.1 |
To post a comment you must log in.
Hi Mark
I'm going to remove probe-exec command, and I would like to add ping or nc to approved command.
probe-exec command will show only exec command.
Is this make sense?