OpenStack Compute (nova)

Better filter around running kill as root

Bug #918226 reported by Thierry Carrez on 2012-01-18

6

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	OpenStack Compute (nova)	Fix Released	Wishlist	Thierry Carrez

Bug Description

Nova is allowed to run kill as root, to be allowed to stop/restart dnsmasq and radvd.
We should restrict what we allow the nova user to do as root to the strict minimum.

Revision history for this message

Zhongyue Luo (zyluo) wrote on 2012-01-18:

#1

It would be really nice if nova could be launched without any root privileges.

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2012-01-18: Fix proposed to nova (master)

#2

Fix proposed to branch: master
Review: https://review.openstack.org/3142

Revision history for this message

Thierry Carrez (ttx) wrote on 2012-01-19:

#3

Nova is already launched without any root privileges. But the nova user is allowed to call a set of commands as root. For more explanation see http://fnords.wordpress.com/2011/11/23/improving-nova-privilege-escalation-model-part-1/ and subsequent posts in this series.

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2012-01-23:

#4

Fix proposed to branch: master
Review: https://review.openstack.org/3299

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2012-01-23: Fix merged to nova (master)

#5

Reviewed: https://review.openstack.org/3299
Committed: http://github.com/openstack/nova/commit/c48fbe9843ea1f119e8183a761eea676c94d0992
Submitter: Jenkins
Branch: master

commit c48fbe9843ea1f119e8183a761eea676c94d0992
Author: Thierry Carrez <email address hidden>
Date: Mon Jan 23 14:02:23 2012 +0100

Add a specific filter for kill commands

    Use a specific KillFilter to restrict kill commands run as root.
    This implementation checks the signals and the executables
    actually affected, using procfs. Fixes bug 918226.

Change-Id: I6f220d741423c4b8e0e792b647760b3ef521b9b2

Changed in nova:
status:	In Progress → Fix Committed

Thierry Carrez (ttx) on 2012-02-27

Changed in nova:
status:	Fix Committed → Fix Released

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.