rootwrap filter for ip netns exec
Bug #1044083 reported by dan wendlandt
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
neutron | Fix Released | High | Mark McClain |
Bug Description
There is a security hole when using rootwrap with Quantum, since rootwrap allows the use of "ip netns exec" to run commands in a particular namespace. This could be used to subvert rootwrap and run arbitrary commands.
The solution is to create a special filter type that only allows certain allowed required commands to be executed within a namespace.
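An added sketch of the kind of filter the report asks for (not part of the original report and not Quantum's rootwrap code): a naive `ip` filter next to one that validates the command nested inside `ip netns exec`. The class names, the inner allow-list (`ip`, `ping`) and the sample command lines are assumptions constructed for illustration.

```python
# Added illustration; class names are hypothetical, not Quantum's rootwrap code.

class CommandFilter:
    """Allow a command whose argv[0] is exactly `name`."""
    def __init__(self, name):
        self.name = name

    def match(self, argv):
        return bool(argv) and argv[0] == self.name


class IpFilter(CommandFilter):
    """Allow `ip ...` except anything that enters a namespace to run a command."""
    SAFE_NETNS = (["list"], ["add"], ["delete"])  # assumed safe subcommands

    def __init__(self):
        super().__init__("ip")

    def match(self, argv):
        if not super().match(argv):
            return False
        if "netns" not in argv:
            return True
        # Conservative: whatever follows "netns" must be a known-safe subcommand.
        return argv[argv.index("netns") + 1:][:1] in self.SAFE_NETNS


class NetnsExecFilter:
    """Allow `ip netns exec <ns> <cmd...>` only when <cmd...> passes an inner filter."""
    def __init__(self, inner_filters):
        self.inner_filters = inner_filters

    def match(self, argv):
        if argv[:3] != ["ip", "netns", "exec"] or len(argv) < 5:
            return False
        inner = argv[4:]  # argv[3] is the namespace name
        return any(f.match(inner) for f in self.inner_filters)


def is_allowed(argv, filters):
    return any(f.match(argv) for f in filters)


# Constructed filter sets: NAIVE reproduces the hole, HARDENED closes it.
NAIVE = [CommandFilter("ip")]
INNER = [IpFilter(), CommandFilter("ping")]  # commands assumed to be required
HARDENED = [IpFilter(), NetnsExecFilter(INNER)]
```

Because `IpFilter` is also the inner filter for `ip`, a nested `ip netns exec ... ip netns exec ...` chain is rejected as well.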
Changed in quantum:
importance: Undecided → High
milestone: none → folsom-rc1
assignee: nobody → john dunning (jrd-q)

Changed in quantum:
status: New → Confirmed

Changed in quantum:
assignee: john dunning (jrd-q) → Mark McClain (markmcclain)

Changed in quantum:
status: Fix Committed → Fix Released

Changed in quantum:
milestone: folsom-rc1 → 2012.2
Fix proposed to branch: master
Review: https://review.openstack.org/12388