Disable sudo io logging for rootwrap
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
cinder (Ubuntu) | Won't Fix | Wishlist | Unassigned |
neutron (Ubuntu) | Won't Fix | Wishlist | Unassigned |
nova (Ubuntu) | Won't Fix | Wishlist | Unassigned |
Bug Description
Cinder, Neutron and Nova use rootwrappers that allow selected commands to be executed with root privileges via sudo. If an administrator chooses to enable sudo logging for security reasons, this will cause a lot of files to be created, filling up file systems pretty fast. This could be circumvented by changing the entry in /etc/sudoers.
--- /etc/sudoers.
+++ /etc/sudoers.
@@ -1,3 +1,3 @@
Defaults:cinder !requiretty
-cinder ALL = (root) NOPASSWD: /usr/bin/
+cinder ALL = (root) NOPASSWD: NOLOG_INPUT: NOLOG_OUTPUT: /usr/bin/
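Review bot: On the added line, setting both NOLOG_INPUT: and NOLOG_OUTPUT: drops the input record along with the output, so a site that turned on I/O logging for audit purposes loses the input log for every rootwrap call; if output volume is the concern, NOLOG_OUTPUT: alone would keep the input log. The command spec as shown ends at /usr/bin/, and a sudoers path ending in / matches every file in that directory, so confirm the entry names the rootwrap binary itself before the tags are relaxed on it. A short comment above the entry saying why I/O logging is off for this user would help whoever audits the file next.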
and similarly for nova and neutron.
I think it's good to have the input log for auditing purposes; however, output is probably surplus in this instance.