tripleo

tripleo-common sudoers file to permissive

Bug #1705709 reported by Toure Dunnon on 2017-07-21

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	tripleo	Fix Released	High	Toure Dunnon	tripleo pike-rc2

Bug Description

The sudoers files as installed with openstack-tripleo-common package is much too permissive. It contains several lines for the Mistral
user that have wildcards that allow directory traversal with ".."
and it grants full passwordless root access to the validations user.

Tags:

Revision history for this message

Toure Dunnon (toure) wrote on 2017-07-21:

review: https://review.openstack.org/486142

Changed in tripleo:
importance:	Undecided → High

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2017-07-21: Change abandoned on tripleo-common (master)

Change abandoned by Toure Dunnon (<email address hidden>) on branch: master
Review: https://review.openstack.org/486142

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2017-07-21: Related fix proposed to tripleo-common (master)

Related fix proposed to branch: master
Review: https://review.openstack.org/486147

Emilien Macchi (emilienm) on 2017-07-21

Changed in tripleo:
status:	New → Triaged

Emilien Macchi (emilienm) on 2017-07-21

tags:

added: tripleo-common

Emilien Macchi (emilienm) on 2017-07-30

Changed in tripleo:
milestone:	pike-3 → pike-rc1

Toure Dunnon (toure) on 2017-08-04

Changed in tripleo:
status:	Triaged → In Progress

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2017-08-22: Related fix merged to tripleo-common (master)

Reviewed: https://review.openstack.org/486147
Committed: https://git.openstack.org/cgit/openstack/tripleo-common/commit/?id=34713f3b52f4da950d565f7ad490f03d55706b82
Submitter: Jenkins
Branch: master

commit 34713f3b52f4da950d565f7ad490f03d55706b82
Author: Toure Dunnon <email address hidden>
Date: Fri Jul 21 09:45:31 2017 -0400

tripleo-common sudoers file is to permissive.

    The sudoers files as installed with openstack-tripleo-common package
    is much too permissive. It contains several lines for the mistral
    user that have wildcards that allow directory traversal with ".."
    which grants full passwordless root access to the validations user.

Change-Id: I34073671c8f97d7bfbe1030ed52e6627a07dacfb
Related-Bug: 1705709

Emilien Macchi (emilienm) on 2017-08-25

Changed in tripleo:
milestone:	pike-rc1 → pike-rc2

Ryan Brady (rbrady) on 2017-08-30

Changed in tripleo:
status:	In Progress → Fix Released

Revision history for this message

Florian Fuchs (flo-fuchs) wrote on 2017-09-12:

This fix is breaking tripleo-validations when run through mistral (as mentioned in the original bug report #1677315).

Revision history for this message

Toure Dunnon (toure) wrote on 2017-09-12:

What is breaking? On what release? Do you have log info?

Revision history for this message

Florian Fuchs (flo-fuchs) wrote on 2017-09-12:

There's another bug report and a corresponding patch:

- https://bugs.launchpad.net/tripleo/+bug/1716625
- https://review.openstack.org/#/c/503002/

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.