commit 28e618921c5bf63b0d7d17fcbe3084fdda153997
Author: Markus Zoeller <email address hidden>
Date: Tue Aug 9 13:55:54 2016 +0200
Don't attempt to escalate nova-manage privileges
Remove code which allowed nova-manage to attempt to escalate
privileges so that configuration files can be read by users who
normally wouldn't have access, but do have sudo access.
The privilege escalation came into nova-manage with commit e9fd01e
to solve bug 805695. That bug report didn't describe a faulty behavior
but a change request.
NOTE: This is related to change I03063d2 from Kiall Mac Innes who did
this for the "designate" project. I'm reusing the change-id from his
change to make it clear that they are related to each other.
NOTE: I removed the try-except block completely, as it doesn't make
sense to continue when we cannot read the config file (due to a wrong
path or permission errors). That's the same approach we used in the
recent "nova/cmd/policy_check" module. https://github.com/openstack/nova/blob/master/nova/cmd/policy_check.py#L158
Co-Authored-By: Kiall Mac Innes <email address hidden>
Closes-Bug: 1611171
Change-Id: I03063d2af14015e6506f1b6e958f5ff219aa4a87
(cherry picked from commit 87530b6e674750ab0d55b70cce4d96bf26d1f49a)
Reviewed: https://review.openstack.org/385365
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=28e618921c5bf63b0d7d17fcbe3084fdda153997
Submitter: Jenkins
Branch: stable/newton