agents should not need to run as root

Bug #948467 reported by Robert Kukura on 2012-03-06
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Robert Kukura
quantum (Ubuntu)
Nominated for Precise by Yolanda Robla

Bug Description

When executing commands that require root privileges, they should use a root helper such as sudo. See nova.utils.execute(), which takes a run_as_root arg, and uses a configured root_helper. Not sure if this should be marked as a security vulnerability.

Robert Kukura (rkukura) on 2012-03-06
Changed in quantum:
assignee: nobody → Robert Kukura (rkukura)
dan wendlandt (danwent) on 2012-03-06
Changed in quantum:
milestone: none → essex-rc1
dan wendlandt (danwent) on 2012-03-13
Changed in quantum:
status: New → In Progress
importance: Undecided → Medium

Submitter: Jenkins
Branch: master

commit a06b316cb47369ef4a2c522f5240fa3f7f529135
Author: Bob Kukura <email address hidden>
Date: Tue Mar 13 17:23:06 2012 -0400

    Add root_helper to quantum agents.

    When running commands that require root privileges, the linuxbridge,
    openvswitch, and ryu agents now prepend the commands with the value of
    the root_helper config variable. This is set to "sudo" in the plugins'
    .ini files, allowing the agent to run as a non-root user with
    appropriate sudo privileges.

    If root_helper is changed to "sudo quantum-rootwrap",
    then the command being run will be filtered against lists of each
    agent's valid commands in quantum/rootwrap. See for details.

    Fixes bug 948467.

    Change-Id: I549515068a4ce8ae480905ec5eaab6257445d0c3
    Signed-off-by: Bob Kukura <email address hidden>

Changed in quantum:
status: In Progress → Fix Committed
Thierry Carrez (ttx) on 2012-03-19
Changed in quantum:
status: Fix Committed → Fix Released
Thierry Carrez (ttx) on 2012-04-05
Changed in quantum:
milestone: essex-rc1 → 2012.1
Changed in quantum (Ubuntu):
status: New → Fix Released
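
The root_helper pattern described in the commit message above, as an added example that is not code from quantum, nova or quantum-rootwrap: an unprivileged agent prepends the configured helper to an argv list, and a filtering wrapper accepts only allowlisted command names. The names build_command, wrapper_filter and AGENT_FILTERS, and the pinned paths, are assumptions made for illustration.

```python
import shlex

# Constructed allowlist for a hypothetical agent: command name -> pinned absolute path.
AGENT_FILTERS = {"ip": "/sbin/ip", "brctl": "/usr/sbin/brctl"}


def build_command(cmd, root_helper="sudo", run_as_root=False):
    """Return the argv the unprivileged agent would hand to subprocess.

    cmd is a list (never a shell string), so arguments cannot be
    reinterpreted by a shell on the privileged side.
    """
    if not isinstance(cmd, (list, tuple)) or not cmd:
        raise ValueError("cmd must be a non-empty argv list")
    argv = [str(a) for a in cmd]
    if run_as_root:
        # root_helper may be several words, e.g. "sudo quantum-rootwrap".
        argv = shlex.split(root_helper) + argv
    return argv


def wrapper_filter(argv, filters=AGENT_FILTERS):
    """What a filtering wrapper does with the argv it receives as root.

    Only exact command names on the allowlist pass, and the name is
    replaced by its pinned absolute path so the caller's PATH is ignored.
    """
    if not argv:
        raise PermissionError("empty command")
    name = argv[0]
    if name not in filters:  # also rejects "/tmp/ip", "../ip", "sh"
        raise PermissionError("command not allowed: %r" % name)
    return [filters[name]] + list(argv[1:])


def run_demo():
    helper = "sudo quantum-rootwrap"
    full = build_command(["ip", "link", "show"], helper, run_as_root=True)
    # The wrapper sees everything after the helper words.
    inner = full[len(shlex.split(helper)):]
    return full, wrapper_filter(inner)


if __name__ == "__main__":
    print(run_demo())
```

With plain "sudo" as the helper, the allowlist lives in the sudoers policy instead; the filtering wrapper moves that decision into per-agent command lists.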