agents should not need to run as root

Bug #948467 reported by Robert Kukura
This bug affects 1 person
Affects          | Status       | Importance | Assigned to   | Milestone
neutron          | Fix Released | Medium     | Robert Kukura |
quantum (Ubuntu) | Fix Released | Undecided  | Unassigned    |
Nominated for Precise by Yolanda Robla

Bug Description

When executing commands that require root privileges, they should use a root helper such as sudo. See nova.utils.execute(), which takes a run_as_root arg, and uses a configured root_helper. Not sure if this should be marked as a security vulnerability.

Robert Kukura (rkukura)
Changed in quantum:
assignee: nobody → Robert Kukura (rkukura)
dan wendlandt (danwent)
Changed in quantum:
milestone: none → essex-rc1
dan wendlandt (danwent)
Changed in quantum:
status: New → In Progress
importance: Undecided → Medium
OpenStack Infra (hudson-openstack) wrote : Fix proposed to quantum (master)

Fix proposed to branch: master
Review: https://review.openstack.org/5293

OpenStack Infra (hudson-openstack) wrote : Fix merged to quantum (master)

Reviewed: https://review.openstack.org/5293
Committed: http://github.com/openstack/quantum/commit/a06b316cb47369ef4a2c522f5240fa3f7f529135
Submitter: Jenkins
Branch: master

commit a06b316cb47369ef4a2c522f5240fa3f7f529135
Author: Bob Kukura <email address hidden>
Date: Tue Mar 13 17:23:06 2012 -0400

    Add root_helper to quantum agents.

    When running commands that require root privileges, the linuxbridge,
    openvswitch, and ryu agent now prepend the commands with the value of
    the root_helper config variable. This is set to "sudo" in the plugins'
    .ini files, allowing the agent to run as a non-root user with
    appropriate sudo privileges.

    If root_helper is changed to "sudo quantum-rootwrap",
    then the command being run will be filtered against lists of each
    agent's valid commands in quantum/rootwrap. See
    http://wiki.openstack.org/Packager/Rootwrap for details.

    Fixes bug 948467.

    Change-Id: I549515068a4ce8ae480905ec5eaab6257445d0c3
    Signed-off-by: Bob Kukura <email address hidden>
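
The root_helper mechanism described in the commit message above, as an added Python sketch that is not the code from the quantum commit: the agent side prepends the helper to an argv list, and a wrapper side checks the command against an allow-list before running it as root. The function names and the `ALLOWED` table are assumptions made for illustration.

```python
import shlex

# Constructed allow-list for a hypothetical agent: executable -> permitted
# subcommands. These are NOT the filter lists shipped in quantum/rootwrap.
ALLOWED = {
    "ip": {"link", "addr", "tuntap"},
    "brctl": {"addbr", "delbr", "addif", "delif"},
}


def build_command(cmd, root_helper="sudo"):
    """Agent side: prepend the configured root_helper to an argv list.

    The result is meant for subprocess with shell=False, so an argument such
    as an interface name is never re-parsed by a shell.
    """
    if not cmd:
        raise ValueError("empty command")
    return shlex.split(root_helper) + [str(arg) for arg in cmd]


def is_allowed(cmd, allowed=ALLOWED):
    """Wrapper side: accept only a bare allow-listed executable and subcommand."""
    if len(cmd) < 2:
        return False
    return cmd[1] in allowed.get(cmd[0], set())


if __name__ == "__main__":
    for helper in ("sudo", "sudo quantum-rootwrap"):
        print(build_command(["brctl", "addbr", "br0"], helper))
    for cmd in (["ip", "link", "set", "tap0", "up"], ["/bin/sh", "-c", "id"]):
        print(cmd, "->", "run" if is_allowed(cmd) else "reject")
```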

Changed in quantum:
status: In Progress → Fix Committed
Thierry Carrez (ttx)
Changed in quantum:
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in quantum:
milestone: essex-rc1 → 2012.1
Changed in quantum (Ubuntu):
status: New → Fix Released