Disable sudo io logging for rootwrap

Bug #1564812 reported by Dr. Jens Harbott
Affects            Status      Importance  Assigned to  Milestone
cinder (Ubuntu)    Won't Fix   Wishlist    Unassigned
neutron (Ubuntu)   Won't Fix   Wishlist    Unassigned
nova (Ubuntu)      Won't Fix   Wishlist    Unassigned

Bug Description

Cinder, Neutron and Nova use rootwrappers that allow selected commands to be executed with root privileges via sudo. If an administrator chooses to enable sudo logging for security reasons, this will cause a lot of files to be created, filling up file systems pretty fast. This could be circumvented by changing the entry in /etc/sudoers.d/cinder_sudoers like this:

--- /etc/sudoers.d/cinder_sudoers 2016-03-30 11:20:28.000000000 +0000
+++ /etc/sudoers.d/cinder_sudoers.new 2016-04-01 09:31:36.811807794 +0000
@@ -1,3 +1,3 @@
 Defaults:cinder !requiretty

-cinder ALL = (root) NOPASSWD: /usr/bin/cinder-rootwrap /etc/cinder/rootwrap.conf *
+cinder ALL = (root) NOPASSWD: NOLOG_INPUT: NOLOG_OUTPUT: /usr/bin/cinder-rootwrap /etc/cinder/rootwrap.conf *
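Review bot: the `+` line turns off input logging as well (NOLOG_INPUT:), which throws away the only sudo-side record of the arguments the trailing `*` wildcard lets through to /usr/bin/cinder-rootwrap; if the aim is only to stop the per-invocation output transcripts filling the disk, keep input logging and add NOLOG_OUTPUT: alone, i.e. `cinder ALL = (root) NOPASSWD: NOLOG_OUTPUT: /usr/bin/cinder-rootwrap /etc/cinder/rootwrap.conf *`. Also, this edits the package-provided /etc/sudoers.d/cinder_sudoers, so the change will be flagged as a modified conffile on every package upgrade; a `Defaults:cinder !log_output` line in a separate file under /etc/sudoers.d reaches the same result without touching the shipped file.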

and similarly for nova and neutron.

James Page (james-page) wrote:

I think it's good to have the input log for auditing purposes; however, output is probably surplus in this instance.

Changed in cinder (Ubuntu):
status: New → Triaged
Changed in neutron (Ubuntu):
status: New → Triaged
Changed in nova (Ubuntu):
status: New → Triaged
Changed in cinder (Ubuntu):
importance: Undecided → Wishlist
Changed in neutron (Ubuntu):
importance: Undecided → Wishlist
Changed in nova (Ubuntu):
importance: Undecided → Wishlist
James Page (james-page) wrote:

After some discussion on IRC, this problem occurs when log_input and log_output are provided as modifications to the standard sudoers configuration.

It's possible to exclude this default for certain users using:

Defaults:nova !log_input,!log_output

so I think this is a better solution for installations wishing to provide a full audit of user accounts' use of sudo, but exclude sudo calls from system accounts such as neutron and nova.

This can be applied either in sudoers.d (in a new file, not the package provided one) or in /etc/sudoers itself.

I'm going to mark this bug as a Won't Fix - we should assume minimal configuration defaults as part of the packaging, and let end-users tailor their sudo configuration as required.

Changed in cinder (Ubuntu):
status: Triaged → Won't Fix
Changed in neutron (Ubuntu):
status: Triaged → Won't Fix
Changed in nova (Ubuntu):
status: Triaged → Won't Fix
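To see how the two approaches on this page combine, the following checker is an added example; it is not code from the bug report, the Ubuntu packages or sudo itself. It parses the subset of sudoers syntax used here and reports, per rule, whether sudo would still record an input and an output transcript, applying the precedence sudoers(5) documents for Defaults: generic entries first, then user-specific `Defaults:user` entries, then per-command tags such as NOLOG_OUTPUT:. The sudoers text inside it is constructed for the example: the cinder rule is the one quoted in the bug with only NOLOG_OUTPUT: added, the nova and neutron rootwrap lines are modelled on it, and `alice` is a hypothetical human administrator whose sudo use should stay fully logged. Host, runas and command Defaults, aliases, `#include` directives and line continuations are not handled.

```python
"""Effective sudo I/O-logging state for rootwrap rules (added example).

Not code from the bug report, the Ubuntu packages or sudo. It models a subset
of sudoers(5): generic Defaults, then Defaults:user, then the per-command
LOG_*/NOLOG_* tags, each later layer overriding the earlier one.
"""
import re
from dataclasses import dataclass, field

LOG_OPTS = ("log_input", "log_output")
LOG_TAGS = {
    "LOG_INPUT": ("log_input", True), "NOLOG_INPUT": ("log_input", False),
    "LOG_OUTPUT": ("log_output", True), "NOLOG_OUTPUT": ("log_output", False),
}
ALIAS_KEYWORDS = ("User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias")

# Defaults [:user|@host|>runas|!cmnd] opt[, opt...]
_DEFAULTS_RE = re.compile(r"^Defaults(?:(?P<kind>[:@>!])(?P<target>\S+))?\s+(?P<opts>.+)$")
# user host = (runas) [TAG: ...] command args
_SPEC_RE = re.compile(r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<rest>.+)$")

# Constructed sample files. The nova/neutron lines mirror the packaged cinder
# rule quoted in the bug; 'alice' is a hypothetical human administrator.
SUDOERS_MAIN = """\
Defaults log_input, log_output        # site-wide audit policy
Defaults:nova !log_input,!log_output  # per-user exclusion from the second comment
alice ALL=(ALL) ALL
"""
SUDOERS_D = {
    "cinder_sudoers": "Defaults:cinder !requiretty\n\n"
        "cinder ALL = (root) NOPASSWD: NOLOG_OUTPUT: /usr/bin/cinder-rootwrap /etc/cinder/rootwrap.conf *\n",
    "neutron_sudoers": "neutron ALL = (root) NOPASSWD: /usr/bin/neutron-rootwrap /etc/neutron/rootwrap.conf *\n",
    "nova_sudoers": "nova ALL = (root) NOPASSWD: /usr/bin/nova-rootwrap /etc/nova/rootwrap.conf *\n",
}


@dataclass
class Policy:
    generic: list = field(default_factory=list)   # [(opt, enabled)]
    per_user: dict = field(default_factory=dict)  # user -> [(opt, enabled)]
    specs: list = field(default_factory=list)     # [(user, command, {opt: enabled})]


def _parse_opts(opts):
    """Keep only the logging flags; 'x' enables, '!x' disables."""
    parsed = []
    for tok in (t.strip() for t in opts.split(",")):
        if not tok:
            continue
        name = tok.lstrip("!").split("=", 1)[0]
        if name in LOG_OPTS:
            parsed.append((name, not tok.startswith("!")))
    return parsed


def parse_sudoers(text, policy=None):
    """Accumulate Defaults and command specs from one sudoers file into policy.
    Not handled: #include/#includedir/#uid forms, backslash continuations,
    aliases, and host/runas/command Defaults."""
    if policy is None:
        policy = Policy()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(ALIAS_KEYWORDS):
            continue
        m = _DEFAULTS_RE.match(line)
        if m:
            opts = _parse_opts(m.group("opts"))
            if m.group("kind") is None:
                policy.generic.extend(opts)
            elif m.group("kind") == ":":
                for user in m.group("target").split(","):
                    policy.per_user.setdefault(user, []).extend(opts)
            continue
        m = _SPEC_RE.match(line)
        if m:
            tokens = m.group("rest").split()
            tags = {}
            # Leading UPPERCASE: words are tags; NOPASSWD: and friends are ignored.
            while tokens and re.fullmatch(r"[A-Z_]+:", tokens[0]):
                tag = tokens.pop(0)[:-1]
                if tag in LOG_TAGS:
                    opt, enabled = LOG_TAGS[tag]
                    tags[opt] = enabled
            policy.specs.append((m.group("user"), " ".join(tokens), tags))
    return policy


def effective_io_logging(policy):
    """{(user, command): {'log_input': bool, 'log_output': bool}} after layering
    generic Defaults, the user's Defaults, then the rule's own tags."""
    result = {}
    for user, command, tags in policy.specs:
        state = {"log_input": False, "log_output": False}  # sudo's default: off
        for opt, enabled in policy.generic + policy.per_user.get(user, []):
            state[opt] = enabled
        state.update(tags)
        result[(user, command)] = state
    return result


def noisy_accounts(policy):
    """Accounts whose rules still write an output transcript per sudo call,
    i.e. the ones that would fill the filesystem the way the bug describes."""
    return sorted({u for (u, _), st in effective_io_logging(policy).items() if st["log_output"]})


def build_sample_policy():
    policy = parse_sudoers(SUDOERS_MAIN)
    for text in SUDOERS_D.values():
        parse_sudoers(text, policy)
    return policy


if __name__ == "__main__":
    pol = build_sample_policy()
    for (user, command), st in effective_io_logging(pol).items():
        print(f"{user:8} input={st['log_input']!s:5} output={st['log_output']!s:5} {command}")
    print("still writing output transcripts:", noisy_accounts(pol))
```

Run it with python3 and the report shows alice fully logged, cinder with input kept but output dropped by its tag, nova silenced by the `Defaults:nova` line, and neutron still producing output transcripts because nothing on its behalf overrides the site-wide policy. Against real files the checker is only a quick audit aid; syntax validation of any sudoers change still belongs to `visudo -c -f FILE` before it is installed.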