We can do #includedir /etc/nova/sudoers.d from sudoers as well.
I think a solution with a separate conf/dir for rootwrap is a step
back to sudo.
Kind regards, Yuriy.
On Wed, May 2, 2012 at 1:54 PM, Thierry Carrez thie...@openstack.org wrote:
Andrew Bogott wrote:
As part of the plugin
Andrew Bogott wrote:
As part of the plugin framework, I'm thinking about facilities for
adding commands to the nova-rootwrap list without directly editing the
code in nova-rootwrap. This is, naturally, super dangerous; I'm worried
that I'm going to open a security hole big enough to pass
Eric Windisch wrote:
I'd really like to see this security mechanism overhauled. Rootwrap was
an improvement over what was there before, however, I don't believe that
rootwrap is a viable long-term solution as currently designed. Rootwrap
has resulted in the use of potentially insecure
did the nova user /already/ have root access?
nova-rootwrap uses sudo to execute certain commands that require root access.
So yes, nova user already has root access via sudo. You can check /etc/sudoers
file.
stack.sh script from devstack adds the entry in sudoers list for the user
running
On 4/30/12 2:35 AM, Vaze, Mandar wrote:
did the nova user /already/ have root access?
nova-rootwrap uses sudo to execute certain commands that require root access.
So yes, nova user already has root access via sudo. You can check /etc/sudoers
file.
It sounds like you are saying
These are all installation-specific. Devstack is the closest thing there is to
an official installer and that clearly doesn't do all the right things, from
the perspective of making it *easy* to work with and test, rather than making
it production-ready. I think most of the integrators are
As part of the plugin framework, I'm thinking about facilities for
adding commands to the nova-rootwrap list without directly editing the
code in nova-rootwrap. This is, naturally, super dangerous; I'm worried
that I'm going to open a security hole big enough to pass a herd of
elephants.