[ https://issues.apache.org/jira/browse/CLOUDSTACK-967?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13552127#comment-13552127 ]
John Kinsella commented on CLOUDSTACK-967:
------------------------------------------

Concur. Just looked through my sudo logs, this is what I see it running:

sudo: cloud : TTY=unknown ; PWD=/var/lib/cloud/management ; USER=root ; COMMAND=/bin/cp -b /usr/lib64/cloud/common/vms/systemvm.iso /usr/lib64/cloud/common/vms/systemvm.iso.bak
sudo: cloud : TTY=unknown ; PWD=/var/lib/cloud/management ; USER=root ; COMMAND=/bin/cp -fr /var/lib/cloud/management/systemvm_mnt/authorized_keys /var/lib/cloud/management/systemvm_mnt/cloud-scripts.tgz /var/lib/cloud/management/systemvm_mnt/systemvm.zip /tmp/cloud/systemvm/
sudo: cloud : TTY=unknown ; PWD=/var/lib/cloud/management ; USER=root ; COMMAND=/bin/cp /var/lib/cloud/management/.ssh/id_rsa.pub /tmp/cloud/systemvm/authorized_keys
sudo: cloud : TTY=unknown ; PWD=/var/lib/cloud/management ; USER=root ; COMMAND=/bin/cp -f /tmp/systemvm.iso /usr/lib64/cloud/common/vms/systemvm.iso
sudo: cloud : TTY=unknown ; PWD=/var/lib/cloud/management ; USER=root ; COMMAND=/bin/cp -fb /var/lib/cloud/management/.ssh/id_rsa /usr/lib64/cloud/common/scripts/vm/systemvm/id_rsa.cloud
sudo: cloud : TTY=unknown ; PWD=/var/lib/cloud/management ; USER=root ; COMMAND=/bin/chmod 644 /usr/lib64/cloud/common/scripts/vm/systemvm/id_rsa.cloud
sudo: cloud : TTY=unknown ; PWD=/var/lib/cloud/management ; USER=root ; COMMAND=/bin/mkdir -p /var/lib/cloud/management/systemvm_mnt
sudo: cloud : TTY=unknown ; PWD=/var/lib/cloud/management ; USER=root ; COMMAND=/bin/mount -o loop /usr/lib64/cloud/common/vms/systemvm.iso /var/lib/cloud/management/systemvm_mnt
sudo: cloud : TTY=unknown ; PWD=/var/lib/cloud/management ; USER=root ; COMMAND=/bin/umount /var/lib/cloud/management/systemvm_mnt

> security hazard: passwordless root sudo for cloud user
> ------------------------------------------------------
>
>                 Key: CLOUDSTACK-967
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-967
>             Project: CloudStack
>          Issue Type: Improvement
>      Security Level: Public (Anyone can view this level - this is the default.)
>            Reporter: Noa Resare
>              Labels: security
>
> When running the setup-cloud-management program, it installs a terrible entry
> in the file /etc/sudoers:
> cloud ALL =NOPASSWD : ALL
> To the uninitiated: this means that the user 'cloud' can become root without
> supplying a password via the sudo facility.
> This is obviously very, very bad from a security perspective. Any security
> vulnerability where an attacker (remote or local) can trick the cloudstack
> server component to execute arbitrary tasks immediately escalates into root
> access.
> Let's figure out what permissions cloudstack actually needs and fix this.
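
Added example, not part of the JIRA thread or of CloudStack's code: one way to turn sudo log lines like those quoted in the comment into candidate exact-argument sudoers entries that could replace the blanket NOPASSWD rule. The function names are hypothetical, and the sample reuses four of the quoted log lines plus one constructed duplicate.

```python
import re

# One successful sudo invocation as written to syslog. Denied attempts carry
# an extra field before TTY= and therefore do not match.
SUDO_LINE = re.compile(
    r"sudo:\s+(?P<user>\S+) : TTY=\S+ ; PWD=.+? ; "
    r"USER=(?P<runas>\S+) ; COMMAND=(?P<command>/.+)$"
)
# Characters sudoers treats specially inside command arguments.
SUDOERS_SPECIAL = re.compile(r"([\\,:=*?\[\]])")

# Sample input: four log lines from the comment above; the repeated last line
# is constructed to show de-duplication.
SAMPLE_LOG = """\
sudo: cloud : TTY=unknown ; PWD=/var/lib/cloud/management ; USER=root ; COMMAND=/bin/cp -f /tmp/systemvm.iso /usr/lib64/cloud/common/vms/systemvm.iso
sudo: cloud : TTY=unknown ; PWD=/var/lib/cloud/management ; USER=root ; COMMAND=/bin/chmod 644 /usr/lib64/cloud/common/scripts/vm/systemvm/id_rsa.cloud
sudo: cloud : TTY=unknown ; PWD=/var/lib/cloud/management ; USER=root ; COMMAND=/bin/mount -o loop /usr/lib64/cloud/common/vms/systemvm.iso /var/lib/cloud/management/systemvm_mnt
sudo: cloud : TTY=unknown ; PWD=/var/lib/cloud/management ; USER=root ; COMMAND=/bin/umount /var/lib/cloud/management/systemvm_mnt
sudo: cloud : TTY=unknown ; PWD=/var/lib/cloud/management ; USER=root ; COMMAND=/bin/umount /var/lib/cloud/management/systemvm_mnt
"""


def parse_sudo_log(text):
    """Return (user, runas, command) for each successful sudo log line."""
    matches = (SUDO_LINE.search(line.rstrip()) for line in text.splitlines())
    return [(m["user"], m["runas"], m["command"]) for m in matches if m]


def sudoers_command(command):
    """Render a logged command as a sudoers Cmnd with its exact arguments."""
    path, _, args = command.partition(" ")
    if not args:
        # An empty "" argument list means "only when run with no arguments".
        return f'{path} ""'
    escaped = SUDOERS_SPECIAL.sub(r"\\\1", args)
    return f"{path} {escaped}"


def least_privilege_rules(text, user="cloud"):
    """Build de-duplicated, exact-argument sudoers lines for one user."""
    seen = {(runas, cmd) for u, runas, cmd in parse_sudo_log(text) if u == user}
    return [
        f"{user} ALL = ({runas}) NOPASSWD: {sudoers_command(cmd)}"
        for runas, cmd in sorted(seen)
    ]
```

Exact-argument entries matter here because a bare `/bin/cp` or `/bin/chmod` rule would still let the account modify any file as root. Treat the generated lines as a draft to review and validate with `visudo -c`, not as a finished policy.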