[ https://issues.apache.org/jira/browse/CLOUDSTACK-967?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Animesh Chaturvedi updated CLOUDSTACK-967:
------------------------------------------


These items are still not resolved for 4.2 and we are approaching RC soon.
Please review your items; if they are not ready for 4.2, please move them out to a
future release.
                
> security hazard: passwordless root sudo for cloud user
> ------------------------------------------------------
>
>                 Key: CLOUDSTACK-967
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-967
>             Project: CloudStack
>          Issue Type: Improvement
>      Security Level: Public(Anyone can view this level - this is the 
> default.) 
>            Reporter: Noa Resare
>            Assignee: Noa Resare
>              Labels: security
>             Fix For: 4.2.0
>
>
> When running the setup-cloud-management program, it installs a terrible entry 
> in the file /etc/sudoers:
> cloud ALL =NOPASSWD : ALL
> To the uninitiated: this means that the user 'cloud' can become root without 
> supplying a password via the sudo facility.
> This is obviously very, very bad from a security perspective. Any security 
> vulnerability where an attacker (remote or local) can trick the cloudstack 
> server component to execute arbitrary tasks immediately escalates into root 
> access.
> Let's figure out what permissions cloudstack actually needs and fix this.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
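The issue quoted above turns on one sudoers rule, `cloud ALL=NOPASSWD: ALL`, which lets the service account run any command as root with no password. The script below is an added example, not code from CloudStack or from the reporter: it audits sudoers text for exactly that class of rule (passwordless and unrestricted to the `ALL` command alias) and contrasts it with the scoped form a least-privilege rule should take. The sudoers fragments are constructed for illustration, and the command paths in the hardened rule are placeholders, not the permissions CloudStack actually needs (the issue leaves that to be worked out).

```shell
#!/bin/sh
# Added example (not CloudStack's own code). Audits sudoers text for rules that
# grant a user ANY command as root without a password, i.e. the shape of the
# rule setup-cloud-management installs per CLOUDSTACK-967:
#     cloud ALL=NOPASSWD: ALL
# All file contents below are constructed samples; the command paths in the
# hardened rule are placeholders, not CloudStack's real requirements.

# Constructed sample: the dangerous rule sits among rules that must NOT be
# flagged (root's normal rule, a scoped NOPASSWD rule, a group rule, Defaults).
SAMPLE_SUDOERS='# constructed sample, not a real host file
Defaults    requiretty
Cmnd_Alias  NET = /sbin/ifconfig, /sbin/route
root    ALL=(ALL)       ALL
cloud ALL=NOPASSWD: ALL
backup  ALL=(root) NOPASSWD: /usr/bin/rsync, /bin/tar
%wheel  ALL=(ALL)       ALL
'

# Constructed hardened form: same user, same NOPASSWD convenience, but only
# for an explicit list of commands. Paths are placeholders (assumption).
HARDENED_SUDOERS='# constructed: scoped replacement, placeholder paths
cloud ALL=(root) NOPASSWD: /usr/sbin/example-helper, /bin/mount, /bin/umount
'

# Prints one user/group per line for every rule that combines the NOPASSWD tag
# with the ALL command alias. Tolerates arbitrary whitespace around "=" and
# ":" and an optional "(runas)" spec. Known limits: no handling of "\"
# line continuations, and #include/#includedir lines are skipped like comments,
# so /etc/sudoers.d/* has to be fed in separately.
find_passwordless_root() {
    printf '%s' "$1" | awk '
        /^[ \t]*#/ || /^[ \t]*Defaults/ || /^[ \t]*[A-Za-z_]+_Alias/ || NF == 0 { next }
        {
            line = $0
            sub(/#.*/, "", line)                   # strip trailing comment
            eq = index(line, "=")                  # "user hosts = ..." splits at first "="
            if (eq == 0) next
            user = line; sub(/[ \t].*/, "", user)  # first field is the user or %group
            rhs = substr(line, eq + 1)
            sub(/^[ \t]*\([^)]*\)/, "", rhs)       # drop "(runas)" if present
            gsub(/[ \t]/, "", rhs)                 # e.g. "NOPASSWD:ALL" or "NOPASSWD:/a,/b"
            n = split(rhs, parts, ":")             # tags before the last ":", commands after
            cmds = parts[n]
            tags = substr(rhs, 1, length(rhs) - length(cmds))
            if (tags ~ /NOPASSWD/ && ("," cmds ",") ~ /,ALL,/) print user
        }'
}

# Non-zero status when any unrestricted passwordless rule exists.
audit_report() {
    users=$(find_passwordless_root "$1")
    if [ -n "$users" ]; then
        printf 'UNRESTRICTED NOPASSWD root for: %s\n' "$users"
        return 1
    fi
    printf 'no unrestricted NOPASSWD rules\n'
    return 0
}

# Stand-alone run: the first call reports "cloud", the second is clean.
audit_report "$SAMPLE_SUDOERS" || :
audit_report "$HARDENED_SUDOERS"
```

On a real host, feed the audit `/etc/sudoers` plus every file under `/etc/sudoers.d`, and confirm the effective result with `sudo -l -U cloud` (as root) after editing; `visudo -c` checks the syntax of the edited file before it goes live. The scoped rule is only as strong as the commands it names: anything listed must not itself offer a shell or arbitrary file write, or the restriction is cosmetic.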
