Using the same user for running the service and owning the configuration files is dangerous, i.e. the service's running user shouldn't be able to change the configuration files.

A simple attack like:

* a hacker hacked into the nova-api container as the nova user
* he can change the /etc/nova/rootwrap.conf file and /etc/nova/rootwrap.d, through which he can get much greater authority with sudo
* he can also change the /etc/nova/nova.conf file to use another privsep_command.helper_command to get greater authority:

    [privsep_entrypoint]
    helper_command=sudo nova-rootwrap /etc/nova/rootwrap.conf privsep-helper --config-file /etc/nova/nova.conf

So the right rule should be: do not let the service's running user have write permission to the configuration files. For the nova.conf file, I think root:root with 644 permission or root:nova with 640 should be enough; for the directory, root:root with 755 or root:nova with 750 should be enough.

On Tue, Aug 23, 2016 at 11:11 PM, Steven Dake (stdake) <std...@cisco.com> wrote:
>
> On 8/23/16, 7:05 AM, "Gerard Braad" <m...@gbraad.nl> wrote:
>
>> On Tue, Aug 23, 2016 at 9:56 PM, lương hữu tuấn <tuantulu...@gmail.com> wrote:
>>> I also prefer a dedicated user ("kolla" seems the best choice) as same
>>> On Tue, Aug 23, 2016 at 3:51 PM, Paul Bourke <paul.bou...@oracle.com> wrote:
>>>> In my experience operators prefer a dedicated user (kolla:kolla), though I
>>
>> kolla:kolla seems more logical and simpler to reason about.
>>
> kolla:kolla still works with multi-user approach and permissions 660 on
> /etc/kolla files.
>
> Regards
> -steve
>
>> --
>>
>> Gerard Braad | http://gbraad.nl
>> [ Doing Open Source Matters ]
>>
>> __________________________________________________________________________
>> OpenStack Development Mailing List (not for usage questions)
>> Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

--
Regards,
Jeffrey Zhang
Blog: http://xcodest.me
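An added audit script, not code from this thread or from Kolla/Nova, that checks the rule argued above: given a service account such as nova, it reports every file or directory under a config tree that the account could write (the /etc/nova path and nova user are the thread's example; the group membership comes from the local passwd/group database).

```python
import os
import pwd
import grp
import stat

# Added example, not code from the thread or from Kolla/Nova. It audits the rule
# argued above: the account a service runs as must not be able to write its own
# configuration, since a writable rootwrap.conf / rootwrap.d or a rewritten
# [privsep_entrypoint] helper_command in nova.conf hands a compromised service
# account root via sudo. The /etc/nova path and nova user are the thread's example.

def writable_by(mode, owner_uid, owner_gid, uid, gids):
    """Could a process with `uid` and group set `gids` write a file with these bits?
    Same owner/group/other rule the kernel applies; root (uid 0) always can."""
    if uid == 0:
        return True
    if owner_uid == uid:
        return bool(mode & stat.S_IWUSR)
    if owner_gid in gids:
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)

def user_groups(username):
    """Primary plus supplementary gids of `username` from the local passwd/group db."""
    pw = pwd.getpwnam(username)
    gids = {pw.pw_gid}
    gids.update(g.gr_gid for g in grp.getgrall() if username in g.gr_mem)
    return gids

def audit_config_dir(path, username):
    """Return [(path, octal mode)] for every directory or file under `path` that
    `username` could write; an empty list means the tree satisfies the rule."""
    uid = pwd.getpwnam(username).pw_uid
    gids = user_groups(username)
    findings = []
    for root, _dirs, files in os.walk(path):
        # Check the directory itself too: write access to the directory lets the
        # user rename a fresh file over a read-only one.
        for entry in [root] + [os.path.join(root, f) for f in files]:
            st = os.lstat(entry)
            if writable_by(st.st_mode, st.st_uid, st.st_gid, uid, gids):
                findings.append((entry, oct(stat.S_IMODE(st.st_mode))))
    return findings

if __name__ == "__main__":
    # Prints nothing on a host that follows the root:root 644 / root:nova 640 rule.
    for entry, mode in audit_config_dir("/etc/nova", "nova"):
        print(mode, entry)
```

Run it inside the nova-api container (or against the host's /etc/kolla tree with the kolla user) and treat any line of output as a finding to fix.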