Re: [openstack-dev] [tripleo] removing sudoers.d rules from disk-image-builder

2013-07-26 Thread Clint Byrum
Excerpts from Robert Collins's message of 2013-07-25 15:39:13 -0700: > On 26 July 2013 10:19, Thierry Carrez wrote: > > Chris Jones wrote: > >> I agree with your analysis of the effects of the sudoers file and I > >> think it makes a great argument for recommending people run the main > >> command

Re: [openstack-dev] [tripleo] removing sudoers.d rules from disk-image-builder

2013-07-25 Thread Robert Collins
On 26 July 2013 10:19, Thierry Carrez wrote: > Chris Jones wrote: >> I agree with your analysis of the effects of the sudoers file and I >> think it makes a great argument for recommending people run the main >> command itself with sudo, rather than a blanket passwordless sudo, but >> really all w

Re: [openstack-dev] [tripleo] removing sudoers.d rules from disk-image-builder

2013-07-25 Thread Thierry Carrez
Chris Jones wrote: > I agree with your analysis of the effects of the sudoers file and I > think it makes a great argument for recommending people run the main > command itself with sudo, rather than a blanket passwordless sudo, but > really all we need to say is "this tool needs to be run as root"

Re: [openstack-dev] [tripleo] removing sudoers.d rules from disk-image-builder

2013-07-25 Thread Chris Jones
Hi On 25 July 2013 14:20, Derek Higgins wrote: > which only gives people an incorrect sense of security. > I agree with your analysis of the effects of the sudoers file and I think it makes a great argument for recommending people run the main command itself with sudo, rather than a blanket pas

Re: [openstack-dev] [tripleo] removing sudoers.d rules from disk-image-builder

2013-07-25 Thread Derek Higgins
On 25/07/13 09:41, Chris Jones wrote: > Hi > > On 24 July 2013 22:18, Derek Higgins > wrote: >> - setup passwordless sudo or >> Doesn't sound like a super awesome option to me, it places an ugly >> security problem on anyone wanting to set this up anywhere, imo. >

Re: [openstack-dev] [tripleo] removing sudoers.d rules from disk-image-builder

2013-07-25 Thread Chris Jones
Hi On 24 July 2013 22:18, Derek Higgins wrote: > - setup passwordless sudo or > Doesn't sound like a super awesome option to me, it places an ugly > security problem on anyone wanting to set this up anywhere, imo. I don't think it's any worse than the security implications of running di-b as

Re: [openstack-dev] [tripleo] removing sudoers.d rules from disk-image-builder

2013-07-24 Thread Derek Higgins
+1 to removing the sudoers rules we have, they're adding overhead and contain enough wildcards that all they do is give people a false sense of security. On 23/07/13 17:39, Chris Jones wrote: > Hi > > On 23 July 2013 10:52, Robert Collins > wrote: > > So I'd l

Re: [openstack-dev] [tripleo] removing sudoers.d rules from disk-image-builder

2013-07-23 Thread Clint Byrum
Excerpts from Robert Collins's message of 2013-07-23 02:52:11 -0700: > We have a bunch of sudo rules in disk-image-builder. They are there > primarily so we could have passwordless sudo on jenkins boxes, but > working with the infra team now, it looks like we'd run on > devstack-gate nodes, not on

Re: [openstack-dev] [tripleo] removing sudoers.d rules from disk-image-builder

2013-07-23 Thread Chris Jones
Hi On 23 July 2013 10:52, Robert Collins wrote: > So I'd like to change things to say: > - either run sudo disk-image-create or > This is probably the simplest option, but it does increase the amount of code we're running with elevated privileges, which might be a concern, but probably isn't,