Lockdown /bin/ip permissions for the monasca-agent

This patch adds additional arguments to the sudoers entry for
the /bin/ip command. It restricts access to only 'ip netns exec'.

Change-Id: Ie80c8fbdc851cbace8c82f8c47f490898f5c4d6e
(cherry picked from commit 00077266ae)
git 2020-05-08 10:43:04 -04:00 committed by Keith Berger
parent eae9482c63
commit b018572677
1 changed files with 1 additions and 1 deletions


@ -1,4 +1,4 @@
# Needed for monasca_agent.collector.checks_d.swift_diags
monasca-agent ALL = (root) NOPASSWD:/usr/local/bin/diagnostics,/usr/local/bin/swift-checker,/bin/ip,/usr/bin/ovs-vsctl
monasca-agent ALL = (root) NOPASSWD:/usr/local/bin/diagnostics,/usr/local/bin/swift-checker,/bin/ip netns exec qrouter-[! ][! ][! ][! ][! ][! ][! ][! ]-[! ][! ][! ][! ]-[! ][! ][! ][! ]-[! ][! ][! ][! ]-[! ][! ][! ][! ][! ][! ][! ][! ][! ][! ][! ][! ] /bin/ping *,/usr/bin/ovs-vsctl
# Needed for monasca_agent.collector.checks_d.postfix
monasca-agent ALL = (root) NOPASSWD:NOEXEC:/usr/bin/find
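Review bot: The `[! ]` classes in the new `qrouter-…` pattern accept any non-space character rather than only the hex digits of a router UUID, so names containing characters such as `/` or `.` still match. Replacing each `[! ]` with `[0-9a-f]` would keep the rule to UUID-shaped namespace names. The trailing `/bin/ping *` is also wider than it reads, because a `*` in sudoers command arguments matches across spaces and so admits any set of ping options as root. If the agent always passes the same flags, spell them out in the rule and leave only the target address as a pattern. The comment above the entry still attributes the whole line to swift_diags; it would help to note there which check needs the netns ping and `/usr/bin/ovs-vsctl`, the latter remaining unrestricted on this line.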