tripleo-common sudoers file is too permissive.

The sudoers file as installed with the openstack-tripleo-common package is much too permissive. It contains several lines for the mistral user that have wildcards that allow directory traversal with ".." which grants full passwordless root access to the validations user.

Change-Id: I34073671c8f97d7bfbe1030ed52e6627a07dacfb
Related-Bug: 1705709
parent f0ef9ac787
commit 34713f3b52
6 sudoers
@ -2,7 +2,9 @@ Defaults!/usr/bin/run-validation !requiretty
|
|||
Defaults:validations !requiretty
|
||||
Defaults:mistral !requiretty
|
||||
mistral ALL = (validations) NOPASSWD:SETENV: /usr/bin/run-validation
|
||||
mistral ALL = NOPASSWD: /usr/bin/chown validations\: /tmp/validations_identity_*
|
||||
mistral ALL = NOPASSWD: /usr/bin/rm -f /tmp/validations_identity_*
|
||||
mistral ALL = NOPASSWD: /usr/bin/chown -h validations\: /tmp/validations_identity_[A-Za-z0-9_][A-Za-z0-9_][A-Za-z0-9_][A-Za-z0-9_][A-Za-z0-9_][A-Za-z0-9_], \
|
||||
!/usr/bin/chown /tmp/validations_identity_* *, !/usr/bin/chown /tmp/validations_identity_*..*
|
||||
mistral ALL = NOPASSWD: /usr/bin/rm -f /tmp/validations_identity_[A-Za-z0-9_][A-Za-z0-9_][A-Za-z0-9_][A-Za-z0-9_][A-Za-z0-9_][A-Za-z0-9_], \
|
||||
!/usr/bin/rm /tmp/validations_identity_* *, !/usr/bin/rm /tmp/validations_identity_*..*
|
||||
mistral ALL = NOPASSWD: /bin/nova-manage cell_v2 discover_hosts *
|
||||
validations ALL = NOPASSWD: ALL
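Review bot: The negated entries on the continuation lines (`!/usr/bin/chown /tmp/validations_identity_* *`, `!/usr/bin/rm /tmp/validations_identity_*..*` and their counterparts) omit the `-h validations\:` and `-f` arguments that the allowed forms require, so as written they never match the invocation the rule permits and add no protection. The restriction actually comes from the six `[A-Za-z0-9_]` classes, which match exactly six such characters and leave no room for `..`, `/` or a second argument. I would drop the negations, or rewrite them with the same leading arguments as the allowed commands, since sudoers negation is easy to misread as a safety net. A comment stating that the fixed six-character suffix is intentional and must stay in step with whatever creates the `/tmp/validations_identity_` files would keep the pattern from being loosened back to `*` later. The unchanged `/bin/nova-manage cell_v2 discover_hosts *` line still ends in a wildcard and deserves the same scrutiny in a follow-up.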