tripleo-common sudoers file is to permissive.

The sudoers files as installed with openstack-tripleo-common package is much too permissive. It contains several lines for the mistral user that have wildcards that allow directory traversal with ".." which grants full passwordless root access to the validations user. Change-Id: I34073671c8f97d7bfbe1030ed52e6627a07dacfb Related-Bug: 1705709
2017-07-21 09:45:31 -04:00 · 2017-07-21 09:45:31 -04:00 · 34713f3b52
parent f0ef9ac787
commit 34713f3b52
1 changed files with 4 additions and 2 deletions
--- a/6
+++ b/6
@ -2,7 +2,9 @@ Defaults!/usr/bin/run-validation !requiretty
 Defaults:validations !requiretty
 Defaults:mistral !requiretty
 mistral ALL = (validations) NOPASSWD:SETENV: /usr/bin/run-validation
-mistral ALL = NOPASSWD: /usr/bin/chown validations\: /tmp/validations_identity_*
-mistral ALL = NOPASSWD: /usr/bin/rm -f /tmp/validations_identity_*
+mistral ALL = NOPASSWD: /usr/bin/chown -h validations\: /tmp/validations_identity_[A-Za-z0-9_][A-Za-z0-9_][A-Za-z0-9_][A-Za-z0-9_][A-Za-z0-9_][A-Za-z0-9_], \
+        !/usr/bin/chown /tmp/validations_identity_* *, !/usr/bin/chown /tmp/validations_identity_*..*
+mistral ALL = NOPASSWD: /usr/bin/rm -f /tmp/validations_identity_[A-Za-z0-9_][A-Za-z0-9_][A-Za-z0-9_][A-Za-z0-9_][A-Za-z0-9_][A-Za-z0-9_], \
+        !/usr/bin/rm /tmp/validations_identity_* *, !/usr/bin/rm /tmp/validations_identity_*..*
 mistral ALL = NOPASSWD: /bin/nova-manage cell_v2 discover_hosts *
 validations ALL = NOPASSWD: ALL