Add /usr/local/{sbin,bin} to rootwrap exec_dirs
/usr/local/{sbin,bin} is a standardised location for admins to install
non-distro executables, and these executables are no less "trustworthy"
than /usr/bin and friends. See neutron and cinder's rootwrap.conf (and
probably others), and typical distro default values for
sudoers/secure_path for extremely similar precedents that all include
/usr/local/*bin.
In particular, some sort of change like this is required for
oslo.privsep to find its "privsep-helper" executable in
devstack (installed into /usr/local/bin via pip). The only open
question (imo) is whether this change is made here in nova (and any
other project that doesn't already have this), or rootwrap.conf is
modified in the same way at "deployment time" by devstack and other
deployment methods. Doing it here means it is far more likely to "just
work" for the common case of installing at least one affected command
into /usr/local.
See I710cf142b834381c00e651cfc062299ae755c33f for some brief discussion
of doing this via devstack, and pointers to earlier neutron, etc
discussion.
Change-Id: I6a0a4b7f952193ce0f4ed2594613188854d36bf1
This commit is contained in:
Angus Lees
parent
f6e2c33271
commit
1fed955fa4
|
|
@ -10,7 +10,7 @@ filters_path=/etc/nova/rootwrap.d,/usr/share/nova/rootwrap
|
|||
# explicitly specify a full path (separated by ',')
|
||||
# If not specified, defaults to system PATH environment variable.
|
||||
# These directories MUST all be only writeable by root !
|
||||
exec_dirs=/sbin,/usr/sbin,/bin,/usr/bin
|
||||
exec_dirs=/sbin,/usr/sbin,/bin,/usr/bin,/usr/local/sbin,/usr/local/bin
|
||||
|
||||
# Enable logging to syslog
|
||||
# Default value is False
|
||||
|
|
|
|||
Loading…
Reference in New Issue