From 1fed955fa421ab1f61b77a15c69b9482cdac00af Mon Sep 17 00:00:00 2001 From: Angus Lees Date: Mon, 15 Feb 2016 14:08:24 +1100 Subject: [PATCH] Add /usr/local/{sbin,bin} to rootwrap exec_dirs /usr/local/{sbin,bin} is a standardised location for admins to install non-distro executables, and these executables are no less "trustworthy" than /usr/bin and friends. See neutron and cinder's rootwrap.conf (and probably others), and typical distro default values for sudoers/secure_path for extremely similar precedents that all include /usr/local/*bin. In particular, some sort of change like this is required for oslo.privsep to find its "privsep-helper" executable in devstack (installed into /usr/local/bin via pip). The only open question (imo) is whether this change is made here in nova (and any other project that doesn't already have this), or rootwrap.conf is modified in the same way at "deployment time" by devstack and other deployment methods. Doing it here means it is far more likely to "just work" for the common case of installing at least one affected command into /usr/local. See I710cf142b834381c00e651cfc062299ae755c33f for some brief discussion of doing this via devstack, and pointers to earlier neutron, etc discussion. Change-Id: I6a0a4b7f952193ce0f4ed2594613188854d36bf1 --- etc/nova/rootwrap.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/etc/nova/rootwrap.conf b/etc/nova/rootwrap.conf index 5dc07891e0f4..c6fd5642b7bd 100644 --- a/etc/nova/rootwrap.conf +++ b/etc/nova/rootwrap.conf @@ -10,7 +10,7 @@ filters_path=/etc/nova/rootwrap.d,/usr/share/nova/rootwrap # explicitly specify a full path (separated by ',') # If not specified, defaults to system PATH environment variable. # These directories MUST all be only writeable by root ! -exec_dirs=/sbin,/usr/sbin,/bin,/usr/bin +exec_dirs=/sbin,/usr/sbin,/bin,/usr/bin,/usr/local/sbin,/usr/local/bin # Enable logging to syslog # Default value is False