Add /usr/local/{sbin,bin} to rootwrap exec_dirs
I noticed that nova, neutron and cinder's rootwrap exec_dirs include /usr/local/{sbin,bin} which is a standardised location for admins to install non-distro executables, and these executables are no less "trustworthy" than /usr/bin and friends.

See neutron and cinder's rootwrap.conf (and probably others), and typical distro default values for sudoers/secure_path for extremely similar precedents that all include /usr/local/*bin.

See the same patch of nova for more information: https://review.openstack.org/#/c/280052/1

And see I710cf142b834381c00e651cfc062299ae755c33f for brief discussion of doing this via devstack before.

Change-Id: I1be8ff63d06424e84ea2b39bc0d285fe95beebb2
parent 7a6b9193e6
commit f26ffd7222
|
@ -10,7 +10,7 @@ filters_path=/etc/astara/rootwrap.d
|
|||
# explicitely specify a full path (separated by ',')
|
||||
# If not specified, defaults to system PATH environment variable.
|
||||
# These directories MUST all be only writeable by root !
|
||||
exec_dirs=/sbin,/usr/sbin,/bin,/usr/bin
|
||||
exec_dirs=/sbin,/usr/sbin,/bin,/usr/bin,/usr/local/sbin,/usr/local/bin
|
||||
|
||||
# Enable logging to syslog
|
||||
# Default value is False
|
||||
|
|
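Review bot: The new exec_dirs value adds /usr/local/sbin and /usr/local/bin, but the comment directly above it still requires that these directories "MUST all be only writeable by root", and nothing in this hunk establishes or documents that for the two new paths. Commands matched by the filters are looked up in every directory on this list and run with root privileges, so on a host where /usr/local/bin or /usr/local/sbin is group-writable this default widens who can influence what runs as root. Suggest extending the comment to name the /usr/local directories and tell deployers to verify their ownership and mode, or stating in the commit message which platforms were checked.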