Add /usr/local/{sbin,bin} to rootwrap exec_dirs

Nova [1], Neutron [2,3] and Cinder's [4] rootwrap exec dirs include /usr/local/{sbin,bin} which are a standardised locations for admins to install non-distro executables, and these executables are no less "trustworthy" than /usr/bin and friends. See Neutron and Cinder's rootwrap.conf (and probably others), and typical distro default values for sudoers/secure_path for extremely similar precedents that all include /usr/local/*bin. Brief discussion of doing this via devstack available at [5]. Also, remove absolute paths from existing filters to make this fix useful. [1] I6a0a4b7f952193ce0f4ed2594613188854d36bf1 [2] Ib3646933744ca6b20ecd5ad0cedcedb4f1fa5f12 [3] Id7aebb50e60b1cc64c113be63c599387be5f1765 [4] I577e10df25181c7d4ca8189b10640a8e6e39b047 [5] I710cf142b834381c00e651cfc062299ae755c33f Change-Id: Ie7177778a247a687ced846bb11030cb72344c93f Closes-Bug: #1551956
2016-02-24 01:35:04 +08:00 · 2016-02-24 01:35:04 +08:00 · 71f8d0f3df
commit 71f8d0f3df
parent f81bc489b8
2 changed files with 18 additions and 18 deletions
--- a/etc/manila/rootwrap.conf
+++ b/etc/manila/rootwrap.conf
@ -10,7 +10,7 @@ filters_path=/etc/manila/rootwrap.d,/usr/share/manila/rootwrap
 # explicitely specify a full path (separated by ',')
 # If not specified, defaults to system PATH environment variable.
 # These directories MUST all be only writeable by root !
-exec_dirs=/sbin,/usr/sbin,/bin,/usr/bin,/usr/lpp/mmfs/bin
+exec_dirs=/sbin,/usr/sbin,/bin,/usr/bin,/usr/local/sbin,/usr/local/bin,/usr/lpp/mmfs/bin

 # Enable logging to syslog
 # Default value is False
--- a/etc/manila/rootwrap.d/share.filters
+++ b/etc/manila/rootwrap.d/share.filters
@ -8,17 +8,17 @@ chown: CommandFilter, chown, root
 cat: CommandFilter, cat, root

 # manila/share/drivers/lvm.py: 'mkfs.ext4', '/dev/mapper/%s'
-mkfs.ext4: CommandFilter, /sbin/mkfs.ext4, root
+mkfs.ext4: CommandFilter, mkfs.ext4, root

 # manila/share/drivers/lvm.py: 'mkfs.ext3', '/dev/mapper/%s'
-mkfs.ext3: CommandFilter, /sbin/mkfs.ext3, root
+mkfs.ext3: CommandFilter, mkfs.ext3, root

 # manila/share/drivers/lvm.py: 'smbd', '-s', '%s', '-D'
-smbd: CommandFilter, /usr/sbin/smbd, root
-smb: CommandFilter, /usr/sbin/smb, root
+smbd: CommandFilter, smbd, root
+smb: CommandFilter, smb, root

 # manila/share/drivers/lvm.py: 'rmdir', '%s'
-rmdir: CommandFilter, /bin/rmdir, root
+rmdir: CommandFilter, rmdir, root

 # manila/share/drivers/lvm.py: 'dd' 'count=0', 'if=%s' % srcstr, 'of=%s'
 dd: CommandFilter, dd, root
@ -30,13 +30,13 @@ fsck: CommandFilter, fsck, root
 resize2fs: CommandFilter, resize2fs, root

 # manila/share/drivers/helpers.py: 'smbcontrol', 'all', 'close-share', '%s'
-smbcontrol: CommandFilter, /usr/bin/smbcontrol, root
+smbcontrol: CommandFilter, smbcontrol, root

 # manila/share/drivers/helpers.py: 'net', 'conf', 'addshare', '%s', '%s', 'writeable=y', 'guest_ok=y
 # manila/share/drivers/helpers.py: 'net', 'conf', 'delshare', '%s'
 # manila/share/drivers/helpers.py: 'net', 'conf', 'setparm', '%s', '%s', '%s'
 # manila/share/drivers/helpers.py: 'net', 'conf', 'getparm', '%s', 'hosts allow'
-net: CommandFilter, /usr/bin/net, root
+net: CommandFilter, net, root

 # manila/share/drivers/lvm.py: 'lvremove', '-f', "%s/%s
 lvremove: CommandFilter, lvremove, root
@ -81,23 +81,23 @@ umount: CommandFilter, umount, root

 # GPFS commands
 # manila/share/drivers/ibm/gpfs.py: 'mmgetstate', '-Y'
-mmgetstate: CommandFilter, /usr/lpp/mmfs/bin/mmgetstate, root
+mmgetstate: CommandFilter, mmgetstate, root
 # manila/share/drivers/ibm/gpfs.py: 'mmlsattr', '%s'
-mmlsattr: CommandFilter, /usr/lpp/mmfs/bin/mmlsattr, root
+mmlsattr: CommandFilter, mmlsattr, root
 # manila/share/drivers/ibm/gpfs.py: 'mmcrfileset', '%s', '%s', '--inode-space', 'new'
-mmcrfileset: CommandFilter, /usr/lpp/mmfs/bin/mmcrfileset, root
+mmcrfileset: CommandFilter, mmcrfileset, root
 # manila/share/drivers/ibm/gpfs.py: 'mmlinkfileset', '%s', '%s', '-J', '%s'
-mmlinkfileset: CommandFilter, /usr/lpp/mmfs/bin/mmlinkfileset, root
+mmlinkfileset: CommandFilter, mmlinkfileset, root
 # manila/share/drivers/ibm/gpfs.py: 'mmsetquota', '-j', '%s', '-h', '%s', '%s'
-mmsetquota: CommandFilter, /usr/lpp/mmfs/bin/mmsetquota, root
+mmsetquota: CommandFilter, mmsetquota, root
 # manila/share/drivers/ibm/gpfs.py: 'mmunlinkfileset', '%s', '%s', '-f'
-mmunlinkfileset: CommandFilter, /usr/lpp/mmfs/bin/mmunlinkfileset, root
+mmunlinkfileset: CommandFilter, mmunlinkfileset, root
 # manila/share/drivers/ibm/gpfs.py: 'mmdelfileset', '%s', '%s', '-f'
-mmdelfileset: CommandFilter, /usr/lpp/mmfs/bin/mmdelfileset, root
+mmdelfileset: CommandFilter, mmdelfileset, root
 # manila/share/drivers/ibm/gpfs.py: 'mmcrsnapshot', '%s', '%s', '-j', '%s'
-mmcrsnapshot: CommandFilter, /usr/lpp/mmfs/bin/mmcrsnapshot, root
+mmcrsnapshot: CommandFilter, mmcrsnapshot, root
 # manila/share/drivers/ibm/gpfs.py: 'mmdelsnapshot', '%s', '%s', '-j', '%s'
-mmdelsnapshot: CommandFilter, /usr/lpp/mmfs/bin/mmdelsnapshot, root
+mmdelsnapshot: CommandFilter, mmdelsnapshot, root
 # manila/share/drivers/ibm/gpfs.py: 'rsync', '-rp', '%s', '%s'
 rsync: CommandFilter, rsync, root
 # manila/share/drivers/ibm/gpfs.py: 'exportfs'
@ -147,7 +147,7 @@ zpool: CommandFilter, zpool, root
 zfs: CommandFilter, zfs, root

 # manila/share/drivers/zfsonlinux/driver.py
-nsenter: CommandFilter, /usr/local/bin/nsenter, root
+nsenter: CommandFilter, nsenter, root

 # LXD driver commands
 # manila/share/drivers/lxd.py