Fix writable rootwrap/privsep config
Fixes a hypothetical security issue related to privilege escalation via rootwrap/privsep. A potential vulnerable service could previously allow writes to its rootwrap/privsep config and thus allow for more commands to be run with root privileges via rootwrap/privsep. For a succesful attack, this would also require the service to allow to run arbitrary commands via rootwrap/privsep. Thus far, no such vulnerabilities have been reported and thus this fix is simply strengthening the container images against such an issue in the future. Change-Id: I92c81c77e6a16570a108cde8031f7977930fb02a Closes-Bug: #1874298
This commit is contained in:
Radosław Piliszek
parent
b8a352647d
commit
2daf4331a6
|
|
@ -28,7 +28,6 @@ RUN ln -s aodh-base-source/* aodh \
|
|||
&& {{ macros.install_pip(aodh_base_pip_packages | customizable("pip_packages")) }} \
|
||||
&& mkdir -p /etc/aodh /var/www/cgi-bin/aodh \
|
||||
&& cp /aodh/aodh/api/app.wsgi /var/www/cgi-bin/aodh \
|
||||
&& chown -R aodh: /etc/aodh /var/www/cgi-bin/aodh \
|
||||
&& chmod 750 /etc/sudoers.d \
|
||||
&& chmod 640 /etc/sudoers.d/kolla_aodh_sudoers \
|
||||
&& chmod 755 /var/www/cgi-bin/aodh \
|
||||
|
|
|
|||
|
|
@ -33,7 +33,6 @@ RUN ln -s barbican-base-source/* barbican \
|
|||
&& {{ macros.install_pip(barbican_base_pip_packages | customizable("pip_packages")) }} \
|
||||
&& mkdir -p /etc/barbican \
|
||||
&& cp -r /barbican/etc/barbican/* /etc/barbican/ \
|
||||
&& chown -R barbican: /etc/barbican \
|
||||
&& chmod 750 /etc/sudoers.d \
|
||||
&& chmod 640 /etc/sudoers.d/kolla_barbican_sudoers \
|
||||
&& touch /usr/local/bin/kolla_barbican_extend_start \
|
||||
|
|
|
|||
|
|
@ -21,7 +21,6 @@ RUN ln -s blazar-base-source/* blazar \
|
|||
&& {{ macros.install_pip(blazar_base_pip_packages | customizable("pip_packages")) }} \
|
||||
&& mkdir -p /etc/blazar \
|
||||
&& cp -r /blazar/etc/blazar/* /etc/blazar \
|
||||
&& chown -R blazar: /etc/blazar \
|
||||
&& touch /usr/local/bin/kolla_blazar_extend_start \
|
||||
&& chmod 644 /usr/local/bin/kolla_extend_start /usr/local/bin/kolla_blazar_extend_start
|
||||
|
||||
|
|
|
|||
|
|
@ -29,7 +29,6 @@ RUN ln -s ceilometer-base-source/* ceilometer \
|
|||
&& {{ macros.install_pip(ceilometer_base_pip_packages | customizable("pip_packages")) }} \
|
||||
&& mkdir -p /etc/ceilometer \
|
||||
&& cp -r /ceilometer/etc/ceilometer/* /etc/ceilometer/ \
|
||||
&& chown -R ceilometer: /etc/ceilometer \
|
||||
&& sed -i 's|^exec_dirs.*|exec_dirs=/var/lib/kolla/venv/bin,/sbin,/usr/sbin,/bin,/usr/bin,/usr/local/bin,/usr/local/sbin|g' /etc/ceilometer/rootwrap.conf \
|
||||
&& if [ "$(ls /plugins)" ]; then \
|
||||
{{ macros.install_pip(ceilometer_base_plugins_pip_packages) }}; \
|
||||
|
|
|
|||
|
|
@ -17,7 +17,6 @@ COPY extend_start.sh /usr/local/bin/kolla_cinder_extend_start
|
|||
RUN mkdir -p /var/www/cgi-bin/cinder \
|
||||
&& cp -a /var/lib/kolla/venv/bin/cinder-wsgi /var/www/cgi-bin/cinder/cinder-wsgi \
|
||||
&& chmod 644 /usr/local/bin/kolla_cinder_extend_start \
|
||||
&& chown -R cinder: /var/www/cgi-bin/cinder \
|
||||
&& chmod 755 /var/www/cgi-bin/cinder/cinder-wsgi
|
||||
|
||||
{% block cinder_api_footer %}{% endblock %}
|
||||
|
|
|
|||
|
|
@ -44,7 +44,6 @@ RUN ln -s cinder-base-source/* cinder \
|
|||
&& {{ macros.install_pip(cinder_base_pip_packages | customizable("pip_packages")) }} \
|
||||
&& mkdir -p /etc/cinder \
|
||||
&& cp -r /cinder/etc/cinder/* /etc/cinder/ \
|
||||
&& chown -R cinder: /etc/cinder \
|
||||
&& sed -i 's|^exec_dirs.*|exec_dirs=/var/lib/kolla/venv/bin,/sbin,/usr/sbin,/bin,/usr/bin,/usr/local/bin,/usr/local/sbin|g' /etc/cinder/rootwrap.conf \
|
||||
&& chmod 750 /etc/sudoers.d \
|
||||
&& chmod 440 /etc/sudoers.d/kolla_cinder_sudoers \
|
||||
|
|
|
|||
|
|
@ -21,7 +21,6 @@ RUN ln -s cloudkitty-base-source/* cloudkitty \
|
|||
&& {{ macros.install_pip(cloudkitty_base_pip_packages | customizable("pip_packages")) }} \
|
||||
&& mkdir -p /etc/cloudkitty \
|
||||
&& cp -r /cloudkitty/etc/cloudkitty/* /etc/cloudkitty/ \
|
||||
&& chown -R cloudkitty: /etc/cloudkitty \
|
||||
&& touch /usr/local/bin/kolla_cloudkitty_extend_start \
|
||||
&& chmod 644 /usr/local/bin/kolla_extend_start /usr/local/bin/kolla_cloudkitty_extend_start
|
||||
|
||||
|
|
|
|||
|
|
@ -71,7 +71,6 @@ LABEL maintainer="{{ maintainer }}" name="{{ image_name }}" build-date="{{ build
|
|||
COPY extend_start.sh /usr/local/bin/kolla_extend_start
|
||||
RUN chmod 644 /usr/local/bin/kolla_extend_start \
|
||||
&& chown -R collectd /var/lib/collectd \
|
||||
&& chown -R collectd /etc/collectd* \
|
||||
&& chown -R collectd /var/run/
|
||||
|
||||
{% block collectd_footer %}{% endblock %}
|
||||
|
|
|
|||
|
|
@ -23,7 +23,6 @@ RUN ln -s designate-base-source/* designate \
|
|||
&& mkdir -p /etc/designate \
|
||||
&& cp -r /designate/etc/designate/* /etc/designate/ \
|
||||
&& mv /etc/designate/rootwrap.conf.sample /etc/designate/rootwrap.conf \
|
||||
&& chown -R designate: /etc/designate \
|
||||
&& sed -i 's|^exec_dirs.*|exec_dirs=/var/lib/kolla/venv/bin,/sbin,/usr/sbin,/bin,/usr/bin,/usr/local/bin,/usr/local/sbin|g' /etc/designate/rootwrap.conf \
|
||||
&& chmod 750 /etc/sudoers.d \
|
||||
&& chmod 640 /etc/sudoers.d/kolla_designate_sudoers \
|
||||
|
|
|
|||
|
|
@ -35,7 +35,6 @@ COPY extend_start.sh /usr/local/bin/kolla_extend_start
|
|||
RUN {{ macros.install_pip(['pip', 'wheel', 'setuptools'], constraints=false) }} \
|
||||
&& {{ macros.install_pip(elasticsearch_curator_pip_packages | customizable("pip_packages"), constraints=false) }} \
|
||||
&& mkdir -p /etc/elasticsearch-curator \
|
||||
&& chown -R elasticsearch: /etc/elasticsearch-curator \
|
||||
&& chmod 644 /usr/local/bin/kolla_extend_start
|
||||
|
||||
{% block elasticsearch_curator_base_footer %}{% endblock %}
|
||||
|
|
|
|||
|
|
@ -43,7 +43,7 @@ COPY extend_start.sh /usr/local/bin/kolla_extend_start
|
|||
&& chmod 440 /etc/sudoers.d/kolla_fluentd_sudoers \
|
||||
&& mkdir -p /etc/{{ fluentd_user }} \
|
||||
&& mkdir -p /var/run/{{ fluentd_user }} \
|
||||
&& chown -R {{ fluentd_user }}: /etc/{{ fluentd_user }} /var/run/{{ fluentd_user }} \
|
||||
&& chown -R {{ fluentd_user }}: /var/run/{{ fluentd_user }} \
|
||||
&& chmod 644 /usr/local/bin/kolla_extend_start
|
||||
|
||||
{% block fluentd_plugins_install %}
|
||||
|
|
|
|||
|
|
@ -27,7 +27,6 @@ COPY extend_start.sh /usr/local/bin/kolla_extend_start
|
|||
|
||||
RUN ln -s freezer-base-source/* freezer \
|
||||
&& mkdir -p /etc/freezer \
|
||||
&& chown -R freezer: /etc/freezer \
|
||||
&& {{ macros.install_pip(freezer_base_pip_packages | customizable("pip_packages")) }} \
|
||||
&& cp -r /freezer/etc/* /etc/freezer \
|
||||
&& chmod 750 /etc/sudoers.d \
|
||||
|
|
|
|||
|
|
@ -41,7 +41,6 @@ RUN ln -s glance-base-source/* glance \
|
|||
&& {{ macros.install_pip(glance_base_pip_packages | customizable("pip_packages")) }} \
|
||||
&& mkdir -p /etc/glance \
|
||||
&& cp -r /glance/etc/* /etc/glance/ \
|
||||
&& chown -R glance: /etc/glance \
|
||||
&& sed -i 's|^exec_dirs.*|exec_dirs=/var/lib/kolla/venv/bin,/sbin,/usr/sbin,/bin,/usr/bin,/usr/local/bin,/usr/local/sbin|g' /etc/glance/rootwrap.conf \
|
||||
&& chmod 750 /etc/sudoers.d \
|
||||
&& chmod 440 /etc/sudoers.d/kolla_glance_sudoers \
|
||||
|
|
|
|||
|
|
@ -44,7 +44,6 @@ COPY gnocchi_sudoers /etc/sudoers.d/kolla_gnocchi_sudoers
|
|||
RUN ln -s gnocchi-base-source/* gnocchi \
|
||||
&& {{ macros.install_pip(gnocchi_base_pip_packages | customizable("pip_packages")) }} \
|
||||
&& mkdir -p /etc/gnocchi \
|
||||
&& chown -R gnocchi: /etc/gnocchi \
|
||||
&& chmod 750 /etc/sudoers.d \
|
||||
&& chmod 640 /etc/sudoers.d/kolla_gnocchi_sudoers \
|
||||
&& touch /usr/local/bin/kolla_gnocchi_extend_start \
|
||||
|
|
|
|||
|
|
@ -27,7 +27,6 @@ RUN ln -s heat-base-source/* heat \
|
|||
&& {{ macros.install_pip(heat_base_pip_packages | customizable("pip_packages")) }} \
|
||||
&& mkdir -p /etc/heat \
|
||||
&& cp -r /heat/etc/heat/* /etc/heat/ \
|
||||
&& chown -R heat: /etc/heat \
|
||||
&& touch /usr/local/bin/kolla_heat_extend_start \
|
||||
&& chmod 644 /usr/local/bin/kolla_extend_start /usr/local/bin/kolla_heat_extend_start
|
||||
|
||||
|
|
|
|||
|
|
@ -59,7 +59,6 @@ RUN ln -s horizon-source/* horizon \
|
|||
&& for locale in /var/lib/kolla/venv/lib/python{{distro_python_version}}/site-packages/*/locale; do \
|
||||
(cd ${locale%/*} && /var/lib/kolla/venv/bin/django-admin compilemessages) \
|
||||
done \
|
||||
&& chown -R horizon: /etc/openstack-dashboard \
|
||||
&& chmod 644 /usr/local/bin/kolla_extend_start
|
||||
|
||||
{% block horizon_footer %}{% endblock %}
|
||||
|
|
|
|||
|
|
@ -36,7 +36,7 @@ RUN ln -s ironic-inspector-source/* ironic-inspector \
|
|||
&& chmod 440 /etc/sudoers.d/kolla_ironic_inspector_sudoers \
|
||||
&& chmod 644 /usr/local/bin/kolla_extend_start \
|
||||
&& mkdir -p /var/lib/ironic-inspector/dhcp-hostsdir \
|
||||
&& chown -R ironic-inspector: /etc/ironic-inspector /var/lib/ironic-inspector
|
||||
&& chown -R ironic-inspector: /var/lib/ironic-inspector
|
||||
|
||||
{% block ironic_inspector_footer %}{% endblock %}
|
||||
{% block footer %}{% endblock %}
|
||||
|
|
|
|||
|
|
@ -22,12 +22,10 @@ RUN ln -s ironic-base-source/* ironic \
|
|||
&& {{ macros.install_pip(ironic_base_pip_packages | customizable("pip_packages")) }} \
|
||||
&& mkdir -p /etc/ironic \
|
||||
&& cp -r /var/lib/kolla/venv/etc/ironic/* /etc/ironic/ \
|
||||
&& chown -R ironic: /etc/ironic \
|
||||
&& sed -i 's|^exec_dirs.*|exec_dirs=/var/lib/kolla/venv/bin,/sbin,/usr/sbin,/bin,/usr/bin,/usr/local/bin,/usr/local/sbin|g' /etc/ironic/rootwrap.conf \
|
||||
&& chmod 750 /etc/sudoers.d \
|
||||
&& chmod 440 /etc/sudoers.d/kolla_ironic_sudoers \
|
||||
&& touch /usr/local/bin/kolla_ironic_extend_start \
|
||||
&& chmod 644 /usr/local/bin/kolla_extend_start /usr/local/bin/kolla_ironic_extend_start \
|
||||
&& chown -R ironic: /etc/ironic
|
||||
&& chmod 644 /usr/local/bin/kolla_extend_start /usr/local/bin/kolla_ironic_extend_start
|
||||
|
||||
{% block ironic_base_footer %}{% endblock %}
|
||||
|
|
|
|||
|
|
@ -39,11 +39,9 @@ RUN ln -s keystone-base-source/* keystone \
|
|||
&& mkdir -p /etc/keystone /var/www/cgi-bin/keystone \
|
||||
&& cp -r /keystone/etc/* /etc/keystone/ \
|
||||
&& cp /var/lib/kolla/venv/bin/keystone-wsgi-admin /var/www/cgi-bin/keystone/admin \
|
||||
&& cp /var/lib/kolla/venv/bin/keystone-wsgi-public /var/www/cgi-bin/keystone/main \
|
||||
&& chown -R keystone: /etc/keystone /var/www/cgi-bin/keystone
|
||||
&& cp /var/lib/kolla/venv/bin/keystone-wsgi-public /var/www/cgi-bin/keystone/main
|
||||
{% endblock %}
|
||||
|
||||
RUN chown -R keystone: /var/www/cgi-bin/keystone \
|
||||
&& chmod 755 /var/www/cgi-bin/keystone/*
|
||||
RUN chmod 755 /var/www/cgi-bin/keystone/*
|
||||
|
||||
{% block keystone_base_footer %}{% endblock %}
|
||||
|
|
|
|||
|
|
@ -23,7 +23,6 @@ RUN ln -s kuryr-base-source/* kuryr-base \
|
|||
&& sed -i 's|^kuryr-lib===.*$||g' requirements/upper-constraints.txt \
|
||||
&& {{ macros.install_pip(kuryr_base_pip_packages | customizable("pip_packages")) }} \
|
||||
&& mkdir -p /etc/kuryr \
|
||||
&& chown -R kuryr: /etc/kuryr \
|
||||
&& chmod 644 /usr/local/bin/kolla_extend_start
|
||||
|
||||
{% block kuryr_base_footer %}{% endblock %}
|
||||
|
|
|
|||
|
|
@ -22,7 +22,6 @@ RUN ln -s magnum-base-source/* magnum \
|
|||
&& mkdir -p /etc/magnum \
|
||||
&& cp -r /magnum/etc/magnum/* /etc/magnum \
|
||||
&& mv /etc/magnum/keystone_auth_default_policy.sample /etc/magnum/keystone_auth_default_policy.json \
|
||||
&& chown -R magnum: /etc/magnum \
|
||||
&& touch /usr/local/bin/kolla_magnum_extend_start \
|
||||
&& chmod 644 /usr/local/bin/kolla_extend_start /usr/local/bin/kolla_magnum_extend_start
|
||||
|
||||
|
|
|
|||
|
|
@ -16,7 +16,6 @@ COPY extend_start.sh /usr/local/bin/kolla_manila_extend_start
|
|||
RUN mkdir -p /var/www/cgi-bin/manila \
|
||||
&& cp -a /var/lib/kolla/venv/bin/manila-wsgi /var/www/cgi-bin/manila/manila-wsgi \
|
||||
&& chmod 644 /usr/local/bin/kolla_manila_extend_start \
|
||||
&& chown -R manila: /var/www/cgi-bin/manila \
|
||||
&& chmod 755 /var/www/cgi-bin/manila/manila-wsgi
|
||||
|
||||
{% block manila_api_footer %}{% endblock %}
|
||||
|
|
|
|||
|
|
@ -35,7 +35,7 @@ RUN ln -s manila-base-source/* manila \
|
|||
&& {{ macros.install_pip(manila_base_pip_packages | customizable("pip_packages")) }} \
|
||||
&& mkdir -p /etc/manila /var/cache/manila \
|
||||
&& cp -r /manila/etc/manila/* /etc/manila/ \
|
||||
&& chown -R manila: /etc/manila /var/cache/manila \
|
||||
&& chown -R manila: /var/cache/manila \
|
||||
&& sed -i 's|^exec_dirs.*|exec_dirs=/var/lib/kolla/venv/bin,/sbin,/usr/sbin,/bin,/usr/bin,/usr/local/bin,/usr/local/sbin|g' /etc/manila/rootwrap.conf \
|
||||
&& chmod 750 /etc/sudoers.d \
|
||||
&& chmod 440 /etc/sudoers.d/kolla_manila_sudoers \
|
||||
|
|
|
|||
|
|
@ -35,7 +35,6 @@ RUN ln -s masakari-base-source/* masakari \
|
|||
&& {{ macros.install_pip(masakari_base_pip_packages | customizable("pip_packages")) }} \
|
||||
&& mkdir -p /etc/masakari /var/www/cgi-bin/masakari \
|
||||
&& cp -r /masakari/etc/masakari/* /etc/masakari/ \
|
||||
&& chown -R masakari: /etc/masakari /var/www/cgi-bin/masakari \
|
||||
&& chmod 755 /var/www/cgi-bin/masakari \
|
||||
&& touch /usr/local/bin/kolla_masakari_extend_start \
|
||||
&& chmod 644 /usr/local/bin/kolla_extend_start /usr/local/bin/kolla_masakari_extend_start
|
||||
|
|
|
|||
|
|
@ -44,7 +44,6 @@ COPY masakari_monitors_sudoers /etc/sudoers.d/kolla_masakari_monitors_sudoers
|
|||
RUN ln -s masakari-monitors-source/* masakari-monitors \
|
||||
&& {{ macros.install_pip(masakari_monitors_pip_packages | customizable("pip_packages")) }} \
|
||||
&& mkdir -p /etc/masakari-monitors \
|
||||
&& chown -R masakari: /etc/masakari-monitors \
|
||||
&& chmod 750 /etc/sudoers.d \
|
||||
&& chmod 640 /etc/sudoers.d/kolla_masakari_monitors_sudoers
|
||||
|
||||
|
|
|
|||
|
|
@ -27,7 +27,6 @@ RUN ln -s mistral-base-source/* mistral \
|
|||
&& {{ macros.install_pip(mistral_base_pip_packages | customizable("pip_packages")) }} \
|
||||
&& mkdir -p /etc/mistral \
|
||||
&& cp -r /mistral/etc/* /etc/mistral/ \
|
||||
&& chown -R mistral: /etc/mistral \
|
||||
&& if [ "$(ls /plugins)" ]; then \
|
||||
{{ macros.install_pip(mistral_base_plugins_pip_packages) }}; \
|
||||
fi \
|
||||
|
|
|
|||
|
|
@ -27,8 +27,7 @@ LABEL maintainer="{{ maintainer }}" name="{{ image_name }}" build-date="{{ build
|
|||
] %}
|
||||
|
||||
RUN {{ macros.install_pip(monasca_base_pip_packages | customizable("pip_packages")) }} \
|
||||
&& mkdir -p /etc/monasca \
|
||||
&& chown -R monasca: /etc/monasca
|
||||
&& mkdir -p /etc/monasca
|
||||
{% endblock %}
|
||||
|
||||
COPY extend_start.sh /usr/local/bin/kolla_extend_start
|
||||
|
|
|
|||
|
|
@ -21,7 +21,6 @@ RUN ln -s murano-base-source/* murano \
|
|||
&& {{ macros.install_pip(murano_base_pip_packages | customizable("pip_packages")) }} \
|
||||
&& mkdir -p /etc/murano \
|
||||
&& cp -r /murano/etc/murano/* /etc/murano/ \
|
||||
&& chown -R murano: /etc/murano \
|
||||
&& cd murano/meta/io.murano \
|
||||
&& zip -r /io.murano.zip * \
|
||||
&& cd /murano/meta/io.murano.applications \
|
||||
|
|
|
|||
|
|
@ -73,7 +73,6 @@ RUN ln -s neutron-base-source/* neutron \
|
|||
&& cp -r /neutron/etc/* /etc/neutron/ \
|
||||
&& cp -r /neutron/etc/neutron/* /etc/neutron/ \
|
||||
&& mv /etc/neutron/neutron/ /etc/neutron/plugins/ \
|
||||
&& chown -R neutron: /etc/neutron \
|
||||
&& sed -i 's|^exec_dirs.*|exec_dirs=/var/lib/kolla/venv/bin,/sbin,/usr/sbin,/bin,/usr/bin,/usr/local/bin,/usr/local/sbin|g' /etc/neutron/rootwrap.conf \
|
||||
&& if [ "$(ls /plugins)" ]; then \
|
||||
{{ macros.install_pip(neutron_base_plugins_pip_packages) }} \
|
||||
|
|
|
|||
|
|
@ -70,7 +70,6 @@ RUN ln -s nova-base-source/* nova \
|
|||
&& {{ macros.install_pip(nova_base_pip_packages | customizable("pip_packages")) }} \
|
||||
&& mkdir -p /etc/nova/ \
|
||||
&& cp -r /nova/etc/nova/* /etc/nova/ \
|
||||
&& chown -R nova: /etc/nova/ \
|
||||
&& sed -i 's|^exec_dirs.*|exec_dirs=/var/lib/kolla/venv/bin,/sbin,/usr/sbin,/bin,/usr/bin,/usr/local/bin,/usr/local/sbin|g' /etc/nova/rootwrap.conf \
|
||||
&& if [ "$(ls /plugins)" ]; then \
|
||||
{{ macros.install_pip(nova_base_plugins_pip_packages) }}; \
|
||||
|
|
|
|||
|
|
@ -28,7 +28,6 @@ RUN ln -s /octavia-base-source/* octavia \
|
|||
&& {{ macros.install_pip(octavia_base_pip_packages | customizable("pip_packages")) }} \
|
||||
&& mkdir -p /etc/octavia \
|
||||
&& cp -r /octavia/etc/* /etc/octavia/ \
|
||||
&& chown -R octavia: /etc/octavia \
|
||||
&& touch /usr/local/bin/kolla_octavia_extend_start \
|
||||
&& chmod 644 /usr/local/bin/kolla_extend_start /usr/local/bin/kolla_octavia_extend_start
|
||||
|
||||
|
|
|
|||
|
|
@ -36,7 +36,6 @@ RUN ln -s placement-base-source/* placement \
|
|||
&& {{ macros.install_pip(placement_base_pip_packages | customizable("pip_packages")) }} \
|
||||
&& mkdir -p /etc/placement/ \
|
||||
&& cp -r /placement/etc/placement/* /etc/placement/ \
|
||||
&& chown -R placement: /etc/placement/ \
|
||||
&& touch /usr/local/bin/kolla_placement_extend_start \
|
||||
&& chmod 644 /usr/local/bin/kolla_extend_start /usr/local/bin/kolla_placement_extend_start
|
||||
|
||||
|
|
|
|||
|
|
@ -36,7 +36,6 @@ RUN ln -s sahara-base-source/* sahara \
|
|||
fi \
|
||||
&& mkdir -p /etc/sahara \
|
||||
&& cp -r /sahara/etc/sahara/* /etc/sahara/ \
|
||||
&& chown -R sahara: /etc/sahara \
|
||||
&& sed -i 's|^exec_dirs.*|exec_dirs=/var/lib/kolla/venv/bin,/sbin,/usr/sbin,/bin,/usr/bin,/usr/local/bin,/usr/local/sbin|g' /etc/sahara/rootwrap.conf \
|
||||
&& chmod 750 /etc/sudoers.d \
|
||||
&& chmod 640 /etc/sudoers.d/kolla_sahara_sudoers \
|
||||
|
|
|
|||
|
|
@ -21,7 +21,6 @@ RUN ln -s senlin-base-source/* senlin \
|
|||
&& {{ macros.install_pip(senlin_base_pip_packages | customizable("pip_packages")) }} \
|
||||
&& mkdir -p /etc/senlin \
|
||||
&& cp -r /senlin/etc/senlin/* /etc/senlin \
|
||||
&& chown -R senlin: /etc/senlin \
|
||||
&& touch /usr/local/bin/kolla_senlin_extend_start \
|
||||
&& chmod 644 /usr/local/bin/kolla_extend_start /usr/local/bin/kolla_senlin_extend_start
|
||||
|
||||
|
|
|
|||
|
|
@ -21,7 +21,6 @@ RUN ln -s solum-base-source/* solum \
|
|||
&& {{ macros.install_pip(solum_base_pip_packages | customizable("pip_packages")) }} \
|
||||
&& mkdir -p /etc/solum \
|
||||
&& cp -r /solum/etc/solum/* /etc/solum/ \
|
||||
&& chown -R solum: /etc/solum \
|
||||
&& touch /usr/local/bin/kolla_solum_extend_start \
|
||||
&& chmod 644 /usr/local/bin/kolla_extend_start /usr/local/bin/kolla_solum_extend_start
|
||||
|
||||
|
|
|
|||
|
|
@ -38,7 +38,7 @@ RUN ln -s swift-base-source/* swift \
|
|||
&& {{ macros.install_pip(swift_base_pip_packages | customizable("pip_packages")) }} \
|
||||
&& mkdir -p /etc/swift /var/cache/swift /var/lock/swift \
|
||||
&& cp -r /swift/etc/* /etc/swift/ \
|
||||
&& chown -R swift: /etc/swift /var/cache/swift /var/lock/swift \
|
||||
&& chown -R swift: /var/cache/swift /var/lock/swift \
|
||||
&& chmod 755 /var/lib/kolla/venv/bin/swift-rootwrap \
|
||||
&& chmod 644 /etc/swift/rootwrap.conf \
|
||||
&& sed -i 's|^exec_dirs.*|exec_dirs=/var/lib/kolla/venv/bin,/sbin,/usr/sbin,/bin,/usr/bin,/usr/local/bin,/usr/local/sbin|g' /etc/swift/rootwrap.conf \
|
||||
|
|
|
|||
|
|
@ -27,7 +27,6 @@ RUN ln -s tacker-base-source/* tacker \
|
|||
&& {{ macros.install_pip(tacker_base_pip_packages | customizable("pip_packages")) }} \
|
||||
&& mkdir -p /etc/tacker \
|
||||
&& cp -r /tacker/etc/tacker/* /etc/tacker \
|
||||
&& chown -R tacker: /etc/tacker \
|
||||
&& if [ "$(ls /plugins)" ]; then \
|
||||
{{ macros.install_pip(tacker_base_plugins_pip_packages) }}; \
|
||||
fi \
|
||||
|
|
|
|||
|
|
@ -21,7 +21,6 @@ RUN ln -s trove-base-source/* trove \
|
|||
&& {{ macros.install_pip(trove_base_pip_packages | customizable("pip_packages")) }} \
|
||||
&& mkdir -p /etc/trove \
|
||||
&& cp -r /trove/etc/trove/* /etc/trove/ \
|
||||
&& chown -R trove: /etc/trove \
|
||||
&& touch /usr/local/bin/kolla_trove_extend_start \
|
||||
&& chmod 644 /usr/local/bin/kolla_extend_start /usr/local/bin/kolla_trove_extend_start
|
||||
|
||||
|
|
|
|||
|
|
@ -21,7 +21,6 @@ RUN ln -s venus-base-source/* venus \
|
|||
&& {{ macros.install_pip(venus_base_pip_packages | customizable("pip_packages")) }} \
|
||||
&& mkdir -p /etc/venus \
|
||||
&& cp -r /venus/etc/venus/* /etc/venus/ \
|
||||
&& chown -R venus: /etc/venus \
|
||||
&& touch /usr/local/bin/kolla_venus_extend_start \
|
||||
&& chmod 644 /usr/local/bin/kolla_extend_start /usr/local/bin/kolla_venus_extend_start
|
||||
|
||||
|
|
|
|||
|
|
@ -35,7 +35,6 @@ RUN ln -s vitrage-base-source/* vitrage \
|
|||
&& mkdir -p /etc/vitrage /var/www/cgi-bin/vitrage \
|
||||
&& cp -r /vitrage/etc/vitrage/* /etc/vitrage/ \
|
||||
&& cp /vitrage/vitrage/api/app.wsgi /var/www/cgi-bin/vitrage \
|
||||
&& chown -R vitrage: /etc/vitrage /var/www/cgi-bin/vitrage \
|
||||
&& touch /usr/local/bin/kolla_vitrage_extend_start \
|
||||
&& chmod 644 /usr/local/bin/kolla_extend_start /usr/local/bin/kolla_vitrage_extend_start
|
||||
|
||||
|
|
|
|||
|
|
@ -21,7 +21,6 @@ RUN ln -s watcher-base-source/* watcher \
|
|||
&& {{ macros.install_pip(watcher_base_pip_packages | customizable("pip_packages")) }} \
|
||||
&& mkdir -p /etc/watcher \
|
||||
&& cp -r /watcher/etc/watcher/* /etc/watcher/ \
|
||||
&& chown -R watcher: /etc/watcher \
|
||||
&& touch /usr/local/bin/kolla_watcher_extend_start \
|
||||
&& chmod 644 /usr/local/bin/kolla_extend_start /usr/local/bin/kolla_watcher_extend_start
|
||||
|
||||
|
|
|
|||
|
|
@ -43,7 +43,6 @@ RUN ln -s zun-base-source/* zun \
|
|||
&& mkdir -p /etc/zun /var/www/cgi-bin/zun \
|
||||
&& cp -r /zun/etc/zun/* /etc/zun/ \
|
||||
&& cp /zun/zun/api/app.wsgi /var/www/cgi-bin/zun \
|
||||
&& chown -R zun: /etc/zun /var/www/cgi-bin/zun \
|
||||
&& sed -i 's|^exec_dirs.*|exec_dirs=/var/lib/kolla/venv/bin,/sbin,/usr/sbin,/bin,/usr/bin,/usr/local/bin,/usr/local/sbin|g' /etc/zun/rootwrap.conf \
|
||||
&& chmod 750 /etc/sudoers.d \
|
||||
&& chmod 640 /etc/sudoers.d/kolla_zun_sudoers \
|
||||
|
|
|
|||
|
|
@ -0,0 +1,12 @@
|
|||
---
|
||||
security:
|
||||
- |
|
||||
Fixes a hypothetical security issue related to privilege escalation via
|
||||
rootwrap/privsep. A potential vulnerable service could previously allow
|
||||
writes to its rootwrap/privsep config and thus allow for more commands
|
||||
to be run with root privileges via rootwrap/privsep. For a succesful
|
||||
attack, this would also require the service to allow to run arbitrary
|
||||
commands via rootwrap/privsep. Thus far, no such vulnerabilities have
|
||||
been reported and thus this fix is simply strengthening the container
|
||||
images against such an issue in the future.
|
||||
`LP#1874298 <https://launchpad.net/bugs/1874298>`__
|
||||
Loading…
Reference in New Issue