71f8d0f3df
Nova [1], Neutron [2,3] and Cinder's [4] rootwrap exec dirs include /usr/local/{sbin,bin} which are standardised locations for admins to install non-distro executables, and these executables are no less "trustworthy" than /usr/bin and friends. See Neutron and Cinder's rootwrap.conf (and probably others), and typical distro default values for sudoers/secure_path for extremely similar precedents that all include /usr/local/*bin. Brief discussion of doing this via devstack available at [5]. Also, remove absolute paths from existing filters to make this fix useful. [1] I6a0a4b7f952193ce0f4ed2594613188854d36bf1 [2] Ib3646933744ca6b20ecd5ad0cedcedb4f1fa5f12 [3] Id7aebb50e60b1cc64c113be63c599387be5f1765 [4] I577e10df25181c7d4ca8189b10640a8e6e39b047 [5] I710cf142b834381c00e651cfc062299ae755c33f Change-Id: Ie7177778a247a687ced846bb11030cb72344c93f Closes-Bug: #1551956
# Configuration for manila-rootwrap
# This file should be owned by (and only-writeable by) the root user
[DEFAULT]
# List of directories to load filter definitions from (separated by ',').
# These directories MUST all be only writeable by root !
# Every filter file in these directories defines commands that may run as
# root, so write access to either directory amounts to root access.
# Check ownership and mode of each directory on deployment.
filters_path=/etc/manila/rootwrap.d,/usr/share/manila/rootwrap
# List of directories to search executables in, in case filters do not
# explicitly specify a full path (separated by ',')
# If not specified, defaults to system PATH environment variable.
# These directories MUST all be only writeable by root !
# Security note: a filter that names a command without an absolute path is
# resolved against these directories, so each one widens what can run as root.
# /usr/local/sbin and /usr/local/bin hold admin-installed, non-distro
# executables; /usr/lpp/mmfs/bin is presumably the GPFS tools directory
# (confirm). Verify on every host that each listed directory and its parent
# directories are owned by root and not group- or world-writable.
exec_dirs=/sbin,/usr/sbin,/bin,/usr/bin,/usr/local/sbin,/usr/local/bin,/usr/lpp/mmfs/bin
# Enable logging to syslog
# Default value is False
# With False, rootwrap sends nothing to syslog, so privileged command use
# leaves no syslog audit trail; set to True where that record is required.
use_syslog=False
# Which syslog facility to use.
# Valid values include auth, authpriv, syslog, user0, user1...
# Default value is 'syslog'
# Has an effect only when use_syslog is True.
syslog_log_facility=syslog
# Which messages to log.
# INFO means log all usage
# ERROR means only log unsuccessful attempts
# At ERROR, commands that rootwrap accepted and ran are not logged; use INFO
# to record every invocation. Only relevant when use_syslog is True.
syslog_log_level=ERROR