openstack/nova
Code Issues Proposed changes

Add rootwrap filters for password injection with localfs

Browse Source 
Allow to 'sudo cat' to read passwd and shadow.

bug 1098077

Change-Id: Ic734bd33223df879b5e1f144bb4c85702eb88dfa
This commit is contained in:
Arata Notsu 2013-01-11 18:04:45 +09:00
parent 8143021bdb
commit 72da6199d2
1 changed files with 6 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
etc/nova/rootwrap.d/compute.filters
View File

@ -172,3 +172,9 @@ vgs: CommandFilter, /sbin/vgs, root
# nova/virt/baremetal/volume_driver.py: 'tgtadm', '--lld', 'iscsi', ...
tgtadm: CommandFilter, /usr/sbin/tgtadm, root
# nova/utils.py:read_file_as_root: 'cat', file_path
# (called from nova/virt/disk/vfs/localfs.py:VFSLocalFS.read_file)
read_passwd: RegExpFilter, cat, root, cat, (/var|/usr)?/tmp/openstack-vfs-localfs[^/]+/etc/passwd
read_shadow: RegExpFilter, cat, root, cat, (/var|/usr)?/tmp/openstack-vfs-localfs[^/]+/etc/shadow