From 72da6199d233d7bd434e019a2d1b7275804eda3e Mon Sep 17 00:00:00 2001
From: Arata Notsu
Date: Fri, 11 Jan 2013 18:04:45 +0900
Subject: [PATCH] Add rootwrap filters for password injection with localfs

Allow to 'sudo cat' to read passwd and shadow.
bug 1098077
Change-Id: Ic734bd33223df879b5e1f144bb4c85702eb88dfa
---
etc/nova/rootwrap.d/compute.filters | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/etc/nova/rootwrap.d/compute.filters b/etc/nova/rootwrap.d/compute.filters
index f344a1b1c5fe..d64e71053de7 100644
--- a/etc/nova/rootwrap.d/compute.filters
+++ b/etc/nova/rootwrap.d/compute.filters
@@ -172,3 +172,9 @@ vgs: CommandFilter, /sbin/vgs, root
 
 # nova/virt/baremetal/volume_driver.py: 'tgtadm', '--lld', 'iscsi', ...
 tgtadm: CommandFilter, /usr/sbin/tgtadm, root
+
+# nova/utils.py:read_file_as_root: 'cat', file_path
+# (called from nova/virt/disk/vfs/localfs.py:VFSLocalFS.read_file)
+read_passwd: RegExpFilter, cat, root, cat, (/var|/usr)?/tmp/openstack-vfs-localfs[^/]+/etc/passwd
+read_shadow: RegExpFilter, cat, root, cat, (/var|/usr)?/tmp/openstack-vfs-localfs[^/]+/etc/shadow
+
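Review bot: The `read_passwd` and `read_shadow` filters match only the argument string, so root `cat` reads whatever that path resolves to, and nothing in the filter ties the directory under `/tmp` to a mount nova actually created. Because `etc/passwd` and `etc/shadow` sit inside a guest image, a symlink at either name, or a same-named directory in world-writable `/tmp`, could turn this into a root read of a host file; whether `VFSLocalFS.read_file` canonicalises the path before the call is not visible in this hunk. I would record that dependency next to the filters, e.g. `# NOTE: matches the path string only; the caller must resolve symlinks and confine the path to its own mount dir`, and confirm the caller really does so. The `(/var|/usr)?/tmp` prefix also presumably assumes the default temp directory, so a host with a different `TMPDIR` would not match these filters at all.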