Improving How OpenStack Nova Runs Privileged Commands
OpenStack release manager Thierry Carrez examines OpenStack Nova's current privilege model and how it's being improved with the root_helper option.
Right now, OpenStack uses sudo to escalate privileges when it needs to run a root command. The problem with this, says Thierry, is that sudo doesn't provide a way to filter commands efficiently, so the commands it allows can themselves be used to compromise the system.
"As an example, the current nova_sudoers file contains commands like chown, kill, dd or tee, which are more than enough to compromise a target system completely," says Thierry.
To fix this, Thierry worked on a filter that gives Nova a configurable "root helper." By default this is still sudo, but it could be something else. That "something else" is what Thierry is working on now, and he is taking feedback on it as well.
The primary goals are:
- Provide a command filter that checks arguments as well as commands run.
- Provide a way to run as users other than root when root privileges aren't necessary.
- Separate filters by the type of node running Nova, as not all nodes need to run root commands at all.
Thierry is working on a Python-based implementation of this and is looking for feedback on other necessary features. Are there any other features Thierry should be looking at?
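To make the three goals concrete, here is an added example of what such a root helper's filtering layer could look like in Python. It is not Nova's code and not the filter Thierry is building; the filter class, the node types, the command set and every path pattern are constructed for illustration. It shows a filter that matches arguments as well as the command name, records a non-root account to run as where root is unnecessary, and keeps a separate filter list per node type (an API node gets none):

```python
"""Added example (not Nova's code): a rootwrap-style filter that checks
arguments, drops to a non-root user where possible, and is scoped per node type.
All filter definitions and paths below are constructed for illustration."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple


class FilterNotAllowed(Exception):
    """No filter for this node type accepts the requested command line."""


@dataclass
class RegExpFilter:
    """Allow one executable only when every argument matches its pattern.

    command:      the name the caller passes (argv[0])
    exec_path:    the absolute binary actually executed
    run_as:       the account to run as ("root" only when really needed)
    arg_patterns: one regex per expected argument; the count must match too
    """
    command: str
    exec_path: str
    run_as: str
    arg_patterns: List[str]

    def match(self, argv: List[str]) -> bool:
        if not argv or argv[0] != self.command:
            return False
        args = argv[1:]
        if len(args) != len(self.arg_patterns):
            return False  # extra or missing arguments are never allowed
        return all(re.fullmatch(pat, arg) is not None
                   for pat, arg in zip(self.arg_patterns, args))

    def exec_argv(self, argv: List[str]) -> List[str]:
        return [self.exec_path] + argv[1:]


# A path segment may not start with "." so "..", "." and dotfiles are rejected
# and a path such as .../instances/../../etc/shadow cannot escape the tree.
SEGMENT = r"[A-Za-z0-9_-][A-Za-z0-9_.-]*"
INSTANCE_PATH = rf"/var/lib/nova/instances/{SEGMENT}(/{SEGMENT})*"

# Constructed per-node-type filter sets (hypothetical). An API node runs no
# privileged commands at all, so its set is empty.
FILTERS: Dict[str, List[RegExpFilter]] = {
    "compute": [
        RegExpFilter("chown", "/bin/chown", "root",
                     [r"nova(:nova)?", INSTANCE_PATH]),
        RegExpFilter("kill", "/bin/kill", "root",
                     [r"-(HUP|TERM)", r"[0-9]+"]),
        # writing a console log into the instance tree needs no root at all
        RegExpFilter("tee", "/usr/bin/tee", "nova", [INSTANCE_PATH]),
    ],
    "network": [
        RegExpFilter("ip", "/sbin/ip", "root",
                     [r"link", r"show", SEGMENT]),
    ],
    "api": [],
}


def resolve(node_type: str, argv: List[str]) -> Tuple[List[str], str]:
    """Return (exec argv, user) for the first matching filter, or raise."""
    for flt in FILTERS.get(node_type, []):
        if flt.match(argv):
            return flt.exec_argv(argv), flt.run_as
    raise FilterNotAllowed(f"{node_type}: {' '.join(argv)!r}")


if __name__ == "__main__":
    requests = [
        ("compute", ["chown", "nova:nova", "/var/lib/nova/instances/inst-1/disk"]),
        ("compute", ["chown", "root", "/etc/shadow"]),
        ("compute", ["chown", "nova", "/var/lib/nova/instances/../../../etc/shadow"]),
        ("compute", ["kill", "-TERM", "4242"]),
        ("compute", ["kill", "-KILL", "1"]),
        ("compute", ["tee", "/var/lib/nova/instances/inst-1/console.log"]),
        ("api", ["chown", "nova", "/var/lib/nova/instances/inst-1/disk"]),
    ]
    for node, argv in requests:
        try:
            cmd, user = resolve(node, argv)
            print(f"ALLOW as {user}: {' '.join(cmd)}")
        except FilterNotAllowed as exc:
            print(f"DENY {exc}")
```

The example only decides what to run and as whom; a real helper would then execute the resolved argv after switching to that account. Two points the patterns illustrate: argument filtering is only as strong as the regexes (a path pattern that admits `..` segments would undo the whole check, hence the leading-character rule on `SEGMENT`), and some commands need more than argument matching. The `kill` filter above limits the signal but not the target process; a production filter would also inspect the target before signalling it.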