Bug 1192641

Summary: Harden rootwrap config
Product: Red Hat OpenStack Reporter: Eric Harney <eharney>
Component: openstack-cinderAssignee: Eric Harney <eharney>
Status: CLOSED ERRATA QA Contact: lkuchlan <lkuchlan>
Severity: unspecified Docs Contact:
Priority: high    
Version: 7.0 (Kilo)CC: dnavale, eharney, gmollett, hguemar, jschluet, scohen, sgotliv, yeylon
Target Milestone: gaKeywords: Security
Target Release: 8.0 (Liberty)   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: openstack-cinder-7.0.1-2.el7ost Doc Type: Enhancement
Doc Text:
With this release, in order to provide security isolation, the '/usr/local' path has been removed from the default Block Storage rootwrap configuration. As a result, the deployments relying on Block Storage service executing commands from the '/usr/local/' as the 'root' user will need to add configuration for the commands to work.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2016-04-07 21:00:37 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Eric Harney 2015-02-13 22:30:03 UTC 
Cinder upstream in Kilo has added paths /usr/local/bin and /usr/local/sbin to the rootwrap exec_paths in the default config.  We should remove these from the config shipped with RHOS Cinder as a security hardening measure and document how customers can add this if really needed.
Comment 7 lkuchlan 2016-01-25 14:31:38 UTC 
Tested using:
python-cinder-7.0.1-5.el7ost.noarch
openstack-cinder-7.0.1-5.el7ost.noarch
python-cinderclient-1.4.0-1.el7ost.noarch

Results:

The paths /usr/local/bin and /usr/local/sbin have removed from rootwrap exec_paths in the default config

From rootwrap config:

[DEFAULT]
exec_dirs=/sbin,/usr/sbin,/bin,/usr/bin
Comment 9 errata-xmlrpc 2016-04-07 21:00:37 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHEA-2016-0603.html