1192641 – Harden rootwrap config

Bug 1192641 - Harden rootwrap config

Summary: Harden rootwrap config

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat OpenStack
Classification:	Red Hat
Component:	openstack-cinder
Sub Component:
Version:	7.0 (Kilo)
Hardware:	Unspecified
OS:	Unspecified
Priority:	high
Severity:	unspecified
Target Milestone:	ga
Target Release:	8.0 (Liberty)
Assignee:	Eric Harney
QA Contact:	lkuchlan
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2015-02-13 22:30 UTC by Eric Harney
Modified:	2016-04-27 02:47 UTC (History)
CC List:	8 users (show)
Fixed In Version:	openstack-cinder-7.0.1-2.el7ost
Doc Type:	Enhancement
Doc Text:	With this release, in order to provide security isolation, the '/usr/local' path has been removed from the default Block Storage rootwrap configuration. As a result, the deployments relying on Block Storage service executing commands from the '/usr/local/' as the 'root' user will need to add configuration for the commands to work.
Clone Of:
Environment:
Last Closed:	2016-04-07 21:00:37 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHEA-2016:0603	0	normal	SHIPPED_LIVE	Red Hat OpenStack Platform 8 Enhancement Advisory	2016-04-08 00:53:53 UTC

Description Eric Harney 2015-02-13 22:30:03 UTC

Cinder upstream in Kilo has added paths /usr/local/bin and /usr/local/sbin to the rootwrap exec_paths in the default config.  We should remove these from the config shipped with RHOS Cinder as a security hardening measure and document how customers can add this if really needed.

Comment 7 lkuchlan 2016-01-25 14:31:38 UTC

Tested using:
python-cinder-7.0.1-5.el7ost.noarch
openstack-cinder-7.0.1-5.el7ost.noarch
python-cinderclient-1.4.0-1.el7ost.noarch

Results:

The paths /usr/local/bin and /usr/local/sbin have removed from rootwrap exec_paths in the default config

From rootwrap config:

[DEFAULT]
exec_dirs=/sbin,/usr/sbin,/bin,/usr/bin

Comment 9 errata-xmlrpc 2016-04-07 21:00:37 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHEA-2016-0603.html

Note You need to log in before you can comment on or make changes to this bug.