openstack/nova - nova - OpenDev: Free Software Needs Free Tools

A more secure root-wrapper alternative Alternative to using a sudoers file to limit which commands can be run as root in Nova. This one makes use of command filters defined in Nova code itself, which can be customized to deeply inspect command arguments before allowing a command to be executed. This change puts the infrastructure in place, together with command filters that replicate the level of filtering provided by a sudoers file (no deep argument inspection yet). An example of an advanced filter (RegExpFilter) is also provided. This new root wrapper is not active by default (root_helper still defaults to "sudo"). Implements blueprint nova-rootwrap. Change-Id: I7ad723b55e9446758876f21b4fbb09374a910425

2011年11月21日 16:28:02 +01:00

#!/usr/bin/env python

# vim: tabstop=4 shiftwidth=4 softtabstop=4

OpenStack capitalization added to HACKING.rst Along with capitalization fixes to comments in code Change-Id: I72ddc582001f80d954ca5a121903c689f40d08d1

2012年08月16日 13:34:17 -05:00

A more secure root-wrapper alternative Alternative to using a sudoers file to limit which commands can be run as root in Nova. This one makes use of command filters defined in Nova code itself, which can be customized to deeply inspect command arguments before allowing a command to be executed. This change puts the infrastructure in place, together with command filters that replicate the level of filtering provided by a sudoers file (no deep argument inspection yet). An example of an advanced filter (RegExpFilter) is also provided. This new root wrapper is not active by default (root_helper still defaults to "sudo"). Implements blueprint nova-rootwrap. Change-Id: I7ad723b55e9446758876f21b4fbb09374a910425

2011年11月21日 16:28:02 +01:00

#

# Licensed under the Apache License, Version 2.0 (the "License"); you may

# not use this file except in compliance with the License. You may obtain

# a copy of the License at

#

# http://www.apache.org/licenses/LICENSE-2.0

#

# Unless required by applicable law or agreed to in writing, software

# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT

# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the

# License for the specific language governing permissions and limitations

# under the License.

"""Root wrapper for Nova

Move rootwrap filters definition to config files Move rootwrap filters definition from being defined within Nova code to being defined in configuration files to facilitate pluging-in new rootwrap commands. Transition notes: * nova-rootwrap now requires an additional (first) parameter pointing to the root-owned rootwrap.conf file, sudoers needs to be updated to specify that ("nova-rootwrap /etc/nova/rootwrap.conf *") * Packagers should ship {compute,network,volume}.filters inside a directory listed in rootwrap.conf rather than shipping nova/rootwrap/{compute,network,volume}.py * Filter definitions now only support strings. The KillFilter (which was using arrays as parameters) was modified and the tests updated. Implements bp nova-rootwrap-pluggable-filters Corresponding devstack change needs to land first, so that tests pass: https://review.openstack.org/8842 Change-Id: I2350154cd8057bd57926ed542de035626f7de37d

2012年06月06日 14:23:24 +02:00

Filters which commands nova is allowed to run as another user.

A more secure root-wrapper alternative Alternative to using a sudoers file to limit which commands can be run as root in Nova. This one makes use of command filters defined in Nova code itself, which can be customized to deeply inspect command arguments before allowing a command to be executed. This change puts the infrastructure in place, together with command filters that replicate the level of filtering provided by a sudoers file (no deep argument inspection yet). An example of an advanced filter (RegExpFilter) is also provided. This new root wrapper is not active by default (root_helper still defaults to "sudo"). Implements blueprint nova-rootwrap. Change-Id: I7ad723b55e9446758876f21b4fbb09374a910425

2011年11月21日 16:28:02 +01:00

Move rootwrap filters definition to config files Move rootwrap filters definition from being defined within Nova code to being defined in configuration files to facilitate pluging-in new rootwrap commands. Transition notes: * nova-rootwrap now requires an additional (first) parameter pointing to the root-owned rootwrap.conf file, sudoers needs to be updated to specify that ("nova-rootwrap /etc/nova/rootwrap.conf *") * Packagers should ship {compute,network,volume}.filters inside a directory listed in rootwrap.conf rather than shipping nova/rootwrap/{compute,network,volume}.py * Filter definitions now only support strings. The KillFilter (which was using arrays as parameters) was modified and the tests updated. Implements bp nova-rootwrap-pluggable-filters Corresponding devstack change needs to land first, so that tests pass: https://review.openstack.org/8842 Change-Id: I2350154cd8057bd57926ed542de035626f7de37d

2012年06月06日 14:23:24 +02:00

To use this, you should set the following in nova.conf:

Deprecate root_helper in favor of rootwrap_config Mark the root_helper option deprecated and introduce usage of the rootwrap_config option instead. The root_helper option will still fully be supported in Folsom, but will be removed in Grizzly. Transition notes: you should replace: root_helper=sudo nova-rootwrap /etc/nova/rootwrap.conf by: rootwrap_config=/etc/nova/rootwrap.conf Implements bp deprecate-root-helper Change-Id: I8dfc94e9b91f7ffc82d393b345f09409da347e78

2012年08月01日 14:44:28 +02:00

rootwrap_config=/etc/nova/rootwrap.conf

Move rootwrap filters definition to config files Move rootwrap filters definition from being defined within Nova code to being defined in configuration files to facilitate pluging-in new rootwrap commands. Transition notes: * nova-rootwrap now requires an additional (first) parameter pointing to the root-owned rootwrap.conf file, sudoers needs to be updated to specify that ("nova-rootwrap /etc/nova/rootwrap.conf *") * Packagers should ship {compute,network,volume}.filters inside a directory listed in rootwrap.conf rather than shipping nova/rootwrap/{compute,network,volume}.py * Filter definitions now only support strings. The KillFilter (which was using arrays as parameters) was modified and the tests updated. Implements bp nova-rootwrap-pluggable-filters Corresponding devstack change needs to land first, so that tests pass: https://review.openstack.org/8842 Change-Id: I2350154cd8057bd57926ed542de035626f7de37d

2012年06月06日 14:23:24 +02:00

You also need to let the nova user run nova-rootwrap as root in sudoers:

nova ALL = (root) NOPASSWD: /usr/bin/nova-rootwrap /etc/nova/rootwrap.conf *

A more secure root-wrapper alternative Alternative to using a sudoers file to limit which commands can be run as root in Nova. This one makes use of command filters defined in Nova code itself, which can be customized to deeply inspect command arguments before allowing a command to be executed. This change puts the infrastructure in place, together with command filters that replicate the level of filtering provided by a sudoers file (no deep argument inspection yet). An example of an advanced filter (RegExpFilter) is also provided. This new root wrapper is not active by default (root_helper still defaults to "sudo"). Implements blueprint nova-rootwrap. Change-Id: I7ad723b55e9446758876f21b4fbb09374a910425

2011年11月21日 16:28:02 +01:00

To make allowed commands node-specific, your packaging should only

Move rootwrap filters definition to config files Move rootwrap filters definition from being defined within Nova code to being defined in configuration files to facilitate pluging-in new rootwrap commands. Transition notes: * nova-rootwrap now requires an additional (first) parameter pointing to the root-owned rootwrap.conf file, sudoers needs to be updated to specify that ("nova-rootwrap /etc/nova/rootwrap.conf *") * Packagers should ship {compute,network,volume}.filters inside a directory listed in rootwrap.conf rather than shipping nova/rootwrap/{compute,network,volume}.py * Filter definitions now only support strings. The KillFilter (which was using arrays as parameters) was modified and the tests updated. Implements bp nova-rootwrap-pluggable-filters Corresponding devstack change needs to land first, so that tests pass: https://review.openstack.org/8842 Change-Id: I2350154cd8057bd57926ed542de035626f7de37d

2012年06月06日 14:23:24 +02:00

install {compute,network,volume}.filters respectively on compute, network

and volume nodes (i.e. nova-api nodes should not have any of those files

installed).

A more secure root-wrapper alternative Alternative to using a sudoers file to limit which commands can be run as root in Nova. This one makes use of command filters defined in Nova code itself, which can be customized to deeply inspect command arguments before allowing a command to be executed. This change puts the infrastructure in place, together with command filters that replicate the level of filtering provided by a sudoers file (no deep argument inspection yet). An example of an advanced filter (RegExpFilter) is also provided. This new root wrapper is not active by default (root_helper still defaults to "sudo"). Implements blueprint nova-rootwrap. Change-Id: I7ad723b55e9446758876f21b4fbb09374a910425

2011年11月21日 16:28:02 +01:00

"""

Move rootwrap filters definition to config files Move rootwrap filters definition from being defined within Nova code to being defined in configuration files to facilitate pluging-in new rootwrap commands. Transition notes: * nova-rootwrap now requires an additional (first) parameter pointing to the root-owned rootwrap.conf file, sudoers needs to be updated to specify that ("nova-rootwrap /etc/nova/rootwrap.conf *") * Packagers should ship {compute,network,volume}.filters inside a directory listed in rootwrap.conf rather than shipping nova/rootwrap/{compute,network,volume}.py * Filter definitions now only support strings. The KillFilter (which was using arrays as parameters) was modified and the tests updated. Implements bp nova-rootwrap-pluggable-filters Corresponding devstack change needs to land first, so that tests pass: https://review.openstack.org/8842 Change-Id: I2350154cd8057bd57926ed542de035626f7de37d

2012年06月06日 14:23:24 +02:00

import ConfigParser

A more secure root-wrapper alternative Alternative to using a sudoers file to limit which commands can be run as root in Nova. This one makes use of command filters defined in Nova code itself, which can be customized to deeply inspect command arguments before allowing a command to be executed. This change puts the infrastructure in place, together with command filters that replicate the level of filtering provided by a sudoers file (no deep argument inspection yet). An example of an advanced filter (RegExpFilter) is also provided. This new root wrapper is not active by default (root_helper still defaults to "sudo"). Implements blueprint nova-rootwrap. Change-Id: I7ad723b55e9446758876f21b4fbb09374a910425

2011年11月21日 16:28:02 +01:00

import os

Restore SIGPIPE default action for subprocesses Python ignores SIGPIPE on startup, because it prefers to check every write and raise an IOError exception rather than taking the signal. Most Unix subprocesses don't expect to work this way. This patch (adapted from Colin Watson's post at http://tinyurl.com/2a7mzh5) sets SIGPIPE back to the default action for nova.utils.execute and nova-rootwrap created subprocesses. Fixes bug 1053364 Change-Id: I17e1629bb4ef4268515c6734ddb6e12746739c52

2012年09月20日 14:11:38 +02:00

import signal

A more secure root-wrapper alternative Alternative to using a sudoers file to limit which commands can be run as root in Nova. This one makes use of command filters defined in Nova code itself, which can be customized to deeply inspect command arguments before allowing a command to be executed. This change puts the infrastructure in place, together with command filters that replicate the level of filtering provided by a sudoers file (no deep argument inspection yet). An example of an advanced filter (RegExpFilter) is also provided. This new root wrapper is not active by default (root_helper still defaults to "sudo"). Implements blueprint nova-rootwrap. Change-Id: I7ad723b55e9446758876f21b4fbb09374a910425

2011年11月21日 16:28:02 +01:00

import subprocess

import sys

RC_UNAUTHORIZED = 99

RC_NOCOMMAND = 98

Move rootwrap filters definition to config files Move rootwrap filters definition from being defined within Nova code to being defined in configuration files to facilitate pluging-in new rootwrap commands. Transition notes: * nova-rootwrap now requires an additional (first) parameter pointing to the root-owned rootwrap.conf file, sudoers needs to be updated to specify that ("nova-rootwrap /etc/nova/rootwrap.conf *") * Packagers should ship {compute,network,volume}.filters inside a directory listed in rootwrap.conf rather than shipping nova/rootwrap/{compute,network,volume}.py * Filter definitions now only support strings. The KillFilter (which was using arrays as parameters) was modified and the tests updated. Implements bp nova-rootwrap-pluggable-filters Corresponding devstack change needs to land first, so that tests pass: https://review.openstack.org/8842 Change-Id: I2350154cd8057bd57926ed542de035626f7de37d

2012年06月06日 14:23:24 +02:00

RC_BADCONFIG = 97

Configurable exec_dirs to find rootwrap commands Adds support for a configurable set of trusted directories to search executables in (exec_dirs), which defaults to system PATH. If your filter specifies an exec_path that doesn't start with '/', then it will be searched in exec_dirs. Avoids having to write multiple filters to care for distro differences. Fixes bug 1079723. Also returns a specific error rather than try to run absent executables. Change-Id: Idab03bb0be6832a75ffeed4e78d25d0543f5caf9

2012年11月16日 15:50:01 +01:00

RC_NOEXECFOUND = 96

A more secure root-wrapper alternative Alternative to using a sudoers file to limit which commands can be run as root in Nova. This one makes use of command filters defined in Nova code itself, which can be customized to deeply inspect command arguments before allowing a command to be executed. This change puts the infrastructure in place, together with command filters that replicate the level of filtering provided by a sudoers file (no deep argument inspection yet). An example of an advanced filter (RegExpFilter) is also provided. This new root wrapper is not active by default (root_helper still defaults to "sudo"). Implements blueprint nova-rootwrap. Change-Id: I7ad723b55e9446758876f21b4fbb09374a910425

2011年11月21日 16:28:02 +01:00

Restore SIGPIPE default action for subprocesses Python ignores SIGPIPE on startup, because it prefers to check every write and raise an IOError exception rather than taking the signal. Most Unix subprocesses don't expect to work this way. This patch (adapted from Colin Watson's post at http://tinyurl.com/2a7mzh5) sets SIGPIPE back to the default action for nova.utils.execute and nova-rootwrap created subprocesses. Fixes bug 1053364 Change-Id: I17e1629bb4ef4268515c6734ddb6e12746739c52

2012年09月20日 14:11:38 +02:00

def _subprocess_setup():

# Python installs a SIGPIPE handler by default. This is usually not what

# non-Python subprocesses expect.

signal.signal(signal.SIGPIPE, signal.SIG_DFL)

A more secure root-wrapper alternative Alternative to using a sudoers file to limit which commands can be run as root in Nova. This one makes use of command filters defined in Nova code itself, which can be customized to deeply inspect command arguments before allowing a command to be executed. This change puts the infrastructure in place, together with command filters that replicate the level of filtering provided by a sudoers file (no deep argument inspection yet). An example of an advanced filter (RegExpFilter) is also provided. This new root wrapper is not active by default (root_helper still defaults to "sudo"). Implements blueprint nova-rootwrap. Change-Id: I7ad723b55e9446758876f21b4fbb09374a910425

2011年11月21日 16:28:02 +01:00

if __name__ == '__main__':

# Split arguments, require at least a command

execname = sys.argv.pop(0)

Move rootwrap filters definition to config files Move rootwrap filters definition from being defined within Nova code to being defined in configuration files to facilitate pluging-in new rootwrap commands. Transition notes: * nova-rootwrap now requires an additional (first) parameter pointing to the root-owned rootwrap.conf file, sudoers needs to be updated to specify that ("nova-rootwrap /etc/nova/rootwrap.conf *") * Packagers should ship {compute,network,volume}.filters inside a directory listed in rootwrap.conf rather than shipping nova/rootwrap/{compute,network,volume}.py * Filter definitions now only support strings. The KillFilter (which was using arrays as parameters) was modified and the tests updated. Implements bp nova-rootwrap-pluggable-filters Corresponding devstack change needs to land first, so that tests pass: https://review.openstack.org/8842 Change-Id: I2350154cd8057bd57926ed542de035626f7de37d

2012年06月06日 14:23:24 +02:00

if len(sys.argv) < 2:

A more secure root-wrapper alternative Alternative to using a sudoers file to limit which commands can be run as root in Nova. This one makes use of command filters defined in Nova code itself, which can be customized to deeply inspect command arguments before allowing a command to be executed. This change puts the infrastructure in place, together with command filters that replicate the level of filtering provided by a sudoers file (no deep argument inspection yet). An example of an advanced filter (RegExpFilter) is also provided. This new root wrapper is not active by default (root_helper still defaults to "sudo"). Implements blueprint nova-rootwrap. Change-Id: I7ad723b55e9446758876f21b4fbb09374a910425

2011年11月21日 16:28:02 +01:00

print "%s: %s" % (execname, "No command specified")

sys.exit(RC_NOCOMMAND)

Move rootwrap filters definition to config files Move rootwrap filters definition from being defined within Nova code to being defined in configuration files to facilitate pluging-in new rootwrap commands. Transition notes: * nova-rootwrap now requires an additional (first) parameter pointing to the root-owned rootwrap.conf file, sudoers needs to be updated to specify that ("nova-rootwrap /etc/nova/rootwrap.conf *") * Packagers should ship {compute,network,volume}.filters inside a directory listed in rootwrap.conf rather than shipping nova/rootwrap/{compute,network,volume}.py * Filter definitions now only support strings. The KillFilter (which was using arrays as parameters) was modified and the tests updated. Implements bp nova-rootwrap-pluggable-filters Corresponding devstack change needs to land first, so that tests pass: https://review.openstack.org/8842 Change-Id: I2350154cd8057bd57926ed542de035626f7de37d

2012年06月06日 14:23:24 +02:00

configfile = sys.argv.pop(0)

A more secure root-wrapper alternative Alternative to using a sudoers file to limit which commands can be run as root in Nova. This one makes use of command filters defined in Nova code itself, which can be customized to deeply inspect command arguments before allowing a command to be executed. This change puts the infrastructure in place, together with command filters that replicate the level of filtering provided by a sudoers file (no deep argument inspection yet). An example of an advanced filter (RegExpFilter) is also provided. This new root wrapper is not active by default (root_helper still defaults to "sudo"). Implements blueprint nova-rootwrap. Change-Id: I7ad723b55e9446758876f21b4fbb09374a910425

2011年11月21日 16:28:02 +01:00

userargs = sys.argv[:]

Move rootwrap filters definition to config files Move rootwrap filters definition from being defined within Nova code to being defined in configuration files to facilitate pluging-in new rootwrap commands. Transition notes: * nova-rootwrap now requires an additional (first) parameter pointing to the root-owned rootwrap.conf file, sudoers needs to be updated to specify that ("nova-rootwrap /etc/nova/rootwrap.conf *") * Packagers should ship {compute,network,volume}.filters inside a directory listed in rootwrap.conf rather than shipping nova/rootwrap/{compute,network,volume}.py * Filter definitions now only support strings. The KillFilter (which was using arrays as parameters) was modified and the tests updated. Implements bp nova-rootwrap-pluggable-filters Corresponding devstack change needs to land first, so that tests pass: https://review.openstack.org/8842 Change-Id: I2350154cd8057bd57926ed542de035626f7de37d

2012年06月06日 14:23:24 +02:00

# Load configuration

config = ConfigParser.RawConfigParser()

config.read(configfile)

try:

filters_path = config.get("DEFAULT", "filters_path").split(",")

Configurable exec_dirs to find rootwrap commands Adds support for a configurable set of trusted directories to search executables in (exec_dirs), which defaults to system PATH. If your filter specifies an exec_path that doesn't start with '/', then it will be searched in exec_dirs. Avoids having to write multiple filters to care for distro differences. Fixes bug 1079723. Also returns a specific error rather than try to run absent executables. Change-Id: Idab03bb0be6832a75ffeed4e78d25d0543f5caf9

2012年11月16日 15:50:01 +01:00

if config.has_option("DEFAULT", "exec_dirs"):

exec_dirs = config.get("DEFAULT", "exec_dirs").split(",")

else:

# Use system PATH if exec_dirs is not specified

exec_dirs = os.environ["PATH"].split(':')

Move rootwrap filters definition to config files Move rootwrap filters definition from being defined within Nova code to being defined in configuration files to facilitate pluging-in new rootwrap commands. Transition notes: * nova-rootwrap now requires an additional (first) parameter pointing to the root-owned rootwrap.conf file, sudoers needs to be updated to specify that ("nova-rootwrap /etc/nova/rootwrap.conf *") * Packagers should ship {compute,network,volume}.filters inside a directory listed in rootwrap.conf rather than shipping nova/rootwrap/{compute,network,volume}.py * Filter definitions now only support strings. The KillFilter (which was using arrays as parameters) was modified and the tests updated. Implements bp nova-rootwrap-pluggable-filters Corresponding devstack change needs to land first, so that tests pass: https://review.openstack.org/8842 Change-Id: I2350154cd8057bd57926ed542de035626f7de37d

2012年06月06日 14:23:24 +02:00

except ConfigParser.Error:

print "%s: Incorrect configuration file: %s" % (execname, configfile)

sys.exit(RC_BADCONFIG)

A more secure root-wrapper alternative Alternative to using a sudoers file to limit which commands can be run as root in Nova. This one makes use of command filters defined in Nova code itself, which can be customized to deeply inspect command arguments before allowing a command to be executed. This change puts the infrastructure in place, together with command filters that replicate the level of filtering provided by a sudoers file (no deep argument inspection yet). An example of an advanced filter (RegExpFilter) is also provided. This new root wrapper is not active by default (root_helper still defaults to "sudo"). Implements blueprint nova-rootwrap. Change-Id: I7ad723b55e9446758876f21b4fbb09374a910425

2011年11月21日 16:28:02 +01:00

# Add ../ to sys.path to allow running from branch

possible_topdir = os.path.normpath(os.path.join(os.path.abspath(execname),

os.pardir, os.pardir))

if os.path.exists(os.path.join(possible_topdir, "nova", "__init__.py")):

sys.path.insert(0, possible_topdir)

from nova.rootwrap import wrapper

# Execute command if it matches any of the loaded filters

Move rootwrap filters definition to config files Move rootwrap filters definition from being defined within Nova code to being defined in configuration files to facilitate pluging-in new rootwrap commands. Transition notes: * nova-rootwrap now requires an additional (first) parameter pointing to the root-owned rootwrap.conf file, sudoers needs to be updated to specify that ("nova-rootwrap /etc/nova/rootwrap.conf *") * Packagers should ship {compute,network,volume}.filters inside a directory listed in rootwrap.conf rather than shipping nova/rootwrap/{compute,network,volume}.py * Filter definitions now only support strings. The KillFilter (which was using arrays as parameters) was modified and the tests updated. Implements bp nova-rootwrap-pluggable-filters Corresponding devstack change needs to land first, so that tests pass: https://review.openstack.org/8842 Change-Id: I2350154cd8057bd57926ed542de035626f7de37d

2012年06月06日 14:23:24 +02:00

filters = wrapper.load_filters(filters_path)

Configurable exec_dirs to find rootwrap commands Adds support for a configurable set of trusted directories to search executables in (exec_dirs), which defaults to system PATH. If your filter specifies an exec_path that doesn't start with '/', then it will be searched in exec_dirs. Avoids having to write multiple filters to care for distro differences. Fixes bug 1079723. Also returns a specific error rather than try to run absent executables. Change-Id: Idab03bb0be6832a75ffeed4e78d25d0543f5caf9

2012年11月16日 15:50:01 +01:00

try:

filtermatch = wrapper.match_filter(filters, userargs,

exec_dirs=exec_dirs)

if filtermatch:

obj = subprocess.Popen(filtermatch.get_command(userargs,

exec_dirs=exec_dirs),

stdin=sys.stdin,

stdout=sys.stdout,

stderr=sys.stderr,

preexec_fn=_subprocess_setup,

env=filtermatch.get_environment(userargs))

obj.wait()

sys.exit(obj.returncode)

except wrapper.FilterMatchNotExecutable as exc:

print "Executable not found: %s" % exc.match.exec_path

sys.exit(RC_NOEXECFOUND)

except wrapper.NoFilterMatched:

print "Unauthorized command: %s" % ' '.join(userargs)

sys.exit(RC_UNAUTHORIZED)

openstack/nova - nova - OpenDev: Free Software Needs Free Tools

109 lines 3.8 KiB Plaintext Raw Normal View History Unescape Escape

109 lines

3.8 KiB

Plaintext

Raw Normal View History