Add /usr/local/{sbin,bin} to rootwrap exec_dirs

Nova [1], Neutron [2,3] and Cinder's [4] rootwrap exec dirs include
/usr/local/{sbin,bin} which are a standardised locations for admins to
install non-distro executables, and these executables are no less
"trustworthy" than /usr/bin and friends.  See Neutron and Cinder's
rootwrap.conf (and probably others), and typical distro default values
for sudoers/secure_path for extremely similar precedents that all
include /usr/local/*bin.
Brief discussion of doing this via devstack available at [5].

Also, remove absolute paths from existing filters
to make this fix useful.

[1] I6a0a4b7f952193ce0f4ed2594613188854d36bf1
[2] Ib3646933744ca6b20ecd5ad0cedcedb4f1fa5f12
[3] Id7aebb50e60b1cc64c113be63c599387be5f1765
[4] I577e10df25181c7d4ca8189b10640a8e6e39b047
[5] I710cf142b834381c00e651cfc062299ae755c33f

Change-Id: Ie7177778a247a687ced846bb11030cb72344c93f
Closes-Bug: #1551956
This commit is contained in:
Chaozhe.Chen 2016-02-24 01:35:04 +08:00 committed by vponomaryov
parent f81bc489b8
commit 71f8d0f3df
2 changed files with 18 additions and 18 deletions

View File

@ -10,7 +10,7 @@ filters_path=/etc/manila/rootwrap.d,/usr/share/manila/rootwrap
# explicitely specify a full path (separated by ',') # explicitely specify a full path (separated by ',')
# If not specified, defaults to system PATH environment variable. # If not specified, defaults to system PATH environment variable.
# These directories MUST all be only writeable by root ! # These directories MUST all be only writeable by root !
exec_dirs=/sbin,/usr/sbin,/bin,/usr/bin,/usr/lpp/mmfs/bin exec_dirs=/sbin,/usr/sbin,/bin,/usr/bin,/usr/local/sbin,/usr/local/bin,/usr/lpp/mmfs/bin
# Enable logging to syslog # Enable logging to syslog
# Default value is False # Default value is False

View File

@ -8,17 +8,17 @@ chown: CommandFilter, chown, root
cat: CommandFilter, cat, root cat: CommandFilter, cat, root
# manila/share/drivers/lvm.py: 'mkfs.ext4', '/dev/mapper/%s' # manila/share/drivers/lvm.py: 'mkfs.ext4', '/dev/mapper/%s'
mkfs.ext4: CommandFilter, /sbin/mkfs.ext4, root mkfs.ext4: CommandFilter, mkfs.ext4, root
# manila/share/drivers/lvm.py: 'mkfs.ext3', '/dev/mapper/%s' # manila/share/drivers/lvm.py: 'mkfs.ext3', '/dev/mapper/%s'
mkfs.ext3: CommandFilter, /sbin/mkfs.ext3, root mkfs.ext3: CommandFilter, mkfs.ext3, root
# manila/share/drivers/lvm.py: 'smbd', '-s', '%s', '-D' # manila/share/drivers/lvm.py: 'smbd', '-s', '%s', '-D'
smbd: CommandFilter, /usr/sbin/smbd, root smbd: CommandFilter, smbd, root
smb: CommandFilter, /usr/sbin/smb, root smb: CommandFilter, smb, root
# manila/share/drivers/lvm.py: 'rmdir', '%s' # manila/share/drivers/lvm.py: 'rmdir', '%s'
rmdir: CommandFilter, /bin/rmdir, root rmdir: CommandFilter, rmdir, root
# manila/share/drivers/lvm.py: 'dd' 'count=0', 'if=%s' % srcstr, 'of=%s' # manila/share/drivers/lvm.py: 'dd' 'count=0', 'if=%s' % srcstr, 'of=%s'
dd: CommandFilter, dd, root dd: CommandFilter, dd, root
@ -30,13 +30,13 @@ fsck: CommandFilter, fsck, root
resize2fs: CommandFilter, resize2fs, root resize2fs: CommandFilter, resize2fs, root
# manila/share/drivers/helpers.py: 'smbcontrol', 'all', 'close-share', '%s' # manila/share/drivers/helpers.py: 'smbcontrol', 'all', 'close-share', '%s'
smbcontrol: CommandFilter, /usr/bin/smbcontrol, root smbcontrol: CommandFilter, smbcontrol, root
# manila/share/drivers/helpers.py: 'net', 'conf', 'addshare', '%s', '%s', 'writeable=y', 'guest_ok=y # manila/share/drivers/helpers.py: 'net', 'conf', 'addshare', '%s', '%s', 'writeable=y', 'guest_ok=y
# manila/share/drivers/helpers.py: 'net', 'conf', 'delshare', '%s' # manila/share/drivers/helpers.py: 'net', 'conf', 'delshare', '%s'
# manila/share/drivers/helpers.py: 'net', 'conf', 'setparm', '%s', '%s', '%s' # manila/share/drivers/helpers.py: 'net', 'conf', 'setparm', '%s', '%s', '%s'
# manila/share/drivers/helpers.py: 'net', 'conf', 'getparm', '%s', 'hosts allow' # manila/share/drivers/helpers.py: 'net', 'conf', 'getparm', '%s', 'hosts allow'
net: CommandFilter, /usr/bin/net, root net: CommandFilter, net, root
# manila/share/drivers/lvm.py: 'lvremove', '-f', "%s/%s # manila/share/drivers/lvm.py: 'lvremove', '-f', "%s/%s
lvremove: CommandFilter, lvremove, root lvremove: CommandFilter, lvremove, root
@ -81,23 +81,23 @@ umount: CommandFilter, umount, root
# GPFS commands # GPFS commands
# manila/share/drivers/ibm/gpfs.py: 'mmgetstate', '-Y' # manila/share/drivers/ibm/gpfs.py: 'mmgetstate', '-Y'
mmgetstate: CommandFilter, /usr/lpp/mmfs/bin/mmgetstate, root mmgetstate: CommandFilter, mmgetstate, root
# manila/share/drivers/ibm/gpfs.py: 'mmlsattr', '%s' # manila/share/drivers/ibm/gpfs.py: 'mmlsattr', '%s'
mmlsattr: CommandFilter, /usr/lpp/mmfs/bin/mmlsattr, root mmlsattr: CommandFilter, mmlsattr, root
# manila/share/drivers/ibm/gpfs.py: 'mmcrfileset', '%s', '%s', '--inode-space', 'new' # manila/share/drivers/ibm/gpfs.py: 'mmcrfileset', '%s', '%s', '--inode-space', 'new'
mmcrfileset: CommandFilter, /usr/lpp/mmfs/bin/mmcrfileset, root mmcrfileset: CommandFilter, mmcrfileset, root
# manila/share/drivers/ibm/gpfs.py: 'mmlinkfileset', '%s', '%s', '-J', '%s' # manila/share/drivers/ibm/gpfs.py: 'mmlinkfileset', '%s', '%s', '-J', '%s'
mmlinkfileset: CommandFilter, /usr/lpp/mmfs/bin/mmlinkfileset, root mmlinkfileset: CommandFilter, mmlinkfileset, root
# manila/share/drivers/ibm/gpfs.py: 'mmsetquota', '-j', '%s', '-h', '%s', '%s' # manila/share/drivers/ibm/gpfs.py: 'mmsetquota', '-j', '%s', '-h', '%s', '%s'
mmsetquota: CommandFilter, /usr/lpp/mmfs/bin/mmsetquota, root mmsetquota: CommandFilter, mmsetquota, root
# manila/share/drivers/ibm/gpfs.py: 'mmunlinkfileset', '%s', '%s', '-f' # manila/share/drivers/ibm/gpfs.py: 'mmunlinkfileset', '%s', '%s', '-f'
mmunlinkfileset: CommandFilter, /usr/lpp/mmfs/bin/mmunlinkfileset, root mmunlinkfileset: CommandFilter, mmunlinkfileset, root
# manila/share/drivers/ibm/gpfs.py: 'mmdelfileset', '%s', '%s', '-f' # manila/share/drivers/ibm/gpfs.py: 'mmdelfileset', '%s', '%s', '-f'
mmdelfileset: CommandFilter, /usr/lpp/mmfs/bin/mmdelfileset, root mmdelfileset: CommandFilter, mmdelfileset, root
# manila/share/drivers/ibm/gpfs.py: 'mmcrsnapshot', '%s', '%s', '-j', '%s' # manila/share/drivers/ibm/gpfs.py: 'mmcrsnapshot', '%s', '%s', '-j', '%s'
mmcrsnapshot: CommandFilter, /usr/lpp/mmfs/bin/mmcrsnapshot, root mmcrsnapshot: CommandFilter, mmcrsnapshot, root
# manila/share/drivers/ibm/gpfs.py: 'mmdelsnapshot', '%s', '%s', '-j', '%s' # manila/share/drivers/ibm/gpfs.py: 'mmdelsnapshot', '%s', '%s', '-j', '%s'
mmdelsnapshot: CommandFilter, /usr/lpp/mmfs/bin/mmdelsnapshot, root mmdelsnapshot: CommandFilter, mmdelsnapshot, root
# manila/share/drivers/ibm/gpfs.py: 'rsync', '-rp', '%s', '%s' # manila/share/drivers/ibm/gpfs.py: 'rsync', '-rp', '%s', '%s'
rsync: CommandFilter, rsync, root rsync: CommandFilter, rsync, root
# manila/share/drivers/ibm/gpfs.py: 'exportfs' # manila/share/drivers/ibm/gpfs.py: 'exportfs'
@ -147,7 +147,7 @@ zpool: CommandFilter, zpool, root
zfs: CommandFilter, zfs, root zfs: CommandFilter, zfs, root
# manila/share/drivers/zfsonlinux/driver.py # manila/share/drivers/zfsonlinux/driver.py
nsenter: CommandFilter, /usr/local/bin/nsenter, root nsenter: CommandFilter, nsenter, root
# LXD driver commands # LXD driver commands
# manila/share/drivers/lxd.py # manila/share/drivers/lxd.py