summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorArata Notsu <notsu@virtualtech.jp>2013-01-11 18:04:45 +0900
committerArata Notsu <notsu@virtualtech.jp>2013-01-21 16:09:53 +0900
commit72da6199d233d7bd434e019a2d1b7275804eda3e (patch)
tree75e18c030c4ad80520865fd1f21435aaf659e080
parent8143021bdb5ec10ea60a6613e29bdc9347701a04 (diff)
Add rootwrap filters for password injection with localfs
Allow to 'sudo cat' to read passwd and shadow. bug 1098077 Change-Id: Ic734bd33223df879b5e1f144bb4c85702eb88dfa
Diffstat
-rw-r--r--etc/nova/rootwrap.d/compute.filters6
1 files changed, 6 insertions, 0 deletions
diff --git a/etc/nova/rootwrap.d/compute.filters b/etc/nova/rootwrap.d/compute.filters
index f344a1b1c..d64e71053 100644
--- a/etc/nova/rootwrap.d/compute.filters
+++ b/etc/nova/rootwrap.d/compute.filters
@@ -172,3 +172,9 @@ vgs: CommandFilter, /sbin/vgs, root
# nova/virt/baremetal/volume_driver.py: 'tgtadm', '--lld', 'iscsi', ...
tgtadm: CommandFilter, /usr/sbin/tgtadm, root
+
+# nova/utils.py:read_file_as_root: 'cat', file_path
+# (called from nova/virt/disk/vfs/localfs.py:VFSLocalFS.read_file)
+read_passwd: RegExpFilter, cat, root, cat, (/var|/usr)?/tmp/openstack-vfs-localfs[^/]+/etc/passwd
+read_shadow: RegExpFilter, cat, root, cat, (/var|/usr)?/tmp/openstack-vfs-localfs[^/]+/etc/shadow
+
generated by cgit (git 2.34.1) at 2026-03-17 07:13:59 +0000