OpenStack release manager Thierry Carrez examines OpenStack Nova's current privilege model and how it's being improved with the root_helper option.

Right now, OpenStack uses sudo to escalate privileges when it needs to run a root command. The problem with this, says Thierry, is that sudo doesn't provide a way to efficiently filter commands, which could be used to exploit systems.

"As an example, the current nova_sudoers file contains commands like chown, kill, dd or tee, which are more than enough to compromise a target system completely," says Thierry.

To fix this, Thierry worked on a filter that gives Nova a configurable "root helper." By default, this is still sudo but it could be something else. The "something else" is what Thierry is working on now, and taking feedback as well.

The primary goals are:

  • Provide a command filter that checks arguments as well as commands run.
  • Provide a way to run as users other than root when root privileges aren't necessary.
  • Separate filters by the type of node running Nova, as not all nodes need to run root commands at all.

Thierry is working on a Python based implementation of this, and looking for feedback on other necessary features. Any other features that Thierry should be looking at?