Posted to dev@cloudstack.apache.org by "Rohit Yadav (JIRA)" <ji...@apache.org> on 2013/02/11 12:23:12 UTC

[jira] [Commented] (CLOUDSTACK-967) security hazard: passwordless root sudo for cloud user

    [ https://issues.apache.org/jira/browse/CLOUDSTACK-967?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13575736#comment-13575736 ] 

Rohit Yadav commented on CLOUDSTACK-967:
----------------------------------------

Holy hazard, we need to fix it. Maybe make the folders/files/paths writable for the user 'cloud'?
                
> security hazard: passwordless root sudo for cloud user
> ------------------------------------------------------
>
>                 Key: CLOUDSTACK-967
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-967
>             Project: CloudStack
>          Issue Type: Improvement
>      Security Level: Public(Anyone can view this level - this is the default.) 
>            Reporter: Noa Resare
>              Labels: security
>
> When running the setup-cloud-management program, it installs a terrible entry in the file /etc/sudoers:
> cloud ALL =NOPASSWD : ALL
> To the uninitiated: this means that the user 'cloud' can become root without supplying a password via the sudo facility.
> This is obviously very, very bad from a security perspective. Any security vulnerability where an attacker (remote or local) can trick the cloudstack server component to execute arbitrary tasks immediately escalates into root access.
> Let's figure out what permissions cloudstack actually needs and fix this.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
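The issue above quotes the sudoers entry `cloud ALL =NOPASSWD : ALL` and asks what permissions the management server actually needs. The script below is an added example, not part of this JIRA thread and not CloudStack code: it parses a small constructed sudoers fragment, resolves an omitted `(runas)` to root the way sudo does by default, and flags entries that grant an unrestricted command list without a password. The fragment includes the quoted line as reported and a hypothetical tightened replacement that only lists two explicit commands; the command paths in that replacement are illustrative assumptions, not the set CloudStack requires.

```python
import re
from dataclasses import dataclass, field

# Constructed sample sudoers fragment (not from any CloudStack release).
# Line 3 is the entry quoted in CLOUDSTACK-967; line 4 is a hypothetical
# tightened replacement whose command list is an assumption for illustration.
SAMPLE_SUDOERS = """\
Defaults    requiretty
root    ALL=(ALL)       ALL
cloud ALL =NOPASSWD : ALL
cloud ALL=(root) NOPASSWD: /usr/bin/mount, /usr/bin/umount
%wheel  ALL=(ALL)       ALL
"""

# Tag words sudoers allows in front of a command list.
TAGS = {"NOPASSWD", "PASSWD", "NOEXEC", "EXEC", "SETENV", "NOSETENV",
        "LOG_INPUT", "NOLOG_INPUT", "LOG_OUTPUT", "NOLOG_OUTPUT",
        "MAIL", "NOMAIL", "FOLLOW", "NOFOLLOW"}

# user  host = (runas) [TAG: ...] cmd, cmd   (spaces around '=' and ':' allowed)
SPEC_RE = re.compile(r"^(\S+)\s+([^=\s]+)\s*=\s*(?:\(([^)]*)\)\s*)?(.*)$")
TAG_RE = re.compile(r"^\s*([A-Z_]+)\s*:\s*")
SKIP_PREFIXES = ("Defaults", "Host_Alias", "User_Alias",
                 "Runas_Alias", "Cmnd_Alias", "@include")


@dataclass
class Entry:
    user: str
    host: str
    runas: str                      # "root" when (runas) is omitted: sudo's default
    tags: set = field(default_factory=set)
    commands: list = field(default_factory=list)
    raw: str = ""


def parse_sudoers(text):
    """Parse user-specification lines; aliases and Defaults are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # strip comments
        if not line or line.startswith(SKIP_PREFIXES):
            continue
        m = SPEC_RE.match(line)
        if not m:
            continue
        user, host, runas, rest = m.groups()
        tags = set()
        while True:                                  # peel off leading TAG: words
            t = TAG_RE.match(rest)
            if not t or t.group(1) not in TAGS:
                break
            tags.add(t.group(1))
            rest = rest[t.end():]
        commands = [c.strip() for c in rest.split(",") if c.strip()]
        # "(ALL:ALL)" carries a runas group after ':'; only the user part matters here.
        runas_user = (runas or "root").split(":")[0].strip() or "root"
        entries.append(Entry(user, host, runas_user, tags, commands, raw))
    return entries


def root_equivalent(entry):
    """Unrestricted command list that may run as root (explicitly or via ALL)."""
    return entry.runas in ("ALL", "root") and "ALL" in entry.commands


def audit(entries):
    """Return (user, severity, reason) for every entry worth a second look."""
    findings = []
    for e in entries:
        if root_equivalent(e) and "NOPASSWD" in e.tags:
            findings.append((e.user, "CRITICAL",
                             "passwordless unrestricted root: any code running "
                             "as this user is root"))
        elif root_equivalent(e):
            findings.append((e.user, "HIGH",
                             "unrestricted root, gated only by the user's password"))
        elif "NOPASSWD" in e.tags:
            findings.append((e.user, "REVIEW",
                             "passwordless: " + ", ".join(e.commands)))
    return findings


if __name__ == "__main__":
    for user, severity, reason in audit(parse_sudoers(SAMPLE_SUDOERS)):
        print(f"{severity:8} {user:8} {reason}")
```

The quoted CloudStack line is reported as CRITICAL because the omitted `(runas)` means root and the command list is `ALL`; the tightened line drops to REVIEW. Passing this audit is necessary, not sufficient: every command left in a NOPASSWD list still has to be checked for shell escapes, editor or pager invocations, and unconstrained arguments, and the file should be syntax-checked with `visudo -c -f <file>` before it is installed.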