Do not hardcode /bin/kill and /bin/cat
Bug #1519839 reported by Domen Kožar
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
oslo.rootwrap | Confirmed | Wishlist | Unassigned |
Bug Description
Filters have hardcoded /bin/kill and /bin/cat paths. That's unfortunate as that might not be the desired path.
As I understand, exec_dirs should limit the path of executables, so filters have no need to hardcode paths.
The /bin/cat hard-coding appears to be just a convenience filter, and if you make it configurable it turns into essentially CommandFilter.
KillFilter appears to have actual logic related to killing processes though, so I could see an argument to make that configurable.
I should also note that we are encouraging people to move to oslo.privsep instead of oslo.rootwrap. There's much less chance of operator error exposing security holes with privsep.
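A sketch of the lookup the report asks for, as an added example that is not oslo.rootwrap's code: a bare command name is resolved against a list of allowed directories instead of a fixed /bin path. The function names, the directory trust check and the temporary directory layout are assumptions constructed for illustration.

```python
import os
import stat
import tempfile


def dir_is_trusted(directory):
    """Accept only absolute directories that group/other cannot write to."""
    if not os.path.isabs(directory) or not os.path.isdir(directory):
        return False
    mode = os.stat(directory).st_mode
    return not mode & (stat.S_IWGRP | stat.S_IWOTH)


def resolve_in_exec_dirs(name, exec_dirs):
    """Return the first executable called `name` in a trusted dir, else None."""
    # Only bare command names: a separator in the name could escape exec_dirs.
    if not name or os.sep in name or name in (".", ".."):
        return None
    for directory in exec_dirs:
        if not dir_is_trusted(directory):
            continue  # a writable directory lets others plant a fake binary
        candidate = os.path.join(directory, name)
        if os.path.isfile(candidate) and os.access(candidate, os.X_OK):
            return candidate
    return None


def demo():
    """Constructed layout: 'kill' exists only outside the conventional bin dir."""
    root = tempfile.mkdtemp()
    bin_dir = os.path.join(root, "bin")         # stands in for /bin, has no kill
    alt_dir = os.path.join(root, "alt", "bin")  # where this system keeps kill
    open_dir = os.path.join(root, "open")       # world-writable, must be skipped
    for d in (bin_dir, alt_dir, open_dir):
        os.makedirs(d)
        os.chmod(d, 0o755)                      # explicit mode, independent of umask
    for d in (alt_dir, open_dir):
        path = os.path.join(d, "kill")
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\n")
        os.chmod(path, 0o755)
    os.chmod(open_dir, 0o777)
    hardcoded = os.path.join(bin_dir, "kill")   # what a fixed path would look for
    found = resolve_in_exec_dirs("kill", [open_dir, bin_dir, alt_dir])
    return os.path.exists(hardcoded), found, alt_dir
```

With a directory-based lookup the trust decision moves from one fixed path to every directory in the list, which is why the sketch skips directories that group or other users can write to; a real deployment would also check ownership.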