Commit 58389f18 authored by Chaozhe.Chen's avatar Chaozhe.Chen

Add /usr/local/{sbin,bin} to rootwrap exec_dirs

I noticed that nova, neutron and cinder's rootwrap exec_dirs include
/usr/local/{sbin,bin} which is a standardised location for admins to
install non-distro executables, and these executables are no less
"trustworthy" than /usr/bin and friends.  See neutron and cinder's
rootwrap.conf (and probably others), and typical distro default values
for sudoers/secure_path for extremely similar precedents that all include
/usr/local/*bin.

See the same patch of nova for more information:
https://review.openstack.org/#/c/280052/1
And see I710cf142b834381c00e651cfc062299ae755c33f for brief discussion
of doing this via devstack before.

Change-Id: If5ed1d7d81fdac10fc2b1608aafe20833e0f2980
parent 08433892
......@@ -10,7 +10,7 @@ filters_path=/etc/ceilometer/rootwrap.d,/usr/share/ceilometer/rootwrap
# explicitely specify a full path (separated by ',')
# If not specified, defaults to system PATH environment variable.
# These directories MUST all be only writeable by root !
exec_dirs=/sbin,/usr/sbin,/bin,/usr/bin
exec_dirs=/sbin,/usr/sbin,/bin,/usr/bin,/usr/local/sbin,/usr/local/bin
# Enable logging to syslog
# Default value is False
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment