CommandFilter does not allow validating full path command
Bug #1956606 reported by
David Vallee Delisle
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| oslo.rootwrap |
Fix Released
|
Undecided
|
Unassigned | ||
Bug Description
If we use this configuration:
sftp_server: CommandFilter, /usr/libexec/
rootwrap can't validate full paths
~~~
# /usr/bin/
/usr/bin/
~~~
| Changed in oslo.rootwrap: | |
| status: | New → In Progress |
Revision history for this message
| OpenStack Infra (hudson-openstack) wrote Fix merged to oslo.rootwrap (master) | #1 |
| Changed in oslo.rootwrap: | |
| status: | In Progress → Fix Released |
Revision history for this message
| Bogdan Dobrelya (bogdando) wrote | #2 |
Revision history for this message
| OpenStack Infra (hudson-openstack) wrote Fix included in openstack/oslo.rootwrap 6.3.1 | #3 |
To post a comment you must log in.
Reviewed: https:/
Committed: https:/
Submitter: "Zuul (22348)"
Branch: master
commit 1b1b960d0d6b0dd
Author: David Vallee Delisle <email address hidden>
Date: Wed Jan 5 12:36:04 2022 -0500
CommandFilter should allow exec from full path
The current logic prevents from using a full path as argument.
We can't just compare basename to basename as it would allow passing
bogus paths. We need to make sure that passing a full path will compare
to the config's full path.
Closes-Bug: #1956606
Change-Id: I76094065de5b37