Pattern: Method call with run_as_root=True
Issue: -
Running commands as root dramatically increase their potential risk. Running
commands with restricted user privileges provides defense in depth against
command injection attacks, or developer and configuration error. This rule checks for specific methods being called with a keyword parameter run_as_root set to True, a common OpenStack idiom:
ceilometer.utils.executecinder.utils.executeneutron.agent.linux.utils.executenova.utils.executenova.utils.trycmd
Example of insecure code:
ceilometer_utils.execute('gcc --version', run_as_root=True)Example of secure code:
ceilometer_utils.execute('gcc --version', run_as_root=False)