Return-Path: X-Original-To: apmail-cloudstack-commits-archive@www.apache.org Delivered-To: apmail-cloudstack-commits-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id 90BE91035A for ; Wed, 23 Oct 2013 21:14:03 +0000 (UTC) Received: (qmail 28033 invoked by uid 500); 23 Oct 2013 21:13:49 -0000 Delivered-To: apmail-cloudstack-commits-archive@cloudstack.apache.org Received: (qmail 27946 invoked by uid 500); 23 Oct 2013 21:13:47 -0000 Mailing-List: contact commits-help@cloudstack.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@cloudstack.apache.org Delivered-To: mailing list commits@cloudstack.apache.org Received: (qmail 27912 invoked by uid 99); 23 Oct 2013 21:13:46 -0000 Received: from tyr.zones.apache.org (HELO tyr.zones.apache.org) (140.211.11.114) by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 23 Oct 2013 21:13:46 +0000 Received: by tyr.zones.apache.org (Postfix, from userid 65534) id A3512319EAB; Wed, 23 Oct 2013 21:13:45 +0000 (UTC) Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit From: jlk@apache.org To: commits@cloudstack.apache.org Date: Wed, 23 Oct 2013 21:13:45 -0000 Message-Id: <7af48f1d1e0f423e9f99b52a6a2e22df@git.apache.org> X-Mailer: ASF-Git Admin Mailer Subject: [1/2] git commit: updated refs/heads/master to 13362ae Updated Branches: refs/heads/master 9f38614eb -> 13362aee6 Summary: Updated sudoers approved commands for cloud user Detail: Previously the cloud user has full password-less sudo access. This commit changes that to only allow access to a specific list of commands. Been tested in production on ACS 4.0 and 4.2 mangement servers. BUG-ID: CLOUDSTACK-967 Bugfix-for: Reviewed-by: Reported-by: Signed-off-by: John Kinsella 1382560936 -0700 Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/45e4d4fc Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/45e4d4fc Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/45e4d4fc Branch: refs/heads/master Commit: 45e4d4fc3bb52f73eb6e687a144cd48587fad2d4 Parents: 5133812 Author: John Kinsella Authored: Wed Oct 23 13:42:16 2013 -0700 Committer: John Kinsella Committed: Wed Oct 23 13:42:16 2013 -0700 ---------------------------------------------------------------------- python/lib/cloudutils/serviceConfig.py | 2 +- server/conf/cloudstack-sudoers.in | 2 +- tools/appliance/definitions/devcloud/base.sh | 2 +- tools/appliance/definitions/systemvm64template/base.sh | 2 +- tools/appliance/definitions/systemvm64template/postinstall.sh | 2 +- tools/appliance/definitions/systemvmtemplate/base.sh | 2 +- tools/appliance/definitions/systemvmtemplate/postinstall.sh | 2 +- tools/devcloud/src/deps/boxes/basebox-build/postinstall.sh | 2 +- 8 files changed, 8 insertions(+), 8 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/cloudstack/blob/45e4d4fc/python/lib/cloudutils/serviceConfig.py ---------------------------------------------------------------------- diff --git a/python/lib/cloudutils/serviceConfig.py b/python/lib/cloudutils/serviceConfig.py index 5c552c0..4ed9a57 100755 --- a/python/lib/cloudutils/serviceConfig.py +++ b/python/lib/cloudutils/serviceConfig.py @@ -727,7 +727,7 @@ class sudoersConfig(serviceCfgBase): def config(self): try: cfo = configFileOps("/etc/sudoers", self) - cfo.addEntry("cloud ALL ", "NOPASSWD : ALL") + cfo.addEntry("cloud ALL ", "NOPASSWD : /bin/chmod, /bin/cp, /bin/mkdir, /bin/mount, /bin/umount") cfo.rmEntry("Defaults", "requiretty", " ") cfo.save() return True http://git-wip-us.apache.org/repos/asf/cloudstack/blob/45e4d4fc/server/conf/cloudstack-sudoers.in ---------------------------------------------------------------------- diff --git a/server/conf/cloudstack-sudoers.in b/server/conf/cloudstack-sudoers.in index dcfb17b..0690164 100644 --- a/server/conf/cloudstack-sudoers.in +++ b/server/conf/cloudstack-sudoers.in @@ -18,5 +18,5 @@ # The CloudStack management server needs sudo permissions # without a password. -@MSUSER@ ALL =NOPASSWD : ALL +@MSUSER@ ALL =NOPASSWD : /bin/chmod, /bin/cp, /bin/mkdir, /bin/mount, /bin/umount http://git-wip-us.apache.org/repos/asf/cloudstack/blob/45e4d4fc/tools/appliance/definitions/devcloud/base.sh ---------------------------------------------------------------------- diff --git a/tools/appliance/definitions/devcloud/base.sh b/tools/appliance/definitions/devcloud/base.sh index 122b389..7fec0fc 100644 --- a/tools/appliance/definitions/devcloud/base.sh +++ b/tools/appliance/definitions/devcloud/base.sh @@ -6,7 +6,7 @@ apt-get -y update apt-get -y install curl unzip apt-get clean -echo 'cloud ALL=NOPASSWD:ALL' > /etc/sudoers.d/cloud +echo 'cloud ALL=NOPASSWD:/bin/chmod, /bin/cp, /bin/mkdir, /bin/mount, /bin/umount' > /etc/sudoers.d/cloud # Tweak sshd to prevent DNS resolution (speed up logins) echo 'UseDNS no' >> /etc/ssh/sshd_config http://git-wip-us.apache.org/repos/asf/cloudstack/blob/45e4d4fc/tools/appliance/definitions/systemvm64template/base.sh ---------------------------------------------------------------------- diff --git a/tools/appliance/definitions/systemvm64template/base.sh b/tools/appliance/definitions/systemvm64template/base.sh index d6faea0..46c5db6 100644 --- a/tools/appliance/definitions/systemvm64template/base.sh +++ b/tools/appliance/definitions/systemvm64template/base.sh @@ -5,7 +5,7 @@ apt-get -y update apt-get -y install curl unzip # Set up sudo -echo 'vagrant ALL=NOPASSWD:ALL' > /etc/sudoers.d/vagrant +echo 'vagrant ALL=NOPASSWD:/bin/chmod, /bin/cp, /bin/mkdir, /bin/mount, /bin/umount' > /etc/sudoers.d/vagrant # Tweak sshd to prevent DNS resolution (speed up logins) echo 'UseDNS no' >> /etc/ssh/sshd_config http://git-wip-us.apache.org/repos/asf/cloudstack/blob/45e4d4fc/tools/appliance/definitions/systemvm64template/postinstall.sh ---------------------------------------------------------------------- diff --git a/tools/appliance/definitions/systemvm64template/postinstall.sh b/tools/appliance/definitions/systemvm64template/postinstall.sh index 9297731..d33b943 100644 --- a/tools/appliance/definitions/systemvm64template/postinstall.sh +++ b/tools/appliance/definitions/systemvm64template/postinstall.sh @@ -105,7 +105,7 @@ setup_accounts() { echo "root:$ROOTPW" | chpasswd echo "cloud:`openssl rand -base64 32`" | chpasswd sed -i -e '/Defaults\s\+env_reset/a Defaults\texempt_group=admin' /etc/sudoers - sed -i -e 's/%admin ALL=(ALL) ALL/%admin ALL=NOPASSWD:ALL/g' /etc/sudoers + sed -i -e 's/%admin ALL=(ALL) ALL/%admin ALL=NOPASSWD:/bin/chmod, /bin/cp, /bin/mkdir, /bin/mount, /bin/umount/g' /etc/sudoers # Disable password based authentication via ssh, this will take effect on next reboot sed -i -e 's/^.*PasswordAuthentication .*$/PasswordAuthentication no/g' /etc/ssh/sshd_config # Secure ~/.ssh http://git-wip-us.apache.org/repos/asf/cloudstack/blob/45e4d4fc/tools/appliance/definitions/systemvmtemplate/base.sh ---------------------------------------------------------------------- diff --git a/tools/appliance/definitions/systemvmtemplate/base.sh b/tools/appliance/definitions/systemvmtemplate/base.sh index 4d6092a..5aaa0ed 100644 --- a/tools/appliance/definitions/systemvmtemplate/base.sh +++ b/tools/appliance/definitions/systemvmtemplate/base.sh @@ -7,7 +7,7 @@ apt-get -y install curl unzip apt-get clean # Set up sudo, TODO: Check security concerns -echo 'cloud ALL=NOPASSWD:ALL' > /etc/sudoers.d/cloud +echo 'cloud ALL=NOPASSWD:/bin/chmod, /bin/cp, /bin/mkdir, /bin/mount, /bin/umount' > /etc/sudoers.d/cloud # Tweak sshd to prevent DNS resolution (speed up logins) echo 'UseDNS no' >> /etc/ssh/sshd_config http://git-wip-us.apache.org/repos/asf/cloudstack/blob/45e4d4fc/tools/appliance/definitions/systemvmtemplate/postinstall.sh ---------------------------------------------------------------------- diff --git a/tools/appliance/definitions/systemvmtemplate/postinstall.sh b/tools/appliance/definitions/systemvmtemplate/postinstall.sh index caee7b3..1309d47 100644 --- a/tools/appliance/definitions/systemvmtemplate/postinstall.sh +++ b/tools/appliance/definitions/systemvmtemplate/postinstall.sh @@ -104,7 +104,7 @@ setup_accounts() { echo "root:$ROOTPW" | chpasswd echo "cloud:`openssl rand -base64 32`" | chpasswd sed -i -e '/Defaults\s\+env_reset/a Defaults\texempt_group=admin' /etc/sudoers - sed -i -e 's/%admin ALL=(ALL) ALL/%admin ALL=NOPASSWD:ALL/g' /etc/sudoers + sed -i -e 's/%admin ALL=(ALL) ALL/%admin ALL=NOPASSWD:/bin/chmod, /bin/cp, /bin/mkdir, /bin/mount, /bin/umount/g' /etc/sudoers # Disable password based authentication via ssh, this will take effect on next reboot sed -i -e 's/^.*PasswordAuthentication .*$/PasswordAuthentication no/g' /etc/ssh/sshd_config # Secure ~/.ssh http://git-wip-us.apache.org/repos/asf/cloudstack/blob/45e4d4fc/tools/devcloud/src/deps/boxes/basebox-build/postinstall.sh ---------------------------------------------------------------------- diff --git a/tools/devcloud/src/deps/boxes/basebox-build/postinstall.sh b/tools/devcloud/src/deps/boxes/basebox-build/postinstall.sh index 217d230..f2b1560 100644 --- a/tools/devcloud/src/deps/boxes/basebox-build/postinstall.sh +++ b/tools/devcloud/src/deps/boxes/basebox-build/postinstall.sh @@ -28,7 +28,7 @@ groupadd -r admin usermod -a -G admin devcloud echo "root:password" | chpasswd sed -i -e '/Defaults\s\+env_reset/a Defaults\texempt_group=admin' /etc/sudoers -sed -i -e 's/%admin ALL=(ALL) ALL/%admin ALL=NOPASSWD:ALL/g' /etc/sudoers +sed -i -e 's/%admin ALL=(ALL) ALL/%admin ALL=NOPASSWD:/bin/chmod, /bin/cp, /bin/mkdir, /bin/mount, /bin/umount/g' /etc/sudoers mkdir /home/devcloud/.ssh chmod 700 /home/devcloud/.ssh