cloudstack-dev mailing list archives

From Marcus <shadow...@gmail.com>
Subject Re: sudo chmod - bad practice
Date Thu, 12 Mar 2015 05:59:50 GMT
If I'm not mistaken, the VmwareManagerImpl.java and
HypervManagerImpl.java code would run on mgmt server and looks like it
is doing sudo chmod. In the 'new Script(true ...' the true means to
run sudo. Both of those look like they give cloud (and everyone,
actually) permission to access a mountpoint in preparation for working
on the secondary storage. The injectkeys.sh also is called via the
configuration subsystem in the mgmt server to add the cloud keys into
the systemvm.iso.

Many of the others look like they're required for a development
environment (where most devs also run a mgmt server), but not
necessarily required for operation of the mgmt server.


On Wed, Mar 11, 2015 at 4:10 PM, ilya musayev
<ilya.mailing.lists@gmail.com> wrote:
> I don't see where MS requires the use of chmod directly based on the quick
> look against ASF grep search, if someone finds it - please let me know.
>
> https://git-wip-us.apache.org/repos/asf?p=cloudstack.git&a=search&h=a10a9d522c56f707a9674f1486f58697e8c5206a&st=grep&s=chmod
>
>
>
>
> On 3/11/15 4:06 PM, ilya musayev wrote:
>>
>> Is there any way we can avoid having chmod in /etc/sudoers file?
>>
>> This line in sudoers file makes me very uncomfortable
>>
>>
>> https://git-wip-us.apache.org/repos/asf?p=cloudstack.git;a=blob;f=python/lib/cloudutils/serviceConfig.py;hb=a10a9d522c56f707a9674f1486f58697e8c5206a
>>
>> class sudoersConfig(serviceCfgBase):
>>     def __init__(self, syscfg):
>>         super(sudoersConfig, self).__init__(syscfg)
>>         self.serviceName = "sudoers"
>>     def config(self):
>>         try:
>>             cfo = configFileOps("/etc/sudoers", self)
>>             cfo.addEntry("cloud ALL ", "NOPASSWD : /bin/chmod, /bin/cp, /bin/mkdir, /bin/mount, /bin/umount")
>>             cfo.rmEntry("Defaults", "requiretty", " ")
>>             cfo.save()
>>             return True
>>         except:
>>             raise
>>
>>     def restore(self):
>>         return True
>>
>>
>> Can this be avoided?
>>
>
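
An added example, not part of the thread or of CloudStack's code: a small audit that flags sudoers entries like the one quoted above, where NOPASSWD is granted on a file or mount utility with no argument restriction. The on-disk form of the entry, the RISKY set and the placeholder mount path are assumptions of this example.

```python
import re

# Binaries that change permissions, file contents or mounts. The set is an
# assumption of this example, seeded from the entry quoted in the thread.
RISKY = {"chmod", "chown", "cp", "mv", "mkdir", "mount", "umount"}

# Constructed sample: the entry from serviceConfig.py in its assumed on-disk
# form, plus a hypothetical argument-restricted entry (placeholder path).
SAMPLE = """\
Defaults requiretty
cloud ALL = NOPASSWD : /bin/chmod, /bin/cp, /bin/mkdir, \\
    /bin/mount, /bin/umount
cloud ALL = NOPASSWD : /bin/umount /mnt/example-secondary
"""

RULE = re.compile(r"^(?P<who>\S+)\s+(?P<hosts>[^\s=]+)\s*=\s*(?P<spec>.+)$")
TAG = re.compile(r"^([A-Z_]+)\s*:\s*")


def audit_sudoers(text):
    """Return (user, command) pairs run as NOPASSWD with no argument limit."""
    findings = []
    text = text.replace("\\\n", " ")  # join backslash-continued lines
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and #include
        match = RULE.match(line)
        if not match or line.startswith("Defaults") or "_Alias" in match.group("who"):
            continue
        nopasswd = False
        for item in match.group("spec").split(","):
            item = re.sub(r"^\([^)]*\)\s*", "", item.strip())  # Runas spec
            # Tags apply to this command and to the ones after it in the list.
            while (tag := TAG.match(item)):
                if tag.group(1) in ("NOPASSWD", "PASSWD"):
                    nopasswd = tag.group(1) == "NOPASSWD"
                item = item[tag.end():]
            parts = item.split()
            if not parts:
                continue
            name = parts[0].rsplit("/", 1)[-1]
            # A bare path lets the caller choose every argument and target.
            if nopasswd and len(parts) == 1 and (name in RISKY or name == "ALL"):
                findings.append((match.group("who"), parts[0]))
    return findings


if __name__ == "__main__":
    for user, command in audit_sudoers(SAMPLE):
        print(f"{user}: NOPASSWD {command} accepts any arguments")
```

The parser covers plain user rules only; aliases and Runas lists containing commas are outside what it handles.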
