You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@cloudstack.apache.org by jl...@apache.org on 2013/10/23 23:13:45 UTC
[1/2] git commit: updated refs/heads/master to 13362ae
Updated Branches:
refs/heads/master 9f38614eb -> 13362aee6
Summary: Updated sudoers approved commands for cloud user
Detail: Previously the cloud user has full password-less sudo access.
This commit changes that to only allow access to a specific list of
commands. Been tested in production on ACS 4.0 and 4.2 mangement servers.
BUG-ID: CLOUDSTACK-967
Bugfix-for:
Reviewed-by:
Reported-by:
Signed-off-by: John Kinsella <jl...@stratosec.co> 1382560936 -0700
Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/45e4d4fc
Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/45e4d4fc
Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/45e4d4fc
Branch: refs/heads/master
Commit: 45e4d4fc3bb52f73eb6e687a144cd48587fad2d4
Parents: 5133812
Author: John Kinsella <jl...@stratosec.co>
Authored: Wed Oct 23 13:42:16 2013 -0700
Committer: John Kinsella <jl...@stratosec.co>
Committed: Wed Oct 23 13:42:16 2013 -0700
----------------------------------------------------------------------
python/lib/cloudutils/serviceConfig.py | 2 +-
server/conf/cloudstack-sudoers.in | 2 +-
tools/appliance/definitions/devcloud/base.sh | 2 +-
tools/appliance/definitions/systemvm64template/base.sh | 2 +-
tools/appliance/definitions/systemvm64template/postinstall.sh | 2 +-
tools/appliance/definitions/systemvmtemplate/base.sh | 2 +-
tools/appliance/definitions/systemvmtemplate/postinstall.sh | 2 +-
tools/devcloud/src/deps/boxes/basebox-build/postinstall.sh | 2 +-
8 files changed, 8 insertions(+), 8 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/45e4d4fc/python/lib/cloudutils/serviceConfig.py
----------------------------------------------------------------------
diff --git a/python/lib/cloudutils/serviceConfig.py b/python/lib/cloudutils/serviceConfig.py
index 5c552c0..4ed9a57 100755
--- a/python/lib/cloudutils/serviceConfig.py
+++ b/python/lib/cloudutils/serviceConfig.py
@@ -727,7 +727,7 @@ class sudoersConfig(serviceCfgBase):
def config(self):
try:
cfo = configFileOps("/etc/sudoers", self)
- cfo.addEntry("cloud ALL ", "NOPASSWD : ALL")
+ cfo.addEntry("cloud ALL ", "NOPASSWD : /bin/chmod, /bin/cp, /bin/mkdir, /bin/mount, /bin/umount")
cfo.rmEntry("Defaults", "requiretty", " ")
cfo.save()
return True
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/45e4d4fc/server/conf/cloudstack-sudoers.in
----------------------------------------------------------------------
diff --git a/server/conf/cloudstack-sudoers.in b/server/conf/cloudstack-sudoers.in
index dcfb17b..0690164 100644
--- a/server/conf/cloudstack-sudoers.in
+++ b/server/conf/cloudstack-sudoers.in
@@ -18,5 +18,5 @@
# The CloudStack management server needs sudo permissions
# without a password.
-@MSUSER@ ALL =NOPASSWD : ALL
+@MSUSER@ ALL =NOPASSWD : /bin/chmod, /bin/cp, /bin/mkdir, /bin/mount, /bin/umount
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/45e4d4fc/tools/appliance/definitions/devcloud/base.sh
----------------------------------------------------------------------
diff --git a/tools/appliance/definitions/devcloud/base.sh b/tools/appliance/definitions/devcloud/base.sh
index 122b389..7fec0fc 100644
--- a/tools/appliance/definitions/devcloud/base.sh
+++ b/tools/appliance/definitions/devcloud/base.sh
@@ -6,7 +6,7 @@ apt-get -y update
apt-get -y install curl unzip
apt-get clean
-echo 'cloud ALL=NOPASSWD:ALL' > /etc/sudoers.d/cloud
+echo 'cloud ALL=NOPASSWD:/bin/chmod, /bin/cp, /bin/mkdir, /bin/mount, /bin/umount' > /etc/sudoers.d/cloud
# Tweak sshd to prevent DNS resolution (speed up logins)
echo 'UseDNS no' >> /etc/ssh/sshd_config
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/45e4d4fc/tools/appliance/definitions/systemvm64template/base.sh
----------------------------------------------------------------------
diff --git a/tools/appliance/definitions/systemvm64template/base.sh b/tools/appliance/definitions/systemvm64template/base.sh
index d6faea0..46c5db6 100644
--- a/tools/appliance/definitions/systemvm64template/base.sh
+++ b/tools/appliance/definitions/systemvm64template/base.sh
@@ -5,7 +5,7 @@ apt-get -y update
apt-get -y install curl unzip
# Set up sudo
-echo 'vagrant ALL=NOPASSWD:ALL' > /etc/sudoers.d/vagrant
+echo 'vagrant ALL=NOPASSWD:/bin/chmod, /bin/cp, /bin/mkdir, /bin/mount, /bin/umount' > /etc/sudoers.d/vagrant
# Tweak sshd to prevent DNS resolution (speed up logins)
echo 'UseDNS no' >> /etc/ssh/sshd_config
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/45e4d4fc/tools/appliance/definitions/systemvm64template/postinstall.sh
----------------------------------------------------------------------
diff --git a/tools/appliance/definitions/systemvm64template/postinstall.sh b/tools/appliance/definitions/systemvm64template/postinstall.sh
index 9297731..d33b943 100644
--- a/tools/appliance/definitions/systemvm64template/postinstall.sh
+++ b/tools/appliance/definitions/systemvm64template/postinstall.sh
@@ -105,7 +105,7 @@ setup_accounts() {
echo "root:$ROOTPW" | chpasswd
echo "cloud:`openssl rand -base64 32`" | chpasswd
sed -i -e '/Defaults\s\+env_reset/a Defaults\texempt_group=admin' /etc/sudoers
- sed -i -e 's/%admin ALL=(ALL) ALL/%admin ALL=NOPASSWD:ALL/g' /etc/sudoers
+ sed -i -e 's/%admin ALL=(ALL) ALL/%admin ALL=NOPASSWD:/bin/chmod, /bin/cp, /bin/mkdir, /bin/mount, /bin/umount/g' /etc/sudoers
# Disable password based authentication via ssh, this will take effect on next reboot
sed -i -e 's/^.*PasswordAuthentication .*$/PasswordAuthentication no/g' /etc/ssh/sshd_config
# Secure ~/.ssh
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/45e4d4fc/tools/appliance/definitions/systemvmtemplate/base.sh
----------------------------------------------------------------------
diff --git a/tools/appliance/definitions/systemvmtemplate/base.sh b/tools/appliance/definitions/systemvmtemplate/base.sh
index 4d6092a..5aaa0ed 100644
--- a/tools/appliance/definitions/systemvmtemplate/base.sh
+++ b/tools/appliance/definitions/systemvmtemplate/base.sh
@@ -7,7 +7,7 @@ apt-get -y install curl unzip
apt-get clean
# Set up sudo, TODO: Check security concerns
-echo 'cloud ALL=NOPASSWD:ALL' > /etc/sudoers.d/cloud
+echo 'cloud ALL=NOPASSWD:/bin/chmod, /bin/cp, /bin/mkdir, /bin/mount, /bin/umount' > /etc/sudoers.d/cloud
# Tweak sshd to prevent DNS resolution (speed up logins)
echo 'UseDNS no' >> /etc/ssh/sshd_config
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/45e4d4fc/tools/appliance/definitions/systemvmtemplate/postinstall.sh
----------------------------------------------------------------------
diff --git a/tools/appliance/definitions/systemvmtemplate/postinstall.sh b/tools/appliance/definitions/systemvmtemplate/postinstall.sh
index caee7b3..1309d47 100644
--- a/tools/appliance/definitions/systemvmtemplate/postinstall.sh
+++ b/tools/appliance/definitions/systemvmtemplate/postinstall.sh
@@ -104,7 +104,7 @@ setup_accounts() {
echo "root:$ROOTPW" | chpasswd
echo "cloud:`openssl rand -base64 32`" | chpasswd
sed -i -e '/Defaults\s\+env_reset/a Defaults\texempt_group=admin' /etc/sudoers
- sed -i -e 's/%admin ALL=(ALL) ALL/%admin ALL=NOPASSWD:ALL/g' /etc/sudoers
+ sed -i -e 's/%admin ALL=(ALL) ALL/%admin ALL=NOPASSWD:/bin/chmod, /bin/cp, /bin/mkdir, /bin/mount, /bin/umount/g' /etc/sudoers
# Disable password based authentication via ssh, this will take effect on next reboot
sed -i -e 's/^.*PasswordAuthentication .*$/PasswordAuthentication no/g' /etc/ssh/sshd_config
# Secure ~/.ssh
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/45e4d4fc/tools/devcloud/src/deps/boxes/basebox-build/postinstall.sh
----------------------------------------------------------------------
diff --git a/tools/devcloud/src/deps/boxes/basebox-build/postinstall.sh b/tools/devcloud/src/deps/boxes/basebox-build/postinstall.sh
index 217d230..f2b1560 100644
--- a/tools/devcloud/src/deps/boxes/basebox-build/postinstall.sh
+++ b/tools/devcloud/src/deps/boxes/basebox-build/postinstall.sh
@@ -28,7 +28,7 @@ groupadd -r admin
usermod -a -G admin devcloud
echo "root:password" | chpasswd
sed -i -e '/Defaults\s\+env_reset/a Defaults\texempt_group=admin' /etc/sudoers
-sed -i -e 's/%admin ALL=(ALL) ALL/%admin ALL=NOPASSWD:ALL/g' /etc/sudoers
+sed -i -e 's/%admin ALL=(ALL) ALL/%admin ALL=NOPASSWD:/bin/chmod, /bin/cp, /bin/mkdir, /bin/mount, /bin/umount/g' /etc/sudoers
mkdir /home/devcloud/.ssh
chmod 700 /home/devcloud/.ssh
[2/2] git commit: updated refs/heads/master to 13362ae
Posted by jl...@apache.org.
Merge branch 'master' of https://git-wip-us.apache.org/repos/asf/cloudstack
Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/13362aee
Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/13362aee
Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/13362aee
Branch: refs/heads/master
Commit: 13362aee6973ddb45e94b5135d7e47a93c2389cb
Parents: 45e4d4f 9f38614
Author: John Kinsella <jl...@stratosec.co>
Authored: Wed Oct 23 14:13:26 2013 -0700
Committer: John Kinsella <jl...@stratosec.co>
Committed: Wed Oct 23 14:13:26 2013 -0700
----------------------------------------------------------------------
ui/scripts/templates.js | 5 +++++
1 file changed, 5 insertions(+)
----------------------------------------------------------------------