Feature #3021
allow only oneadmin to run onehost sync
| Status: | Closed | Start date: | 07/03/2014 |
|---|---|---|---|
| Priority: | High | Due date: | |
| Assignee: | Jaime Melis | % Done: | 0% |
| Category: | CLI | | |
| Target version: | Release 4.14 | | |
| Resolution: | fixed | Pull request: | |
Description
If another user runs it, like root for example, the permissions will cause problems.
Associated revisions
Feature #3021: disallow root to run onehost sync
History
#1 Updated by Jaime Melis about 7 years ago
- Tracker changed from Feature to 8
- Affected Versions OpenNebula 4.6 added
#2 Updated by Jaime Melis about 7 years ago
- Tracker changed from 8 to Backlog
#3 Updated by Jan Horacek almost 7 years ago
Jaime Melis wrote:
If another user runs it, like root for example, the permissions will cause problems
Hit that again... the real problem is that it transfers drivers to the worker node under the current user session.
That means that running it under root will create root-owned files on the worker node, which means no other update from oneadmin is possible.
Maybe this should be a job run by oned, and onehost sync would just request this action.
#4 Updated by Ruben S. Montero almost 7 years ago
- Priority changed from Normal to High
I am moving this to high priority to schedule it for the next release...
#5 Updated by Arnold Bechtoldt almost 7 years ago
+1
#6 Updated by Ruben S. Montero over 6 years ago
- Target version set to Release 4.14
#7 Updated by Ruben S. Montero over 6 years ago
- Tracker changed from Backlog to Feature
#8 Updated by Ruben S. Montero over 6 years ago
- Status changed from Pending to New
#9 Updated by Ruben S. Montero about 6 years ago
- Assignee set to Jaime Melis
#10 Updated by Jaime Melis about 6 years ago
The only possible problem is the one mentioned by Jan, when root issues the command.
OpenNebula tries to find the .one_auth in $HOME/.one/one_auth and if it doesn't exist, in /var/lib/one/.one_auth. And since root is the only user that can read that file, the command succeeds.
To fix this we will hardcode that no CLI commands can be run from the root account.
#11 Updated by Jaime Melis about 6 years ago
While fixing this, we may want to prevent users other than oneadmin (OpenNebula, not UNIX) running the interactive onevm recover --interactive, by using the same system that's present in the onehost sync.
#12 Updated by Jaime Melis about 6 years ago
- Status changed from New to Closed
- Resolution set to fixed
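Added example, not part of the original ticket and not OpenNebula's own code: a Ruby sketch of the two checks discussed in comments #3 and #10, a guard that refuses to run as UNIX root and a post-sync audit for files not owned by the expected account. The names `refuse_root!`, `foreign_owned` and `guarded_sync` are hypothetical, and the directory tree is constructed in a temporary directory.

```ruby
require 'find'
require 'tmpdir'
require 'fileutils'

# Raised when a command is started from the UNIX root account.
class RootNotAllowed < StandardError; end

# Guard in the spirit of comment #10: refuse to continue when the effective
# UID is 0. The euid parameter exists so the check can be exercised in tests.
def refuse_root!(euid = Process.euid)
  raise RootNotAllowed, 'this command must not be run as root' if euid.zero?
  true
end

# Audit for the failure mode in comment #3: list every entry under `dir`
# whose owner differs from `expected_uid` (the oneadmin UID on a real host).
# lstat is used so a symlink is judged by its own owner, not its target's.
def foreign_owned(dir, expected_uid)
  Find.find(dir).select { |path| File.lstat(path).uid != expected_uid }.sort
end

# Guard first, then copy the contents of `src` into `dest`, then report
# anything in `dest` that is not owned by `expected_uid`.
def guarded_sync(src, dest, expected_uid, euid = Process.euid)
  refuse_root!(euid)
  FileUtils.mkdir_p(dest)
  FileUtils.cp_r(File.join(src, '.'), dest)
  foreign_owned(dest, expected_uid)
end

if __FILE__ == $PROGRAM_NAME
  Dir.mktmpdir do |tmp| # constructed sample tree, not a real driver layout
    src = File.join(tmp, 'remotes')
    FileUtils.mkdir_p(File.join(src, 'im'))
    File.write(File.join(src, 'im', 'probe.sh'), "#!/bin/sh\n")
    begin
      p guarded_sync(src, File.join(tmp, 'host'), Process.euid)
    rescue RootNotAllowed => e
      warn e.message
    end
  end
end
```

Running the audit on a worker node with the oneadmin UID as `expected_uid` lists the root-owned leftovers that would block later updates.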