Bug #4870: Missing entry for mkswap in sudoers (uninitialized volatile disk of type "swap") - OpenNebula - OpenNebula Development pages

Bug #4870

Missing entry for mkswap in sudoers (uninitialized volatile disk of type "swap")

Added by Jan "Yenya" Kasprzak over 4 years ago. Updated over 4 years ago.

Status:

Closed

Start date:

10/13/2016

Priority:

Normal

Due date:

Assignee:

% Done:

Category:

Core & System

Target version:

Release 5.2

Resolution:

fixed

Pull request:

Affected Versions:

OpenNebula 5.0

Description

Originally discussed here: https://forum.opennebula.org/t/volatile-swap-disk-not-initialized-in-5-0-2/3126/

ONe fails to initialize volatile images of type "swap" on a CEPH system datastore, because the rbd-mapped block device in /dev/rbd/X is not accessible by mkswap. Adding a mkswap entry to /etc/sudoers.d/opennebula fixes the problem. Patch attached. The patch should be evaluated from the security point of view - adding mkswap to sudoers probably allows the oneadmin user to overwrite any file in the system. The relevant parts of the system log (/var/log/secure on CentOS 7) is here:

Oct 13 15:00:22 host4 sudo: oneadmin : TTY=unknown ; PWD=/var/lib/one ; USER=
root ; COMMAND=/bin/rbd --id libvirt map one/one-sys-620-1
Oct 13 15:00:22 host4 sudo: pam_unix(sudo:auth): conversation failed
Oct 13 15:00:22 host4 sudo: pam_unix(sudo:auth): auth could not identify pass
word for [oneadmin]
Oct 13 15:00:22 host4 sudo: oneadmin : command not allowed ; TTY=unknown ; PW
D=/var/lib/one ; USER=root ; COMMAND=/sbin/mkswap -L swap stratus4:/var/lib/one/
/datastores/0/620/disk.1
Oct 13 15:00:22 host4 sudo: oneadmin : TTY=unknown ; PWD=/var/lib/one ; USER=
root ; COMMAND=/bin/rbd --id libvirt unmap /dev/rbd/one/one-sys-620-1

one-sudoers.patch (565 Bytes) Jan "Yenya" Kasprzak, 10/13/2016 03:15 PM

ceph-mkimage.patch (412 Bytes) Jan "Yenya" Kasprzak, 10/13/2016 03:38 PM