Feature #3021

allow only oneadmin to run onehost sync

Added by Jaime Melis about 5 years ago. Updated over 4 years ago.

Status: Closed
Start date: 07/03/2014
Priority: High
Due date:
Assignee: Jaime Melis
% Done: 0%
Category: CLI
Target version: Release 4.14
Resolution: fixed
Pull request:

Description

If another user runs it, like root for example, the permissions will cause problems.

Associated revisions

Revision b27d12e4
Added by Jaime Melis over 4 years ago

Feature #3021: disallow root to run onehost sync

History

#1 Updated by Jaime Melis about 5 years ago

  • Tracker changed from Feature to 8
  • Affected Versions OpenNebula 4.6 added

#2 Updated by Jaime Melis about 5 years ago

  • Tracker changed from 8 to Backlog

#3 Updated by Jan Horacek about 5 years ago

Jaime Melis wrote:

If another user runs it, like root for example, the permissions will cause problems.

Hit that again... The real problem is that it transfers drivers to the worker node under the current user session.
That means that running it under root will create root-owned files on the worker node, so no other update from oneadmin is possible.

Maybe this should be a job run by oned, and onehost sync just requests this action.
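A check for the state described in comment #3, as an added example that is not part of the original thread or of OpenNebula's code: it lists every entry under a driver directory on a worker node whose owner is not the expected account. The function name `foreign_owned` is hypothetical, and the directory and account are supplied by the caller.

```ruby
require 'find'
require 'etc'

# Walk `dir` and return a sorted array of [path, owner_uid] pairs for every
# entry (the directory itself included) not owned by `expected_uid`.
# Hypothetical helper: not taken from the OpenNebula code base.
def foreign_owned(dir, expected_uid)
  hits = []
  Find.find(dir) do |path|
    begin
      st = File.lstat(path) # lstat: inspect a symlink itself, never its target
    rescue SystemCallError
      next                  # entry vanished or cannot be stat'ed; skip it
    end
    hits << [path, st.uid] unless st.uid == expected_uid
  end
  hits.sort
end

# Command-line use: ruby audit.rb <driver_dir> <unix_user>
# Exit status 1 means at least one entry would block a sync by that user.
if __FILE__ == $PROGRAM_NAME && ARGV.length == 2
  dir, user = ARGV
  uid = Etc.getpwnam(user).uid
  bad = foreign_owned(dir, uid)
  bad.each { |path, owner| puts "#{path}: owned by uid #{owner}, expected #{uid}" }
  exit(bad.empty? ? 0 : 1)
end
```

Run it on the worker node against the directory that receives the drivers; any path it prints has to be re-owned before a sync from the expected account can overwrite it.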

#4 Updated by Ruben S. Montero about 5 years ago

  • Priority changed from Normal to High

I am moving this to high priority to schedule it for the next release...

#5 Updated by Arnold Bechtoldt about 5 years ago

+1

#6 Updated by Ruben S. Montero over 4 years ago

  • Target version set to Release 4.14

#7 Updated by Ruben S. Montero over 4 years ago

  • Tracker changed from Backlog to Feature

#8 Updated by Ruben S. Montero over 4 years ago

  • Status changed from Pending to New

#9 Updated by Ruben S. Montero over 4 years ago

  • Assignee set to Jaime Melis

#10 Updated by Jaime Melis over 4 years ago

The only possible problem is the one mentioned by Jan, when root issues the command.

OpenNebula tries to find the .one_auth in $HOME/.one/one_auth and if it doesn't exist, in /var/lib/one/.one_auth. And since root is the only user that can read that file, the command succeeds.

To fix this we will hardcode that no CLI commands can be run from the root account.

#11 Updated by Jaime Melis over 4 years ago

While fixing this, we may want to prevent users other than oneadmin (OpenNebula, not UNIX) from running the interactive onevm recover --interactive, by using the same system that's present in the onehost sync.

#12 Updated by Jaime Melis over 4 years ago

  • Status changed from New to Closed
  • Resolution set to fixed
