Bug #4870

Missing entry for mkswap in sudoers (uninitialized volatile disk of type "swap")

Added by Jan "Yenya" Kasprzak over 4 years ago. Updated over 4 years ago.

Status:ClosedStart date:10/13/2016
Priority:NormalDue date:
Assignee:-% Done:

0%

Category:Core & System
Target version:Release 5.2
Resolution:fixed Pull request:
Affected Versions:OpenNebula 5.0

Description

Originally discussed here: https://forum.opennebula.org/t/volatile-swap-disk-not-initialized-in-5-0-2/3126/

ONe fails to initialize volatile images of type "swap" on a CEPH system datastore, because the rbd-mapped block device in /dev/rbd/X is not accessible by mkswap. Adding a mkswap entry to /etc/sudoers.d/opennebula fixes the problem. Patch attached. The patch should be evaluated from the security point of view - adding mkswap to sudoers probably allows the oneadmin user to overwrite any file in the system. The relevant parts of the system log (/var/log/secure on CentOS 7) is here:

Oct 13 15:00:22 host4 sudo: oneadmin : TTY=unknown ; PWD=/var/lib/one ; USER=
root ; COMMAND=/bin/rbd --id libvirt map one/one-sys-620-1
Oct 13 15:00:22 host4 sudo: pam_unix(sudo:auth): conversation failed
Oct 13 15:00:22 host4 sudo: pam_unix(sudo:auth): auth could not identify pass
word for [oneadmin]
Oct 13 15:00:22 host4 sudo: oneadmin : command not allowed ; TTY=unknown ; PW
D=/var/lib/one ; USER=root ; COMMAND=/sbin/mkswap -L swap stratus4:/var/lib/one/
/datastores/0/620/disk.1
Oct 13 15:00:22 host4 sudo: oneadmin : TTY=unknown ; PWD=/var/lib/one ; USER=
root ; COMMAND=/bin/rbd --id libvirt unmap /dev/rbd/one/one-sys-620-1

one-sudoers.patch Magnifier (565 Bytes) Jan "Yenya" Kasprzak, 10/13/2016 03:15 PM

ceph-mkimage.patch Magnifier (412 Bytes) Jan "Yenya" Kasprzak, 10/13/2016 03:38 PM

Associated revisions

Revision 406695f8
Added by Jaime Melis over 4 years ago

B #4870: missing sudo perms for mkswap

Patch submitted by Jan "Yenya" Kasprzak

History

#1 Updated by Ruben S. Montero over 4 years ago

  • Target version set to Release 5.2

#2 Updated by Jan "Yenya" Kasprzak over 4 years ago

Oops, one more change is needed: mkswap is run with incorrect arguments. Additional patch to /var/lib/one/remotes/tm/ceph/mkimage is attached.

#3 Updated by Jaime Melis over 4 years ago

  • Status changed from Pending to Closed
  • Resolution set to fixed

patch applied

thanks!!!!

Also available in: Atom PDF