
M #-: Restrict sudo ip usage (#4689)

Co-authored-by: Jan Orel <jorel@opennebula.systems>
This commit is contained in:
Vlastimil Holer 2020-05-11 19:03:23 +02:00 committed by GitHub
parent d282f2da86
commit 4c77119fce
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
10 changed files with 22 additions and 14 deletions


@ -62,7 +62,7 @@ leader)
;;
follower)
if sudo -n ip address show dev $INTERFACE | grep -qi " ${IP}/"; then
if ip address show dev $INTERFACE | grep -qi " ${IP}/"; then
sudo -n ip address del $IFADDR dev $INTERFACE
fi
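Review bot: With sudo dropped from the check, `ip` is now resolved through this script's own PATH instead of sudo's `secure_path` (`/sbin:/bin:/usr/sbin:/usr/bin` in the sudoers files of this same commit), and on a host where oneadmin's PATH lacks the sbin directories the pipeline fails quietly: `grep -q` sees no output, the `del` is skipped, and the VIP stays configured on a follower. Either pin the lookup near the top of the script, e.g. `export PATH="/usr/sbin:/sbin:$PATH"`, or make the failure visible with `ip address show dev "$INTERFACE" || exit 1` before grepping. Whether the hook's environment already provides the sbin directories is not visible here. The `case` arm this belongs to starts and ends outside the hunk.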


@ -3,10 +3,10 @@ Defaults:oneadmin secure_path = /sbin:/bin:/usr/sbin:/usr/bin
Cmnd_Alias ONE_CEPH = /usr/bin/rbd
Cmnd_Alias ONE_FIRECRACKER = /usr/bin/jailer, /usr/bin/mount, /usr/sbin/one-clean-firecracker-domain
Cmnd_Alias ONE_HA = /usr/bin/systemctl start opennebula-flow, /usr/bin/systemctl stop opennebula-flow, /usr/bin/systemctl start opennebula-gate, /usr/bin/systemctl stop opennebula-gate, /usr/bin/systemctl start opennebula-hem, /usr/bin/systemctl stop opennebula-hem, /usr/sbin/service opennebula-flow start, /usr/sbin/service opennebula-flow stop, /usr/sbin/service opennebula-gate start, /usr/sbin/service opennebula-gate stop, /usr/sbin/service opennebula-hem start, /usr/sbin/service opennebula-hem stop, /usr/sbin/arping, /usr/sbin/ip
Cmnd_Alias ONE_HA = /usr/bin/systemctl start opennebula-flow, /usr/bin/systemctl stop opennebula-flow, /usr/bin/systemctl start opennebula-gate, /usr/bin/systemctl stop opennebula-gate, /usr/bin/systemctl start opennebula-hem, /usr/bin/systemctl stop opennebula-hem, /usr/sbin/service opennebula-flow start, /usr/sbin/service opennebula-flow stop, /usr/sbin/service opennebula-gate start, /usr/sbin/service opennebula-gate stop, /usr/sbin/service opennebula-hem start, /usr/sbin/service opennebula-hem stop, /usr/sbin/arping, /usr/sbin/ip address *
Cmnd_Alias ONE_LVM = /usr/sbin/lvcreate, /usr/sbin/lvremove, /usr/sbin/lvs, /usr/sbin/vgdisplay, /usr/sbin/lvchange, /usr/sbin/lvscan, /usr/sbin/lvextend
Cmnd_Alias ONE_MARKET = /usr/lib/one/sh/create_container_image.sh
Cmnd_Alias ONE_NET = /usr/sbin/ebtables, /usr/sbin/iptables, /usr/sbin/ip6tables, /usr/sbin/ip, /usr/sbin/ipset
Cmnd_Alias ONE_NET = /usr/sbin/ebtables, /usr/sbin/iptables, /usr/sbin/ip6tables, /usr/sbin/ipset, /usr/sbin/ip link *, /usr/sbin/ip tuntap *
Cmnd_Alias ONE_OVS = /usr/bin/ovs-ofctl, /usr/bin/ovs-vsctl
## Command aliases are enabled individually in dedicated
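Review bot: The `*` in `ip address *`, `ip link *` and `ip tuntap *` matches any argument string, spaces included, so the new entries still permit every operation on those objects (delete any address, bring any link down, move an interface into another namespace, create tap devices for any user); what the change actually excludes is the other objects (`route`, `rule`, `netns`, `neigh`) and ip's global options such as `-batch`/`-netns`, which must precede the object and therefore cannot match. That is a real narrowing, but the remaining scope deserves a note beside the alias so nobody reads it as read-only, e.g. `## ip is limited to the address/link/tuntap objects; sudo's * spans arguments, so any action on those objects is still allowed`. If the HA hook only ever needs add and delete, `/usr/sbin/ip address add *, /usr/sbin/ip address del *` would also exclude `flush`; the leader arm that would use `add` is not visible in this commit.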


@ -3,11 +3,11 @@ Defaults:oneadmin secure_path = /sbin:/bin:/usr/sbin:/usr/bin
Cmnd_Alias ONE_CEPH = /usr/bin/rbd
Cmnd_Alias ONE_FIRECRACKER = /usr/bin/jailer, /bin/mount, /usr/sbin/one-clean-firecracker-domain
Cmnd_Alias ONE_HA = /bin/systemctl start opennebula-flow, /bin/systemctl stop opennebula-flow, /bin/systemctl start opennebula-gate, /bin/systemctl stop opennebula-gate, /bin/systemctl start opennebula-hem, /bin/systemctl stop opennebula-hem, /usr/sbin/service opennebula-flow start, /usr/sbin/service opennebula-flow stop, /usr/sbin/service opennebula-gate start, /usr/sbin/service opennebula-gate stop, /usr/sbin/service opennebula-hem start, /usr/sbin/service opennebula-hem stop, /usr/bin/arping, /sbin/ip
Cmnd_Alias ONE_HA = /bin/systemctl start opennebula-flow, /bin/systemctl stop opennebula-flow, /bin/systemctl start opennebula-gate, /bin/systemctl stop opennebula-gate, /bin/systemctl start opennebula-hem, /bin/systemctl stop opennebula-hem, /usr/sbin/service opennebula-flow start, /usr/sbin/service opennebula-flow stop, /usr/sbin/service opennebula-gate start, /usr/sbin/service opennebula-gate stop, /usr/sbin/service opennebula-hem start, /usr/sbin/service opennebula-hem stop, /usr/bin/arping, /sbin/ip address *
Cmnd_Alias ONE_LVM = /sbin/lvcreate, /sbin/lvremove, /sbin/lvs, /sbin/vgdisplay, /sbin/lvchange, /sbin/lvscan, /sbin/lvextend
Cmnd_Alias ONE_LXD = /snap/bin/lxc, /usr/bin/catfstab, /bin/mount, /bin/umount, /bin/mkdir, /bin/lsblk, /sbin/losetup, /sbin/kpartx, /usr/bin/qemu-nbd, /sbin/blkid, /sbin/e2fsck, /sbin/resize2fs, /usr/sbin/xfs_growfs, /usr/bin/rbd-nbd, /usr/sbin/xfs_admin, /sbin/tune2fs
Cmnd_Alias ONE_MARKET = /usr/lib/one/sh/create_container_image.sh
Cmnd_Alias ONE_NET = /sbin/ebtables, /sbin/iptables, /sbin/ip6tables, /sbin/ip, /sbin/ipset
Cmnd_Alias ONE_NET = /sbin/ebtables, /sbin/iptables, /sbin/ip6tables, /sbin/ipset, /sbin/ip link *, /sbin/ip tuntap *
Cmnd_Alias ONE_OVS = /usr/bin/ovs-ofctl, /usr/bin/ovs-vsctl
## Command aliases are enabled individually in dedicated
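Review bot: sudoers compares the argument string literally, so only the spelled-out object names match: `sudo -n ip addr show`, `ip a`, `ip l` and the other abbreviations iproute2 itself accepts are refused from now on, and because callers use `sudo -n` they get a non-interactive denial rather than a prompt. The VXLAN driver's `ip addr show` is moved off sudo in this commit, but any privileged caller elsewhere that abbreviates, or that uses another object such as `route`, now fails at runtime; a one-line note beside the alias, `## only the full object names address/link/tuntap match; abbreviations and other objects are denied`, would save the next person a debugging session. This /sbin variant must also be kept in step with the /usr/sbin copy and with the `Sudoers` generator's command list changed in the same commit.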


@ -24,7 +24,14 @@ class Sudoers
def initialize(lib_location)
# Commands required to be used as root, without password, by oneadmin
@cmds = {
:NET => %w[ebtables iptables ip6tables ip ipset],
:NET => [
'ebtables',
'iptables',
'ip6tables',
'ipset',
'ip link *',
'ip tuntap *'
],
:LVM => %w[
lvcreate lvremove lvs vgdisplay lvchange lvscan lvextend
],
@ -49,7 +56,7 @@ class Sudoers
'service opennebula-hem start',
'service opennebula-hem stop',
'arping',
'ip'
'ip address *'
],
:MARKET => %W[#{lib_location}/sh/create_container_image.sh],
:FIRECRACKER => %w[/usr/bin/jailer


@ -71,7 +71,7 @@ class VLANTagDriver < VNMMAD::VLANDriver
end
def list_interface_vlan(name)
text = %x(#{command(:ip)} -d link show #{name})
text = %x(#{command(:ip_unpriv)} -d link show #{name})
return nil if $?.exitstatus != 0
text.each_line do |line|


@ -66,7 +66,7 @@ template.elements.each(XPATH_NICS) do |nic_element|
if_name = "#{deploy_id}-#{nic_id}"
# check if interface is already defined
cmd = "#{command(:ip)} link show #{if_name}"
cmd = "#{command(:ip_unpriv)} link show #{if_name}"
_, _, rc = Open3.capture3(cmd)
next unless rc.success?


@ -62,7 +62,7 @@ template.elements.each(XPATH_NICS) do |nic_element|
if_name = "#{deploy_id}-#{nic_id}"
# check if interface is already defined
cmd = "#{command(:ip)} link show #{if_name}"
cmd = "#{command(:ip_unpriv)} link show #{if_name}"
_, _, rc = Open3.capture3(cmd)
next if rc.success?


@ -26,6 +26,7 @@ module VNMNetwork
:iptables => "sudo -n iptables",
:ip6tables=> "sudo -n ip6tables",
:ip => "sudo -n ip",
:ip_unpriv=> "ip",
:virsh => "virsh -c qemu:///system",
:ovs_vsctl=> "sudo -n ovs-vsctl",
:ovs_ofctl=> "sudo -n ovs-ofctl",


@ -207,7 +207,7 @@ module VNMMAD
bridges = {}
ip_show_bridge =
`#{VNMNetwork::COMMANDS[:ip]} link show type bridge`
`#{VNMNetwork::COMMANDS[:ip_unpriv]} link show type bridge`
ip_show_bridge.split("\n").each do |line|
next if line !~ /^[0-9]*:/
@ -216,7 +216,7 @@ module VNMMAD
bridges[br_name] = []
ip_show_master =
`#{VNMNetwork::COMMANDS[:ip]} link show master #{br_name}`
`#{VNMNetwork::COMMANDS[:ip_unpriv]} link show master #{br_name}`
ip_show_master.split("\n").each do |l|
next if l !~ /^[0-9]*:/


@ -79,7 +79,7 @@ module VXLAN
end
def list_interface_vlan(name)
text = %x(#{command(:ip)} -d link show #{name})
text = %x(#{command(:ip_unpriv)} -d link show #{name})
return nil if $?.exitstatus != 0
text.each_line do |line|
@ -92,7 +92,7 @@ module VXLAN
end
def get_interface_first_ip(name)
text = %x(#{command(:ip)} addr show dev #{name})
text = %x(#{command(:ip_unpriv)} addr show dev #{name})
return nil if $?.exitstatus != 0
text.each_line do |line|