Summary: Updated sudoers approved commands for cloud user

John Kinsella · John Kinsella · commit 45e4d4fc3bb5 · 2013-10-23T13:42:16.000-07:00
Detail: Previously the cloud user has full password-less sudo access.
This commit changes that to only allow access to a specific list of
commands. Been tested in production on ACS 4.0 and 4.2 mangement servers.

BUG-ID: CLOUDSTACK-967
Bugfix-for:
Reviewed-by:
Reported-by:
Signed-off-by: John Kinsella &lt;jlk@stratosec.co&gt; 1382560936 -0700
diff --git a/python/lib/cloudutils/serviceConfig.py b/python/lib/cloudutils/serviceConfig.py
@@ -727,7 +727,7 @@ def __init__(self, syscfg):
     def config(self):
         try:
             cfo = configFileOps("/etc/sudoers", self)
-            cfo.addEntry("cloud ALL ", "NOPASSWD : ALL")
+            cfo.addEntry("cloud ALL ", "NOPASSWD : /bin/chmod, /bin/cp, /bin/mkdir, /bin/mount, /bin/umount")
             cfo.rmEntry("Defaults", "requiretty", " ")
             cfo.save()
             return True
diff --git a/server/conf/cloudstack-sudoers.in b/server/conf/cloudstack-sudoers.in
@@ -18,5 +18,5 @@
 # The CloudStack management server needs sudo permissions
 # without a password.
 
-@MSUSER@ ALL =NOPASSWD : ALL
+@MSUSER@ ALL =NOPASSWD : /bin/chmod, /bin/cp, /bin/mkdir, /bin/mount, /bin/umount
 
diff --git a/tools/appliance/definitions/devcloud/base.sh b/tools/appliance/definitions/devcloud/base.sh
@@ -6,7 +6,7 @@ apt-get -y update
 apt-get -y install curl unzip
 apt-get clean
 
-echo 'cloud ALL=NOPASSWD:ALL' > /etc/sudoers.d/cloud
+echo 'cloud ALL=NOPASSWD:/bin/chmod, /bin/cp, /bin/mkdir, /bin/mount, /bin/umount' > /etc/sudoers.d/cloud
 
 # Tweak sshd to prevent DNS resolution (speed up logins)
 echo 'UseDNS no' >> /etc/ssh/sshd_config
diff --git a/tools/appliance/definitions/systemvm64template/base.sh b/tools/appliance/definitions/systemvm64template/base.sh
@@ -5,7 +5,7 @@ apt-get -y update
 apt-get -y install curl unzip
 
 # Set up sudo
-echo 'vagrant ALL=NOPASSWD:ALL' > /etc/sudoers.d/vagrant
+echo 'vagrant ALL=NOPASSWD:/bin/chmod, /bin/cp, /bin/mkdir, /bin/mount, /bin/umount' > /etc/sudoers.d/vagrant
 
 # Tweak sshd to prevent DNS resolution (speed up logins)
 echo 'UseDNS no' >> /etc/ssh/sshd_config
diff --git a/tools/appliance/definitions/systemvm64template/postinstall.sh b/tools/appliance/definitions/systemvm64template/postinstall.sh
@@ -105,7 +105,7 @@ setup_accounts() {
   echo "root:$ROOTPW" | chpasswd
   echo "cloud:`openssl rand -base64 32`" | chpasswd
   sed -i -e '/Defaults\s\+env_reset/a Defaults\texempt_group=admin' /etc/sudoers
-  sed -i -e 's/%admin ALL=(ALL) ALL/%admin ALL=NOPASSWD:ALL/g' /etc/sudoers
+  sed -i -e 's/%admin ALL=(ALL) ALL/%admin ALL=NOPASSWD:/bin/chmod, /bin/cp, /bin/mkdir, /bin/mount, /bin/umount/g' /etc/sudoers
   # Disable password based authentication via ssh, this will take effect on next reboot
   sed -i -e 's/^.*PasswordAuthentication .*$/PasswordAuthentication no/g' /etc/ssh/sshd_config
   # Secure ~/.ssh
diff --git a/tools/appliance/definitions/systemvmtemplate/base.sh b/tools/appliance/definitions/systemvmtemplate/base.sh
@@ -7,7 +7,7 @@ apt-get -y install curl unzip
 apt-get clean
 
 # Set up sudo, TODO: Check security concerns
-echo 'cloud ALL=NOPASSWD:ALL' > /etc/sudoers.d/cloud
+echo 'cloud ALL=NOPASSWD:/bin/chmod, /bin/cp, /bin/mkdir, /bin/mount, /bin/umount' > /etc/sudoers.d/cloud
 
 # Tweak sshd to prevent DNS resolution (speed up logins)
 echo 'UseDNS no' >> /etc/ssh/sshd_config
diff --git a/tools/appliance/definitions/systemvmtemplate/postinstall.sh b/tools/appliance/definitions/systemvmtemplate/postinstall.sh
@@ -104,7 +104,7 @@ setup_accounts() {
   echo "root:$ROOTPW" | chpasswd
   echo "cloud:`openssl rand -base64 32`" | chpasswd
   sed -i -e '/Defaults\s\+env_reset/a Defaults\texempt_group=admin' /etc/sudoers
-  sed -i -e 's/%admin ALL=(ALL) ALL/%admin ALL=NOPASSWD:ALL/g' /etc/sudoers
+  sed -i -e 's/%admin ALL=(ALL) ALL/%admin ALL=NOPASSWD:/bin/chmod, /bin/cp, /bin/mkdir, /bin/mount, /bin/umount/g' /etc/sudoers
   # Disable password based authentication via ssh, this will take effect on next reboot
   sed -i -e 's/^.*PasswordAuthentication .*$/PasswordAuthentication no/g' /etc/ssh/sshd_config
   # Secure ~/.ssh
diff --git a/tools/devcloud/src/deps/boxes/basebox-build/postinstall.sh b/tools/devcloud/src/deps/boxes/basebox-build/postinstall.sh
@@ -28,7 +28,7 @@ groupadd -r admin
 usermod -a -G admin devcloud
 echo "root:password" | chpasswd
 sed -i -e '/Defaults\s\+env_reset/a Defaults\texempt_group=admin' /etc/sudoers
-sed -i -e 's/%admin ALL=(ALL) ALL/%admin ALL=NOPASSWD:ALL/g' /etc/sudoers
+sed -i -e 's/%admin ALL=(ALL) ALL/%admin ALL=NOPASSWD:/bin/chmod, /bin/cp, /bin/mkdir, /bin/mount, /bin/umount/g' /etc/sudoers
 
 mkdir /home/devcloud/.ssh
 chmod 700 /home/devcloud/.ssh
