cobbler aclsetup feature
So one of the requests I've gotten a lot is how can I run cobbler as
non-root. It's doable with acls, but you have to know which ones to set. I've added the "cobbler aclsetup" command to simply this. Usage: cobbler aclsetup --adduser=mdehaan Now mdehaan can run cobbler commands as himself. Note that the acl permissions granted to mdehaan above are quite large, so we had better hope we can trust him. For the curious those ACL's are: PROCESS_DIRS = { webdir : "rwx", "/var/log/cobbler" : "rwx", "/var/lib/cobbler" : "rwx", "/etc/cobbler" : "rwx", tftpboot : "rwx", "/var/lib/cobbler/triggers" : "rwx" } Should we want to remove them: cobbler aclsetpu --removeuser=mdehaan This also works for groups. It's just "--addgroup" or "--removegroup". If you'd like to play with this, it's on the devel branch in git now. This seems to work for me, one of the next steps seems to be figuring out how to best make this work for cobblerd itself. --Michael _______________________________________________ et-mgmt-tools mailing list et-mgmt-tools@redhat.com https://www.redhat.com/mailman/listinfo/et-mgmt-tools |
cobbler aclsetup feature
Michael DeHaan wrote:
So one of the requests I've gotten a lot is how can I run cobbler as non-root. Er, won't sudo take care of this? R. _______________________________________________ et-mgmt-tools mailing list et-mgmt-tools@redhat.com https://www.redhat.com/mailman/listinfo/et-mgmt-tools |
cobbler aclsetup feature
Robin Bowes wrote:
Michael DeHaan wrote: So one of the requests I've gotten a lot is how can I run cobbler as non-root. Er, won't sudo take care of this? well cobbler will still run as root, won't it ;) a side effect of using sudo to run cobbler commands is that you get some sort of accounting of commands run for "free" in syslog which i think is kinda nice. Although - using ACLs is may be a more elegant solution since it should help lock down some sites where you want junior admins building systems, but don't trust them with sudo yet. just my two bits though... -p -- Peter Wright Systems Engineer Sony Pictures Imageworks wright@imageworks.com www.imageworks.com _______________________________________________ et-mgmt-tools mailing list et-mgmt-tools@redhat.com https://www.redhat.com/mailman/listinfo/et-mgmt-tools |
cobbler aclsetup feature
Peter Wright wrote:
Robin Bowes wrote: Michael DeHaan wrote: So one of the requests I've gotten a lot is how can I run cobbler as non-root. Er, won't sudo take care of this? well cobbler will still run as root, won't it ;) a side effect of using sudo to run cobbler commands is that you get some sort of accounting of commands run for "free" in syslog which i think is kinda nice. Although - using ACLs is may be a more elegant solution since it should help lock down some sites where you want junior admins building systems, but don't trust them with sudo yet. just my two bits though... -p Cheetah templates can essentially contain code, as can cobbler modules, and triggers are pretty much straight up shell scripts. This keeps them being run as you, rather than root. There were some folks that were concerned about needing to run Cobbler as root, and this is for them :) I agree a properly configured sudoers that allows running of the cobbler binary solves most of the needs, but it doesn't allow you access to edit some of things you might want to edit by hand -- this does -- so IMHO it's a bit cleaner. Some things to check in the future is coming up with a nice way to make cobblerd not need root as well. Maybe that makes sense, maybe it doesn't -- I need to figure it out :) --Michael _______________________________________________ et-mgmt-tools mailing list et-mgmt-tools@redhat.com https://www.redhat.com/mailman/listinfo/et-mgmt-tools |
| All times are GMT. The time now is 09:52 PM. |
VBulletin, Copyright ©2000 - 2013, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.