06-06-2008, 07:53 PM
Michael DeHaan

cobbler aclsetup feature

So one of the requests I've gotten a lot is how can I run cobbler as
non-root.

It's doable with acls, but you have to know which ones to set.
I've added the "cobbler aclsetup" command to simplify this.

Usage:

cobbler aclsetup --adduser=mdehaan

Now mdehaan can run cobbler commands as himself.

Note that the acl permissions granted to mdehaan above are quite large,
so we had better hope we can trust him.

For the curious, those ACLs are:

    PROCESS_DIRS = {
        webdir                      : "rwx",
        "/var/log/cobbler"          : "rwx",
        "/var/lib/cobbler"          : "rwx",
        "/etc/cobbler"              : "rwx",
        tftpboot                    : "rwx",
        "/var/lib/cobbler/triggers" : "rwx"
    }

Should we want to remove them:

cobbler aclsetup --removeuser=mdehaan

This also works for groups.

It's just "--addgroup" or "--removegroup".

If you'd like to play with this, it's on the devel branch in git now.

This seems to work for me; one of the next steps seems to be figuring
out how to best make this work for cobblerd itself.

--Michael


_______________________________________________
et-mgmt-tools mailing list
et-mgmt-tools@redhat.com
https://www.redhat.com/mailman/listinfo/et-mgmt-tools
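
An added example, not part of the original thread and not Cobbler's own code: because the grants listed in the post above are broad, this script parses `getfacl -R -p` output and reports every named user or group whose effective rights (entry combined with the ACL mask) still include write on the literal paths from the post. The sample text, the names jdoe and builders, and the function names are constructed for illustration.

```python
import subprocess

# Literal paths from the post; webdir and tftpboot are site settings to add.
COBBLER_DIRS = ["/var/log/cobbler", "/var/lib/cobbler", "/etc/cobbler",
                "/var/lib/cobbler/triggers"]
# Constructed getfacl output (not captured from a real host).
SAMPLE = """\
# file: /var/lib/cobbler/triggers
user::rwx
user:mdehaan:rwx
mask::rwx
default:user:mdehaan:rwx
default:mask::rwx

# file: /etc/cobbler
user:jdoe:rwx\t\t#effective:r-x
group:builders:rwx\t#effective:r-x
mask::r-x
"""

def writable_grants(getfacl_text):
    """Named user/group ACL entries whose effective rights include write."""
    findings, path, entries, masks = [], None, [], {}
    for line in getfacl_text.splitlines() + [""]:
        line = line.split("#effective")[0].strip()
        if line.startswith("# file: "):
            path = line[len("# file: "):]
        elif not line:  # blank line closes one file's block: apply its masks
            for scope, kind, name, perms in entries:
                mask = masks.get(scope, "rwx")  # no mask entry: unrestricted
                eff = "".join(p if p == m else "-" for p, m in zip(perms, mask))
                if "w" in eff:
                    findings.append((path, scope, kind, name, eff))
            entries, masks = [], {}
        elif not line.startswith("#"):
            scope = "access"
            if line.startswith("default:"):  # inherited by newly created files
                scope, line = "default", line[len("default:"):]
            kind, name, perms = line.split(":")[:3]
            if kind == "mask":
                masks[scope] = perms
            elif kind in ("user", "group") and name:  # named entries only
                entries.append((scope, kind, name, perms))
    return sorted(set(findings))

def audit(dirs=COBBLER_DIRS):
    """Run getfacl recursively (-R) with absolute names (-p) and parse it."""
    cmd = ["getfacl", "-R", "-p", *dirs]
    return writable_grants(subprocess.check_output(cmd, text=True))
```

On the sample, mdehaan is reported for both the access and default ACL of the triggers directory, while jdoe and builders are not, because the mask on /etc/cobbler removes their write bit.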
 
06-06-2008, 09:07 PM
Robin Bowes

cobbler aclsetup feature

Michael DeHaan wrote:
> So one of the requests I've gotten a lot is how can I run cobbler as
> non-root.

Er, won't sudo take care of this?

R.

 
06-06-2008, 09:15 PM
Peter Wright

cobbler aclsetup feature

Robin Bowes wrote:
> Michael DeHaan wrote:
>> So one of the requests I've gotten a lot is how can I run cobbler as
>> non-root.
>
> Er, won't sudo take care of this?

well cobbler will still run as root, won't it

a side effect of using sudo to run cobbler commands is that you get some
sort of accounting of commands run for "free" in syslog which i think is
kinda nice.

Although - using ACLs may be a more elegant solution since it should
help lock down some sites where you want junior admins building systems,
but don't trust them with sudo yet.

just my two bits though...

-p

--
Peter Wright
Systems Engineer
Sony Pictures Imageworks
wright@imageworks.com
www.imageworks.com


 
06-06-2008, 09:53 PM
Michael DeHaan

cobbler aclsetup feature

Peter Wright wrote:
> Robin Bowes wrote:
>> Michael DeHaan wrote:
>>> So one of the requests I've gotten a lot is how can I run cobbler as
>>> non-root.
>>
>> Er, won't sudo take care of this?
>
> well cobbler will still run as root, won't it
>
> a side effect of using sudo to run cobbler commands is that you get
> some sort of accounting of commands run for "free" in syslog which i
> think is kinda nice.
> Although - using ACLs may be a more elegant solution since it
> should help lock down some sites where you want junior admins building
> systems, but don't trust them with sudo yet.
>
> just my two bits though...
>
> -p

Cheetah templates can essentially contain code, as can cobbler modules,
and triggers are pretty much straight up shell scripts.

This keeps them being run as you, rather than root.

There were some folks that were concerned about needing to run Cobbler
as root, and this is for them.

I agree a properly configured sudoers that allows running of the cobbler
binary solves most of the needs, but it doesn't allow you access to edit
some of the things you might want to edit by hand -- this does -- so IMHO
it's a bit cleaner. Something to check in the future is coming up
with a nice way to make cobblerd not need root as well. Maybe that
makes sense, maybe it doesn't -- I need to figure it out.


--Michael




 

All times are GMT.