diff --git a/debian/rules b/debian/rules
index 66a36239be3e..a9f95798c371 100755
--- a/debian/rules
+++ b/debian/rules
@@ -72,8 +72,8 @@ override_dh_auto_install:
 # nast hack for a couple of configuration files
 mv $(DESTDIR)/$(SYSCONFDIR)/$(PACKAGE)/server/cloudstack-limits.conf $(DESTDIR)/$(SYSCONFDIR)/security/limits.d/
- mv $(DESTDIR)/$(SYSCONFDIR)/$(PACKAGE)/server/cloudstack-sudoers $(DESTDIR)/$(SYSCONFDIR)/sudoers.d/cloudstack
- chmod 0440 $(DESTDIR)/$(SYSCONFDIR)/sudoers.d/cloudstack
+ mv $(DESTDIR)/$(SYSCONFDIR)/$(PACKAGE)/server/cloudstack-sudoers $(DESTDIR)/$(SYSCONFDIR)/sudoers.d/$(PACKAGE)
+ chmod 0440 $(DESTDIR)/$(SYSCONFDIR)/sudoers.d/$(PACKAGE)
 ln -s tomcat6-nonssl.conf $(DESTDIR)/$(SYSCONFDIR)/$(PACKAGE)/management/tomcat6.conf
 ln -s server-nonssl.xml $(DESTDIR)/$(SYSCONFDIR)/$(PACKAGE)/management/server.xml
diff --git a/packaging/centos63/cloud.spec b/packaging/centos63/cloud.spec
index afa29b8d1188..9bb2b9caf169 100644
--- a/packaging/centos63/cloud.spec
+++ b/packaging/centos63/cloud.spec
@@ -225,6 +225,7 @@ mkdir -p ${RPM_BUILD_ROOT}%{_localstatedir}/%{name}/management
 mkdir -p ${RPM_BUILD_ROOT}%{_initrddir}
 mkdir -p ${RPM_BUILD_ROOT}%{_sysconfdir}/sysconfig
 mkdir -p ${RPM_BUILD_ROOT}%{_sysconfdir}/profile.d
+mkdir -p ${RPM_BUILD_ROOT}%{_sysconfdir}/sudoers.d
 # Common
 mkdir -p ${RPM_BUILD_ROOT}%{_datadir}/%{name}-common/scripts
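Review bot: In debian/rules, the sudoers.d file name now comes from `$(PACKAGE)`, and sudo's `#includedir` skips files whose names contain a `.` or end in `~`, so a package name with a dot would silently disable the rule. If `$(PACKAGE)` expands to anything other than `cloudstack` (its value is not visible in this hunk), upgraded hosts would also keep the old `sudoers.d/cloudstack` conffile as a second, unmanaged grant, which would need a conffile removal in the maintainer scripts. A comment above the `mv` would record the naming constraint, e.g. `# sudoers.d file name must not contain '.' or end in '~' (sudo skips such files)`. The override_dh_auto_install recipe starts and continues outside the hunk.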
@@ -297,6 +298,7 @@ install -D client/target/pythonlibs/jasypt-1.9.2.jar ${RPM_BUILD_ROOT}%{_datadir
 install -D packaging/centos63/cloud-ipallocator.rc ${RPM_BUILD_ROOT}%{_initrddir}/%{name}-ipallocator
 install -D packaging/centos63/cloud-management.rc ${RPM_BUILD_ROOT}%{_initrddir}/%{name}-management
 install -D packaging/centos63/cloud-management.sysconfig ${RPM_BUILD_ROOT}%{_sysconfdir}/sysconfig/%{name}-management
+install -D server/target/conf/cloudstack-sudoers ${RPM_BUILD_ROOT}%{_sysconfdir}/sudoers.d/%{name}-management
 install -D packaging/centos63/tomcat.sh ${RPM_BUILD_ROOT}%{_initrddir}/tomcat.sh
 chmod 770 ${RPM_BUILD_ROOT}%{_sysconfdir}/%{name}/management/Catalina
@@ -536,6 +538,7 @@ fi
 %dir %attr(0770,root,cloud) %{_localstatedir}/cache/%{name}/management/temp
 %dir %attr(0770,root,cloud) %{_localstatedir}/log/%{name}/management
 %config(noreplace) %{_sysconfdir}/sysconfig/%{name}-management
+%config(noreplace) %{_sysconfdir}/sudoers.d/%{name}-management
 %config(noreplace) %attr(0640,root,cloud) %{_sysconfdir}/%{name}/management/db.properties
 %config(noreplace) %{_sysconfdir}/%{name}/management/log4j-cloud.xml
 %config(noreplace) %{_sysconfdir}/%{name}/management/tomcat6-nonssl.conf
diff --git a/packaging/centos7/cloud-management.sudoers b/packaging/centos7/cloud-management.sudoers
deleted file mode 100644
index ad79cae27073..000000000000
--- a/packaging/centos7/cloud-management.sudoers
+++ /dev/null
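Review bot: The added `install -D server/target/conf/cloudstack-sudoers …` line in the @@ -297 hunk of packaging/centos63/cloud.spec sets no mode, so the sudoers drop-in is staged with install's default 0755, and the `%config(noreplace)` entry added in the @@ -536 `%files` hunk carries no `%attr` to correct it. debian/rules in this same commit sets 0440 explicitly; sudo expects drop-ins to be root-owned and not group- or world-writable, and 0440 is the documented convention. Suggest `install -D -m 0440 server/target/conf/cloudstack-sudoers ${RPM_BUILD_ROOT}%{_sysconfdir}/sudoers.d/%{name}-management` and `%config(noreplace) %attr(0440,root,root) %{_sysconfdir}/sudoers.d/%{name}-management`. The same install line in packaging/centos7/cloud.spec (@@ -272 hunk) has the same gap; its `%files` entry is outside this diff.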
@@ -1,22 +0,0 @@
-# Licensed to the Apache Software Foundation (ASF) under one
-# or more contributor license agreements. See the NOTICE file
-# distributed with this work for additional information
-# regarding copyright ownership. The ASF licenses this file
-# to you under the Apache License, Version 2.0 (the
-# "License"); you may not use this file except in compliance
-# with the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing,
-# software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-# KIND, either express or implied. See the License for the
-# specific language governing permissions and limitations
-# under the License.
-
-Cmnd_Alias CLOUDSTACK = /bin/mkdir, /bin/mount, /bin/umount, /bin/cp, /bin/chmod, /usr/bin/keytool, /bin/keytool
-
-Defaults:cloud !requiretty
-
-cloud ALL=(root) NOPASSWD:CLOUDSTACK
diff --git a/packaging/centos7/cloud.spec b/packaging/centos7/cloud.spec
index 71034fcfef4e..60d116c8d898 100644
--- a/packaging/centos7/cloud.spec
+++ b/packaging/centos7/cloud.spec
@@ -199,6 +199,7 @@ mkdir -p ${RPM_BUILD_ROOT}%{_localstatedir}/%{name}/management
 mkdir -p ${RPM_BUILD_ROOT}%{_initrddir}
 mkdir -p ${RPM_BUILD_ROOT}%{_sysconfdir}/sysconfig
 mkdir -p ${RPM_BUILD_ROOT}%{_sysconfdir}/profile.d
+mkdir -p ${RPM_BUILD_ROOT}%{_sysconfdir}/sudoers.d
 # Common
 mkdir -p ${RPM_BUILD_ROOT}%{_datadir}/%{name}-common/scripts
@@ -272,8 +273,8 @@ install -D client/target/pythonlibs/jasypt-1.9.2.jar ${RPM_BUILD_ROOT}%{_datadir
 install -D packaging/centos7/cloud-ipallocator.rc ${RPM_BUILD_ROOT}%{_initrddir}/%{name}-ipallocator
 install -D packaging/centos7/cloud-management.sysconfig ${RPM_BUILD_ROOT}%{_sysconfdir}/sysconfig/%{name}-management
+install -D server/target/conf/cloudstack-sudoers ${RPM_BUILD_ROOT}%{_sysconfdir}/sudoers.d/%{name}-management
 install -D packaging/centos7/cloud-management.service ${RPM_BUILD_ROOT}%{_unitdir}/%{name}-management.service
-install -D packaging/centos7/cloud-management.sudoers ${RPM_BUILD_ROOT}%{_sysconfdir}/sudoers.d/%{name}-management
 install -D packaging/centos7/cloud.limits ${RPM_BUILD_ROOT}%{_sysconfdir}/security/limits.d/cloud
 touch ${RPM_BUILD_ROOT}%{_localstatedir}/run/%{name}-management.pid
diff --git a/python/lib/cloudutils/configFileOps.py b/python/lib/cloudutils/configFileOps.py
index 363b78d6d361..e93182464d53 100644
--- a/python/lib/cloudutils/configFileOps.py
+++ b/python/lib/cloudutils/configFileOps.py
@@ -175,11 +175,3 @@ def backup(self):
 self.add_lines(oldLine, False)
 else:
 self.replace_lines(newLine, oldLine, False)
-
-if __name__ == '__main__':
- cfo = configFileOps("./sudoers")
- #cloud ALL = NOPASSWD : ALL
- cfo.addEntry("cloud ALL ", "NOPASSWD : ALL")
- cfo.rmEntry("Defaults", "requiretty", " ")
- #cfo.addEntry("zone", "test", " ")
- cfo.save()
diff --git a/python/lib/cloudutils/serviceConfig.py b/python/lib/cloudutils/serviceConfig.py
index 86f5a904f2da..de9ec5266eba 100755
--- a/python/lib/cloudutils/serviceConfig.py
+++ b/python/lib/cloudutils/serviceConfig.py
@@ -721,24 +721,6 @@ def config(self):
 def restore(self):
 return True
-
-class sudoersConfig(serviceCfgBase):
- def __init__(self, syscfg):
- super(sudoersConfig, self).__init__(syscfg)
- self.serviceName = "sudoers"
- def config(self):
- try:
- cfo = configFileOps("/etc/sudoers", self)
- cfo.addEntry("cloud ALL ", "NOPASSWD : /bin/chmod, /bin/cp, /bin/mkdir, /bin/mount, /bin/umount, /usr/bin/keytool")
- cfo.rmEntry("Defaults", "requiretty", " ")
- cfo.save()
- return True
- except:
- raise
-
- def restore(self):
- return True
-
 class firewallConfigServer(firewallConfigBase):
 def __init__(self, syscfg):
 super(firewallConfigServer, self).__init__(syscfg)
diff --git a/python/lib/cloudutils/syscfg.py b/python/lib/cloudutils/syscfg.py
index 290f56ccdd67..467fcf190e3c 100755
--- a/python/lib/cloudutils/syscfg.py
+++ b/python/lib/cloudutils/syscfg.py
@@ -206,12 +206,10 @@ class sysConfigServerRedhat(sysConfigServer):
 def __init__(self, glbEnv):
 super(sysConfigServerRedhat, self).__init__(glbEnv)
 self.svo = serviceOpsRedhat()
- self.services = [sudoersConfig(self),
- firewallConfigServer(self)]
+ self.services = [firewallConfigServer(self)]
 class sysConfigServerUbuntu(sysConfigServer):
 def __init__(self, glbEnv):
 super(sysConfigServerUbuntu, self).__init__(glbEnv)
 self.svo = serviceOpsUbuntu()
- self.services = [sudoersConfig(self),
- ubuntuFirewallConfigServer(self)]
+ self.services = [ubuntuFirewallConfigServer(self)]
diff --git a/server/conf/cloudstack-sudoers.in b/server/conf/cloudstack-sudoers.in
index 069016434c76..908d2f4733f4 100644
--- a/server/conf/cloudstack-sudoers.in
+++ b/server/conf/cloudstack-sudoers.in
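Review bot: Dropping `sudoersConfig` from `self.services` in sysConfigServerRedhat and sysConfigServerUbuntu (python/lib/cloudutils/syscfg.py) stops new edits to /etc/sudoers, but hosts already set up by the removed class keep the `cloud ALL NOPASSWD : …` entry it wrote there, plus whatever its `rmEntry("Defaults", "requiretty", " ")` call changed. That legacy grant sits outside package management next to the packaged sudoers.d file, so tightening or removing the drop-in later would not reduce privileges on upgraded hosts. Nothing visible in this diff removes the old entry; consider an upgrade step or a release note telling operators to delete it. A comment at each services list would also help, e.g. `# sudo rules ship as a packaged sudoers.d drop-in; do not edit /etc/sudoers here`.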
@@ -18,5 +18,8 @@
 # The CloudStack management server needs sudo permissions
 # without a password.
-@MSUSER@ ALL =NOPASSWD : /bin/chmod, /bin/cp, /bin/mkdir, /bin/mount, /bin/umount
+Cmnd_Alias CLOUDSTACK = /bin/mkdir, /bin/mount, /bin/umount, /bin/cp, /bin/chmod, /usr/bin/keytool, /bin/keytool
+Defaults:@MSUSER@ !requiretty
+
+@MSUSER@ ALL=(root) NOPASSWD:CLOUDSTACK
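Review bot: `Cmnd_Alias CLOUDSTACK` lists `/bin/cp`, `/bin/chmod`, `/bin/mount` and the other commands with no argument restrictions, and the rule runs them as root with NOPASSWD, so @MSUSER@ is effectively root-equivalent on the host. The header comment only says the server needs sudo permissions without a password; it should state that scope so operators treat the account as privileged, e.g. `# NOTE: commands are not restricted by argument; @MSUSER@ is root-equivalent on this host.` Where the management server's call sites use fixed paths, constraining the alias entries to those arguments would narrow the grant. `Defaults:@MSUSER@ !requiretty` is scoped to the one user rather than set globally, which is the right form.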