[xen-tools-dev] [PATCH 05/17] Do not copy host sudoers in guest.
Stéphane Jourdois
sjourdois at gmail.com
Sun Jul 25 14:12:37 CEST 2010
As noticed by Dmitry Nedospasov (cf. [1]), the sudoers file should not be
copied by default.
Move this hook to a role, and add a warning about this in the role.
[1] http://xen-tools.org/pipermail/xen-tools-dev/2010-July/000146.html
---
hooks/centos-4/60-copy-host-files | 58 --------------------------------
hooks/centos-5/60-copy-host-files | 58 --------------------------------
hooks/dapper/60-copy-host-files | 22 ------------
hooks/debian/60-copy-host-files | 23 ------------
hooks/edgy/60-copy-host-files | 22 ------------
hooks/fedora-core-6/60-copy-host-files | 58 --------------------------------
hooks/gentoo/60-copy-host-files | 52 ----------------------------
hooks/intrepid/60-copy-host-files | 22 ------------
hooks/karmic/60-copy-host-files | 22 ------------
roles/sudoers | 46 +++++++++++++++++++++++++
10 files changed, 46 insertions(+), 337 deletions(-)
delete mode 100755 hooks/centos-4/60-copy-host-files
delete mode 100755 hooks/centos-5/60-copy-host-files
delete mode 100755 hooks/fedora-core-6/60-copy-host-files
delete mode 100755 hooks/gentoo/60-copy-host-files
create mode 100755 roles/sudoers
diff --git a/hooks/centos-4/60-copy-host-files b/hooks/centos-4/60-copy-host-files
deleted file mode 100755
index 080e90b..0000000
--- a/hooks/centos-4/60-copy-host-files
+++ /dev/null
@@ -1,58 +0,0 @@
-#!/bin/sh
-#
-# Copy files from a 'skel' directory, if present, into the
-# new images
-#
-
-
-prefix=$1
-
-
-#
-# Source our common functions
-#
-if [ -e /usr/lib/xen-tools/common.sh ]; then
- . /usr/lib/xen-tools/common.sh
-else
- . ./hooks/common.sh
-fi
-
-
-#
-# Log our start
-#
-logMessage Script $0 starting
-
-
-#
-# Copy "required" files from our host.
-#
-# NONE DONE
-
-#
-# If the host has sudo then copy the configuration file, and install
-# the package
-#
-if [ -e /etc/sudoers ]; then
-
- logMessage Installing SUDO too.
-
- #
- # Copy file and fixup permissions.
- #
- cp /etc/sudoers ${prefix}/etc
- chown root:root ${prefix}/etc/sudoers
- chmod 440 ${prefix}/etc/sudoers
-
- #
- # Install sudo
- #
- installCentOS4Package ${prefix} sudo
-
-fi
-
-
-#
-# Log our finish
-#
-logMessage Script $0 finished
diff --git a/hooks/centos-5/60-copy-host-files b/hooks/centos-5/60-copy-host-files
deleted file mode 100755
index 080e90b..0000000
--- a/hooks/centos-5/60-copy-host-files
+++ /dev/null
@@ -1,58 +0,0 @@
-#!/bin/sh
-#
-# Copy files from a 'skel' directory, if present, into the
-# new images
-#
-
-
-prefix=$1
-
-
-#
-# Source our common functions
-#
-if [ -e /usr/lib/xen-tools/common.sh ]; then
- . /usr/lib/xen-tools/common.sh
-else
- . ./hooks/common.sh
-fi
-
-
-#
-# Log our start
-#
-logMessage Script $0 starting
-
-
-#
-# Copy "required" files from our host.
-#
-# NONE DONE
-
-#
-# If the host has sudo then copy the configuration file, and install
-# the package
-#
-if [ -e /etc/sudoers ]; then
-
- logMessage Installing SUDO too.
-
- #
- # Copy file and fixup permissions.
- #
- cp /etc/sudoers ${prefix}/etc
- chown root:root ${prefix}/etc/sudoers
- chmod 440 ${prefix}/etc/sudoers
-
- #
- # Install sudo
- #
- installCentOS4Package ${prefix} sudo
-
-fi
-
-
-#
-# Log our finish
-#
-logMessage Script $0 finished
diff --git a/hooks/dapper/60-copy-host-files b/hooks/dapper/60-copy-host-files
index 06eeb1f..8da3b93 100755
--- a/hooks/dapper/60-copy-host-files
+++ b/hooks/dapper/60-copy-host-files
@@ -30,28 +30,6 @@ logMessage Script $0 starting
cp /etc/timezone ${prefix}/etc
cp /etc/localtime ${prefix}/etc
-#
-# If the host has sudo then copy the configuration file, and install
-# the package
-#
-if [ -e /etc/sudoers ]; then
-
- logMessage Installing SUDO too.
-
- #
- # Copy file and fixup permissions.
- #
- cp /etc/sudoers ${prefix}/etc
- chown root:root ${prefix}/etc/sudoers
- chmod 440 ${prefix}/etc/sudoers
-
- #
- # Install sudo
- #
- installDebianPackage ${prefix} sudo
-
-fi
-
#
# Log our finish
diff --git a/hooks/debian/60-copy-host-files b/hooks/debian/60-copy-host-files
index 641fd38..8da3b93 100755
--- a/hooks/debian/60-copy-host-files
+++ b/hooks/debian/60-copy-host-files
@@ -32,29 +32,6 @@ cp /etc/localtime ${prefix}/etc
#
-# If the host has sudo then copy the configuration file, and install
-# the package
-#
-if [ -e /etc/sudoers ]; then
-
- logMessage Installing SUDO too.
-
- #
- # Copy file and fixup permissions.
- #
- cp /etc/sudoers ${prefix}/etc
- chown root:root ${prefix}/etc/sudoers
- chmod 440 ${prefix}/etc/sudoers
-
- #
- # Install sudo
- #
- installDebianPackage ${prefix} sudo
-
-fi
-
-
-#
# Log our finish
#
logMessage Script $0 finished
diff --git a/hooks/edgy/60-copy-host-files b/hooks/edgy/60-copy-host-files
index 06eeb1f..8da3b93 100755
--- a/hooks/edgy/60-copy-host-files
+++ b/hooks/edgy/60-copy-host-files
@@ -30,28 +30,6 @@ logMessage Script $0 starting
cp /etc/timezone ${prefix}/etc
cp /etc/localtime ${prefix}/etc
-#
-# If the host has sudo then copy the configuration file, and install
-# the package
-#
-if [ -e /etc/sudoers ]; then
-
- logMessage Installing SUDO too.
-
- #
- # Copy file and fixup permissions.
- #
- cp /etc/sudoers ${prefix}/etc
- chown root:root ${prefix}/etc/sudoers
- chmod 440 ${prefix}/etc/sudoers
-
- #
- # Install sudo
- #
- installDebianPackage ${prefix} sudo
-
-fi
-
#
# Log our finish
diff --git a/hooks/fedora-core-6/60-copy-host-files b/hooks/fedora-core-6/60-copy-host-files
deleted file mode 100755
index 080e90b..0000000
--- a/hooks/fedora-core-6/60-copy-host-files
+++ /dev/null
@@ -1,58 +0,0 @@
-#!/bin/sh
-#
-# Copy files from a 'skel' directory, if present, into the
-# new images
-#
-
-
-prefix=$1
-
-
-#
-# Source our common functions
-#
-if [ -e /usr/lib/xen-tools/common.sh ]; then
- . /usr/lib/xen-tools/common.sh
-else
- . ./hooks/common.sh
-fi
-
-
-#
-# Log our start
-#
-logMessage Script $0 starting
-
-
-#
-# Copy "required" files from our host.
-#
-# NONE DONE
-
-#
-# If the host has sudo then copy the configuration file, and install
-# the package
-#
-if [ -e /etc/sudoers ]; then
-
- logMessage Installing SUDO too.
-
- #
- # Copy file and fixup permissions.
- #
- cp /etc/sudoers ${prefix}/etc
- chown root:root ${prefix}/etc/sudoers
- chmod 440 ${prefix}/etc/sudoers
-
- #
- # Install sudo
- #
- installCentOS4Package ${prefix} sudo
-
-fi
-
-
-#
-# Log our finish
-#
-logMessage Script $0 finished
diff --git a/hooks/gentoo/60-copy-host-files b/hooks/gentoo/60-copy-host-files
deleted file mode 100755
index 6202ad1..0000000
--- a/hooks/gentoo/60-copy-host-files
+++ /dev/null
@@ -1,52 +0,0 @@
-#!/bin/sh
-#
-# Copy files from a 'skel' directory, if present, into the
-# new images
-#
-
-
-prefix=$1
-
-
-#
-# Source our common functions
-#
-if [ -e /usr/lib/xen-tools/common.sh ]; then
- . /usr/lib/xen-tools/common.sh
-else
- . ./hooks/common.sh
-fi
-
-
-#
-# Log our start
-#
-logMessage Script $0 starting
-
-
-#
-# If the host has sudo then copy the configuration file, and install
-# the package
-#
-if [ -e /etc/sudoers ]; then
-
- logMessage Installing SUDO too.
-
- #
- # Copy file and fixup permissions.
- #
- chown root:root ${prefix}/etc/sudoers
- chmod 440 ${prefix}/etc/sudoers
-
- #
- # Install sudo
- #
- installDebianPackage ${prefix} sudo
-
-fi
-
-
-#
-# Log our finish
-#
-logMessage Script $0 finished
diff --git a/hooks/intrepid/60-copy-host-files b/hooks/intrepid/60-copy-host-files
index 06eeb1f..8da3b93 100755
--- a/hooks/intrepid/60-copy-host-files
+++ b/hooks/intrepid/60-copy-host-files
@@ -30,28 +30,6 @@ logMessage Script $0 starting
cp /etc/timezone ${prefix}/etc
cp /etc/localtime ${prefix}/etc
-#
-# If the host has sudo then copy the configuration file, and install
-# the package
-#
-if [ -e /etc/sudoers ]; then
-
- logMessage Installing SUDO too.
-
- #
- # Copy file and fixup permissions.
- #
- cp /etc/sudoers ${prefix}/etc
- chown root:root ${prefix}/etc/sudoers
- chmod 440 ${prefix}/etc/sudoers
-
- #
- # Install sudo
- #
- installDebianPackage ${prefix} sudo
-
-fi
-
#
# Log our finish
diff --git a/hooks/karmic/60-copy-host-files b/hooks/karmic/60-copy-host-files
index 06eeb1f..8da3b93 100755
--- a/hooks/karmic/60-copy-host-files
+++ b/hooks/karmic/60-copy-host-files
@@ -30,28 +30,6 @@ logMessage Script $0 starting
cp /etc/timezone ${prefix}/etc
cp /etc/localtime ${prefix}/etc
-#
-# If the host has sudo then copy the configuration file, and install
-# the package
-#
-if [ -e /etc/sudoers ]; then
-
- logMessage Installing SUDO too.
-
- #
- # Copy file and fixup permissions.
- #
- cp /etc/sudoers ${prefix}/etc
- chown root:root ${prefix}/etc/sudoers
- chmod 440 ${prefix}/etc/sudoers
-
- #
- # Install sudo
- #
- installDebianPackage ${prefix} sudo
-
-fi
-
#
# Log our finish
diff --git a/roles/sudoers b/roles/sudoers
new file mode 100755
index 0000000..b6b3df1
--- /dev/null
+++ b/roles/sudoers
@@ -0,0 +1,46 @@
+#!/bin/sh
+#
+# This role installs sudo with host sudoers file.
+#
+
+prefix=$1
+
+#
+# Source our common functions - this will let us install a Debian package.
+#
+if [ -e /usr/lib/xen-tools/common.sh ]; then
+ . /usr/lib/xen-tools/common.sh
+else
+ echo "Installation problem"
+fi
+
+
+#
+# Log our start
+#
+logMessage Script $0 starting
+
+
+#
+# Install sudo package
+#
+installDebianPackage ${prefix} sudo
+
+#
+# WARNING :
+#
+# Copying this file means that root users in guest will KNOW who is
+# root on host.
+#
+
+#
+# Copy dom0's file to domU.
+#
+cp /etc/sudoers ${prefix}/etc/
+chown root:root ${prefix}/etc/sudoers
+chmod 440 ${prefix}/etc/sudoers
+
+#
+# Log our finish
+#
+logMessage Script $0 finished
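Review bot: The `else` branch at the top of the new roles/sudoers only prints "Installation problem" and carries on, so when common.sh is missing, `logMessage` and `installDebianPackage` are undefined yet the script still copies /etc/sudoers into the guest; add `exit 1` after the echo. The copy is also unconditional now, whereas the removed hooks guarded it with `if [ -e /etc/sudoers ]`, and `${prefix}` is unquoted and never checked for being empty; a guard such as `[ -n "${prefix}" ] && [ -e /etc/sudoers ] || exit 1` before the `cp`, with `"${prefix}"` quoted in the three commands, would cover both. The WARNING comment should also say that the guest inherits the host's whole sudo policy, so any guest account or group whose name matches an entry gets those rights in the guest, in addition to guest root learning who is privileged on the host. The role always calls `installDebianPackage`, while the deleted CentOS and Fedora hooks called `installCentOS4Package`, so it presumably only suits Debian-family guests, which the header comment could state.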
--
1.7.2