Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Remove hardcodes password for sudoer postscript #6166

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Remove hardcodes password for sudoer postscript #6166

wants to merge 1 commit into from

Conversation

cxhong
Copy link
Contributor

@cxhong cxhong commented Mar 25, 2019

The PR is to fix issue #5115

The modification include

##Remove hardcodes username and password for sudoer
-##User needs to pass in arguments for sudoer username and password

The UT result

##The UT output##

# updatenode mid08tor03cn01 -P sudoer
mid08tor03cn01: =============updatenode starting====================
mid08tor03cn01: trying to download postscripts...
mid08tor03cn01: postscripts downloaded successfully
mid08tor03cn01: trying to get mypostscript from 172.20.254.2...
mid08tor03cn01: postscript start..: sudoer
mid08tor03cn01:
mid08tor03cn01: Usage: ./sudoer -u username -p password
mid08tor03cn01:         -u sudoer user name
mid08tor03cn01:         -p sudoer password
mid08tor03cn01: postscript end....: sudoer exited with code 1
mid08tor03cn01: Running of postscripts has completed.
mid08tor03cn01: =============updatenode ending====================


# updatenode mid08tor03cn01 -P "sudoer -u xcat2 -p rootpw"
mid08tor03cn01: =============updatenode starting====================
mid08tor03cn01: trying to download postscripts...
mid08tor03cn01: postscripts downloaded successfully
mid08tor03cn01: trying to get mypostscript from 172.20.254.2...
mid08tor03cn01: postscript start..: sudoer
mid08tor03cn01: postscript end....: sudoer exited with code 0
mid08tor03cn01: Running of postscripts has completed.
mid08tor03cn01: =============updatenode ending====================

[root@boston02 ~]# ssh xcat2@mid08tor03cn01
xcat2@mid08tor03cn01's password:
[xcat2@mid08tor03cn01 ~]$ pwd
/home/xcat2

@cxhong cxhong added this to the 2.15 milestone Mar 25, 2019
@cxhong cxhong requested a review from immarvin March 25, 2019 17:36
immarvin
immarvin reviewed Mar 26, 2019
View reviewed changes
xCAT/postscripts/sudoer
esac
done

if [ -z "$SUDOER" ] || [ -z $SUDOERPW ]
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

suggest $SUDOER and $SUDOERPW be set to default value if not specified to keep backward compatibility

neo954
neo954 suggested changes Mar 26, 2019
View reviewed changes
Copy link
Contributor

@neo954 neo954 left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't like the idea of using command line argument to pass the password. This idea is even worse than hard code the password. I list some of the reasons below.

  • User might need to run something like chdef mid08tor03cn01 -p 'postscripts=sudoer -u xcat2 -p rootpw' to make it works. It is complex.
  • It use to have a single place to change the default password. Now it is scattered to node attribute across different compute nodes.
  • Passing password with command line argument is insecure. The command line argument can be read by ps ax.

@cxhong
Copy link
Contributor Author

cxhong commented Mar 26, 2019
edited
Loading

@neo954 , any suggestion which method will be better? I think we should support different sudoer so can't define in the site table, or passwd table, or node attributes. can we prompt the command and ask for user input? I think another options is reading user/password from a file.

@besawn besawn assigned besawn and unassigned immarvin Aug 29, 2019
@gurevichmark gurevichmark modified the milestones: 2.15, 2.15.1 Nov 12, 2019
@cxhong cxhong closed this Nov 12, 2019
@cxhong cxhong deleted the 5115 branch November 12, 2019 20:37
@cxhong cxhong restored the 5115 branch November 13, 2019 14:37
@cxhong cxhong reopened this Nov 13, 2019
@gurevichmark gurevichmark modified the milestones: 2.15.1, 2.16.1 Jun 4, 2020
@besawn besawn modified the milestones: 2.16.1, 2.16.2 Oct 27, 2020
@peterwywong peterwywong removed this from the 2.16.2 milestone May 17, 2021
@CLAassistant
Copy link

CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
You have signed the CLA already but the status is still pending? Let us recheck it.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@immarvin immarvin immarvin left review comments

@neo954 neo954 neo954 requested changes

At least 1 approving review is required to merge this pull request.

Assignees

@besawn besawn

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
7 participants
@cxhong @CLAassistant @immarvin @neo954 @gurevichmark @besawn @peterwywong