在代码中我们常常需要在普通用户下以root用户免密码运行一些命令,例如:
sudo neutron-rootwrap /etc/neutron/rootwrap.conf ip netns exec qrouter-d5943aab-4110-4856-bfd5-fb6cea4ee09b neutron-netns-wrapper --mount_paths=/etc:/tmp/tmpdQuMgD/tmpCKrcBq/ipsec/d5943aab-4110-4856-bfd5-fb6cea4ee09b/etc,/var/run:/tmp/tmpdQuMgD/tmpCKrcBq/ipsec/d5943aab-4110-4856-bfd5-fb6cea4ee09b/var/run --cmd=ipsec,status
Neutron是这样实现的,首先它定义了一个sudoer文件。
$ sudo cat /etc/sudoers.d/neutron-rootwrap
hua ALL=(root) NOPASSWD: /usr/local/bin/neutron-rootwrap /etc/neutron/rootwrap.conf *
在/etc/neutron/rootwrap.conf文件中定义了filters_path参数指明哪个目录下列举的命令需要以root执行:
filters_path=/etc/neutron/rootwrap.d
exec_dirs=/sbin,/usr/sbin,/bin,/usr/bin
定义命令的格式是:
cmd-name: filter-name, raw-command, user, args
其中,命令过滤器有如下7种:
RegExpFilter, 例如允许运行带有3个参数且前两个参数是-b和-t的tunctl命令:
tunctl: /usr/sbin/tunctl, root, tunctl, -b, -t, .*
PathFilter, 例如允许将/var/lib/images目录下的任何文件chown给nova用户:
chown: PathFilter, /bin/chown, root, nova, /var/lib/images
EnvFilter, 例如允许加环境变量CONFIG_FILE与NETWORK_ID来运行dnsmasq命令 dnsmasq: EnvFilter, env, root, CONFIG_FILE=, NETWORK_ID=, dnsmasq
ReadFileFilter, 例如允许执行cat /etc/iscsi/initiatorname.iscsi
read_initiator: ReadFileFilter, /etc/iscsi/initiatorname.iscsi
KillFilter, 例如允许对dnsmasq进程发-9或-HUP信号
kill_dnsmasq: KillFilter, root, /usr/sbin/dnsmasq, -9, -HUP
IpFilter, 例如允许运行任何ip命令,除了 ip netns exec and ip netns monitor
ip: IpFilter, ip, root
IpNetnsExecFilter, 例如允许运行命令ip netns exec <namespace> <command>
ip: IpNetnsExecFilter, ip, root
CommandFilter, 例如允许以root用户运行kpartx命令
kpartx: CommandFilter, kpartx, root
sudo neutron-rootwrap /etc/neutron/rootwrap.conf ip netns exec qrouter-d5943aab-4110-4856-bfd5-fb6cea4ee09b neutron-netns-wrapper --mount_paths=/etc:/tmp/tmpdQuMgD/tmpCKrcBq/ipsec/d5943aab-4110-4856-bfd5-fb6cea4ee09b/etc,/var/run:/tmp/tmpdQuMgD/tmpCKrcBq/ipsec/d5943aab-4110-4856-bfd5-fb6cea4ee09b/var/run --cmd=ipsec,status
Neutron是这样实现的,首先它定义了一个sudoer文件。
$ sudo cat /etc/sudoers.d/neutron-rootwrap
hua ALL=(root) NOPASSWD: /usr/local/bin/neutron-rootwrap /etc/neutron/rootwrap.conf *
在/etc/neutron/rootwrap.conf文件中定义了filters_path参数指明哪个目录下列举的命令需要以root执行:
filters_path=/etc/neutron/rootwrap.d
exec_dirs=/sbin,/usr/sbin,/bin,/usr/bin
定义命令的格式是:
cmd-name: filter-name, raw-command, user, args
其中,命令过滤器有如下7种:
RegExpFilter, 例如允许运行带有3个参数且前两个参数是-b和-t的tunctl命令:
tunctl: /usr/sbin/tunctl, root, tunctl, -b, -t, .*
PathFilter, 例如允许将/var/lib/images目录下的任何文件chown给nova用户:
chown: PathFilter, /bin/chown, root, nova, /var/lib/images
EnvFilter, 例如允许加环境变量CONFIG_FILE与NETWORK_ID来运行dnsmasq命令 dnsmasq: EnvFilter, env, root, CONFIG_FILE=, NETWORK_ID=, dnsmasq
ReadFileFilter, 例如允许执行cat /etc/iscsi/initiatorname.iscsi
read_initiator: ReadFileFilter, /etc/iscsi/initiatorname.iscsi
KillFilter, 例如允许对dnsmasq进程发-9或-HUP信号
kill_dnsmasq: KillFilter, root, /usr/sbin/dnsmasq, -9, -HUP
IpFilter, 例如允许运行任何ip命令,除了 ip netns exec and ip netns monitor
ip: IpFilter, ip, root
IpNetnsExecFilter, 例如允许运行命令ip netns exec <namespace> <command>
ip: IpNetnsExecFilter, ip, root
CommandFilter, 例如允许以root用户运行kpartx命令
kpartx: CommandFilter, kpartx, root