
Re: [Xen-users] console access to non root xen 3.0


  • To: xen-users@xxxxxxxxxxxxxxxxxxx
  • From: Dominic Hargreaves <dom@xxxxxxxx>
  • Date: Wed, 5 Apr 2006 16:12:55 +0100
  • Delivery-date: Wed, 05 Apr 2006 08:13:22 -0700
  • List-id: Xen user discussion <xen-users.lists.xensource.com>

On Wed, Apr 05, 2006 at 10:19:11AM -0400, Steve Brueckner wrote:

> the user permission to execute 'xm console'.  For access to a specific domU
> you'd also need to use a separate domU config file for that domain, and give
> the user additional sudo access to execute 'xm list.'  Then you can write a
> little script the user can execute (but not write!) that will list running
> domU's, grep the results for the custom config file name, and awk the output
> line for that domain's Id.  Finally, the script would call 'xm console
> <id>'.

Ick! No.

Just give them sudo access to run /usr/sbin/xm console <their name>.
There's no need to parse the output of xm list.

As part of my domain setup script I have

echo "$1 ALL=NOPASSWD:/usr/sbin/xm console $1, /usr/sbin/xm create -c /etc/xen/hosted/$1, /usr/sbin/xm destroy $1, /usr/sbin/reimage-dom $1 ?" >> /etc/sudoers

where reimage-dom is a script that unpacks a fresh tarball onto their
filesystem. Their shell is then set to a custom shell script which
provides a menu interface to let them run these commands, and these
only.

Don't ever let users onto a dom0 machine unless you want them to have
effective root onto all machines. The stakes are too high.

Cheers,

Dominic.

-- 
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)
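
Added example, not part of the original message or the poster's setup script: one way to build the sudoers rule quoted above while rejecting names that sudoers would treat specially (wildcards, commas, the ALL keyword) before anything is written. Assumptions: domain names are lowercase [a-z0-9_-] starting with a letter, sudo reads /etc/sudoers.d, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: per-user sudoers rule for a Xen domU, with input validation.
LC_ALL=C; export LC_ALL    # make the [a-z] ranges below byte-exact

# Assumed naming policy: starts with a letter, then [a-z0-9_-], max 32 chars.
# This rejects sudoers wildcards (* ? [ ]), commas, spaces, slashes, the
# ALL keyword and purely numeric names.
valid_name() {
    case "$1" in
        ''|[!a-z]*|*[!a-z0-9_-]*) return 1 ;;
    esac
    [ "${#1}" -le 32 ]
}

# Print the rule from the post for one validated name; nothing is written.
sudoers_rule() {
    valid_name "$1" || { echo "invalid domain name: $1" >&2; return 1; }
    printf '%s ALL=NOPASSWD:/usr/sbin/xm console %s, ' "$1" "$1"
    printf '/usr/sbin/xm create -c /etc/xen/hosted/%s, ' "$1"
    printf '/usr/sbin/xm destroy %s, /usr/sbin/reimage-dom %s ?\n' "$1" "$1"
}

# Syntax-check the rule with visudo, then install it as its own drop-in
# file instead of appending to /etc/sudoers. Needs root.
install_rule() {
    tmp=$(mktemp) || return 1
    if sudoers_rule "$1" > "$tmp" && visudo -cf "$tmp" >/dev/null; then
        install -m 0440 -o root -g root "$tmp" "/etc/sudoers.d/xen-$1"
        rc=$?
    else
        rc=1
    fi
    rm -f "$tmp"
    return "$rc"
}
```

Run install_rule NAME as root from the domain setup script; a rejected name or a failed visudo check leaves the sudoers configuration untouched.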
