Re: [Xen-users] console access to non root xen 3.0
On Wed, Apr 05, 2006 at 10:19:11AM -0400, Steve Brueckner wrote:

> the user permission to execute 'xm console'. For access to a specific domU
> you'd also need to use a separate domU config file for that domain, and give
> the user additional sudo access to execute 'xm list.' Then you can write a
> little script the user can execute (but not write!) that will list running
> domU's, grep the results for the custom config file name, and awk the output
> line for that domain's Id. Finally, the script would call 'xm console
> <id>'. Ick!

No. Just give them sudo access to run /usr/sbin/xm console <their name>.
There's no need to parse the output of xm list. As part of my domain setup
script I have

    echo "$1 ALL=NOPASSWD:/usr/sbin/xm console $1, /usr/sbin/xm create -c /etc/xen/hosted/$1, /usr/sbin/xm destroy $1, /usr/sbin/reimage-dom $1 ?" >> /etc/sudoers

where reimage-dom is a script that unpacks a fresh tarball onto their
filesystem. Their shell is then set to a custom shell script which provides a
menu interface to let them run these commands, and these only.

Don't ever let users onto a dom0 machine unless you want them to have
effective root onto all machines. The stakes are too high.

Cheers,

Dominic.

-- 
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)
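
Added example, not part of the message above and not Dominic's own script: one way to generate the same per-user rule while refusing names that would change its meaning, and to install it as a syntax-checked drop-in rather than appending to /etc/sudoers. The function names, the name policy and the use of /etc/sudoers.d (which assumes the main sudoers file includes that directory) are assumptions.

```sh
#!/bin/sh
# Added example: hypothetical helper names; the rule text is taken from the post.
LC_ALL=C; export LC_ALL    # make [a-z] a byte range, not locale collation

# Accept only short lowercase names. Spaces, commas, '/', '*' or the word
# "ALL" in $1 would all change what the sudoers rule grants.
valid_name() {
    case $1 in
        ''|*[!a-z0-9-]*|[!a-z]*) return 1 ;;
    esac
    [ "${#1}" -le 32 ]
}

# Print the rule from the post for one validated domain/user name.
# The trailing " ?" on reimage-dom is kept exactly as posted.
sudoers_entry() {
    valid_name "$1" || { echo "rejected name: $1" >&2; return 1; }
    printf '%s ALL=NOPASSWD:/usr/sbin/xm console %s, /usr/sbin/xm create -c /etc/xen/hosted/%s, /usr/sbin/xm destroy %s, /usr/sbin/reimage-dom %s ?\n' \
        "$1" "$1" "$1" "$1" "$1"
}

# Write the rule to a temp file, syntax-check it with visudo, then rename it
# into place. The temp name contains '.', so sudo skips it until the rename.
install_entry() {
    valid_name "$1" || return 1
    dir=${2:-/etc/sudoers.d}
    tmp=$(mktemp "$dir/.xen-$1.XXXXXX") || return 1
    if sudoers_entry "$1" > "$tmp" && visudo -cf "$tmp" >/dev/null &&
       chmod 0440 "$tmp" && mv "$tmp" "$dir/xen-$1"; then
        return 0
    fi
    rm -f "$tmp"
    return 1
}
```

A rule that fails the visudo check never reaches a file that sudo reads, so a bad entry cannot lock every user out of sudo on the dom0.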