Commit 59857b38 authored by Ryan Jackson's avatar Ryan Jackson

XML-RPC: Run frisbeelauncher as root for subboss

Subbosses authenticate to the XML-RPC server as elabman, which means the
resulting server process runs as the elabman user.  Unfortunately, this
doesn't work well when the subboss wants to launch a frisbeed for an
image for which elabman doesn't have read permission (like images under
/proj).

To fix this, a setuid wrapper script is run instead of trying to run
frisbeelauncher directly.  This script makes sure the calling user is
elabman, and then becomes root and execs frisbee_launcher.
parent 44a0833c
......@@ -43,7 +43,8 @@ SBIN_STUFF = resetvlans console_setup.proxy sched_reload named_setup \
elabinelab snmpit.proxy panic node_attributes \
nfstrace plabinelab smbpasswd_setup smbpasswd_setup.proxy \
rmproj snmpit.proxynew snmpit.proxyv2 pool_daemon \
checknodes_daemon subboss_frisbeelauncher_wrapper
checknodes_daemon subboss_frisbeelauncher_wrapper \
subboss_wrapper
ifeq ($(ISMAINSITE),1)
SBIN_STUFF += repos_daemon
endif
......@@ -95,7 +96,8 @@ SETUID_BIN_SCRIPTS = node_reboot eventsys_control tarfiles_setup savelogs \
SETUID_SBIN_SCRIPTS = mkproj rmgroup mkgroup frisbeelauncher frisbeeimage \
rmuser idleswap named_setup exports_setup \
sfskey_update setgroups newnode_reboot vnode_setup \
elabinelab nfstrace rmproj subboss_frisbeelauncher_wrapper
elabinelab nfstrace rmproj subboss_frisbeelauncher_wrapper \
subboss_wrapper
SETUID_LIBX_SCRIPTS = console_setup spewlogfile
ifeq ($(SYSTEM),FreeBSD)
......@@ -233,6 +235,8 @@ endif
chmod u+s $(INSTALL_SBINDIR)/frisbeelauncher
chown root $(INSTALL_SBINDIR)/subboss_frisbeelauncher_wrapper
chmod u+s $(INSTALL_SBINDIR)/subboss_frisbeelauncher_wrapper
chown root $(INSTALL_SBINDIR)/subboss_wrapper
chmod u+s $(INSTALL_SBINDIR)/subboss_wrapper
chown root $(INSTALL_SBINDIR)/frisbeeimage
chmod u+s $(INSTALL_SBINDIR)/frisbeeimage
chown root $(INSTALL_SBINDIR)/rmuser
......
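Review bot: After this change two subboss wrappers, `subboss_frisbeelauncher_wrapper` and `subboss_wrapper`, are installed setuid root (both `SETUID_SBIN_SCRIPTS` entries and the `chown root` / `chmod u+s` pairs in the third hunk). If the new generic wrapper is meant to replace the older one, which the page does not say, the old name should be dropped from `SBIN_STUFF`, `SETUID_SBIN_SCRIPTS` and the install rule so there is one fewer setuid-root script to audit. Nothing visible here restricts group or mode, so the in-script UID comparison appears to be the only caller check; a comment next to the new chmod line such as `# subboss_wrapper: setuid root, caller restricted to elabman inside the script` would record that. The install rule starts and ends outside the hunk.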
#!/usr/bin/perl -wT
#
# EMULAB-COPYRIGHT
# Copyright (c) 2009-2010 University of Utah and the Flux Group.
# All rights reserved.
#
use strict;
use English;
sub usage()
{
print "Usage: subboss_wrapper <command> [args]\n";
print "\n";
print "Valid commands:\n";
print " frisbee_launcher [args] Run frisbee_launcher with specified arugments\n";
print "\n";
exit(1);
}
sub fatal($) {
my($mesg) = $_[0];
die("*** $0:\n".
" $mesg\n");
}
my $TB = "@prefix@";
my $ELABMAN = "elabman";
my $FRISBEE_LAUNCHER = "$TB/sbin/frisbeelauncher";
use lib "@prefix@/lib";
use User;
# un-taint path
$ENV{'PATH'} = '/bin:/usr/bin:/usr/local/bin:/usr/site/bin';
delete @ENV{'IFS', 'CDPATH', 'ENV', 'BASH_ENV'};
#
# We do not want to run this script unless its the real version.
#
if ($EUID != 0) {
die("*** $0:\n".
" Must be setuid! Maybe its a development version?\n");
}
#
# We need this user for running below.
#
my $elabman = User->Lookup($ELABMAN);
if (!defined($elabman)) {
fatal("Could not lookup $ELABMAN user. Exiting ...");
}
if ($UID != $elabman->unix_uid()) {
die("Must be elabman to run this script\n");
}
# Switch to root
$UID = $EUID = 0;
usage() if (@ARGV == 0);
my $command = shift @ARGV;
if ($command eq 'frisbeelauncher') {
# Pass the argument list through as-is
my @args = map { /(.*)/; $1 } @ARGV;
exec $FRISBEE_LAUNCHER, @args;
} else {
fatal("Invalid command \"$command\"");
}
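Review bot: The dispatch test `if ($command eq 'frisbeelauncher')` does not match the name the usage text advertises or the name the XML-RPC caller passes (`subboss_wrapper frisbee_launcher ...` in the Python hunk), so that call would land in the `Invalid command` branch; the comparison should read `if ($command eq 'frisbee_launcher') {`. The `exec` result is also ignored, so a failed exec falls off the end of the script with a success status; `exec($FRISBEE_LAUNCHER, @args) or fatal("Could not exec $FRISBEE_LAUNCHER: $!");` would report it. The untaint `map { /(.*)/; $1 }` accepts every argument and keeps only the text before a newline, so taint mode gives no real protection for what reaches the root process; matching each argument against an anchored pattern for the options frisbeelauncher is expected to receive, and rejecting anything else, would be safer. The `$UID = $EUID = 0` assignment is likewise unchecked and could be followed by a test that both values are 0 before the exec.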
This diff is collapsed.
......@@ -4619,7 +4619,8 @@ class subboss:
# has permission to load the image in libosload so we don't need to
# check again in frisbeelauncher. Only a subboss can make this request
# anyway.
(exitval, output) = runcommand(TBDIR + "/sbin/wap " + TBDIR + "/sbin/frisbeelauncher " + argstr)
(exitval, output) = runcommand(TBDIR + "/sbin/subboss_wrapper frisbee_launcher " + argstr)
if exitval:
return EmulabResponse(RESPONSE_ERROR, exitval >> 8, output=output)
......
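Review bot: The new `runcommand(TBDIR + "/sbin/subboss_wrapper frisbee_launcher " + argstr)` line still builds the command by string concatenation, and it now feeds a setuid-root wrapper that passes its arguments through without validation. `argstr` is assembled outside this hunk, so whether its parts are quoted or checked cannot be seen here; if `runcommand` hands the string to a shell, shell metacharacters in a request-supplied field would be interpreted before the wrapper runs. Each component of `argstr` should be validated against an allow-list pattern before this call, with a comment above it such as `# argstr reaches a root process via subboss_wrapper; every token must be validated above`. The existing comment that frisbeelauncher need not re-check image permission makes that validation the only remaining gate on this path.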