WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/

xen-users

Re: [Xen-users] console access to non root xen 3.0

To: xen-users@xxxxxxxxxxxxxxxxxxx
Subject: Re: [Xen-users] console access to non root xen 3.0
From: Dominic Hargreaves <dom@xxxxxxxx>
Date: Wed, 5 Apr 2006 16:12:55 +0100
Delivery-date: Wed, 05 Apr 2006 08:13:22 -0700
Envelope-to: www-data@xxxxxxxxxxxxxxxxxx
In-reply-to: <60D45469A1AAD311A04C009027B6BF6805E3873D@xxxxxxxxxxxxxxxxxxxxxxxxxxx>
List-help: <mailto:xen-users-request@lists.xensource.com?subject=help>
List-id: Xen user discussion <xen-users.lists.xensource.com>
List-post: <mailto:xen-users@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=unsubscribe>
References: <60D45469A1AAD311A04C009027B6BF6805E3873D@xxxxxxxxxxxxxxxxxxxxxxxxxxx>
Sender: xen-users-bounces@xxxxxxxxxxxxxxxxxxx
User-agent: Mutt/1.5.9i

On Wed, Apr 05, 2006 at 10:19:11AM -0400, Steve Brueckner wrote:

> the user permission to execute 'xm console'.  For access to a specific domU
> you'd also need to use a separate domU config file for that domain, and give
> the user additional sudo access to execute 'xm list.'  Then you can write a
> little script the user can execute (but not write!) that will list running
> domU's, grep the results for the custom config file name, and awk the output
> line for that domain's Id.  Finally, the script would call 'xm console
> <id>'.

Ick! No.

Just give them sudo access to run /usr/sbin/xm console <their name>.
There's no need to parse the output of xm list.

As part of my domain setup script I have

echo "$1 ALL=NOPASSWD:/usr/sbin/xm console $1, /usr/sbin/xm create -c /etc/xen/hosted/$1, /usr/sbin/xm destroy $1, /usr/sbin/reimage-dom $1 ?" >> /etc/sudoers

where reimage-dom is a script that unpacks a fresh tarball onto their
filesystem. Their shell is then set to a custom shell script which
provides a menu interface to let them run these commands, and these
only.

Don't ever let users onto a dom0 machine unless you want them to have
effective root on all machines. The stakes are too high.

Cheers,

Dominic.

-- 
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)
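The menu-shell arrangement described in the reply, as an added example that is not Dominic's script or any Xen code: a restricted login shell that validates the domain name and offers only the four commands the per-user sudoers line permits. It assumes the user's login name is their domain name; DOM_CONFIG_DIR, the menu numbering and the omission of the trailing "?" from the reimage-dom entry are this example's own choices.

```shell
#!/bin/sh
# Restricted menu shell for a hosted domU user (added example). Assumes the
# login name is the domain name, the per-user sudoers entry from the post,
# and that /usr/sbin/reimage-dom is the site's own script taking only the name.

DOM_CONFIG_DIR=/etc/xen/hosted

# A domain name must be a plain token. Rejecting anything else is what keeps
# the fixed sudoers arguments from being stretched to other domains/options.
valid_domain() {
    case "$1" in
        ''|-*|*[!A-Za-z0-9_.-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# The per-user sudoers line the post appends (trailing "?" omitted here).
sudoers_line() {
    valid_domain "$1" || return 1
    printf '%s ALL=NOPASSWD:/usr/sbin/xm console %s, /usr/sbin/xm create -c %s/%s, /usr/sbin/xm destroy %s, /usr/sbin/reimage-dom %s\n' \
        "$1" "$1" "$DOM_CONFIG_DIR" "$1" "$1" "$1"
}

# Map a menu choice to exactly one of the commands sudo permits. Prints the
# command; returns 1 for anything else, so no other input ever gets run.
menu_command() {
    valid_domain "$1" || return 1
    case "$2" in
        1) printf 'sudo /usr/sbin/xm console %s\n' "$1" ;;
        2) printf 'sudo /usr/sbin/xm create -c %s/%s\n' "$DOM_CONFIG_DIR" "$1" ;;
        3) printf 'sudo /usr/sbin/xm destroy %s\n' "$1" ;;
        4) printf 'sudo /usr/sbin/reimage-dom %s\n' "$1" ;;
        *) return 1 ;;
    esac
}

main_menu() {
    dom=$(id -un)   # domain name comes from the login name, never from input
    while :; do
        printf '1) console  2) create  3) destroy  4) reimage  q) quit\n> '
        read -r choice || exit 0
        [ "$choice" = q ] && exit 0
        cmd=$(menu_command "$dom" "$choice") || { echo "invalid choice"; continue; }
        $cmd
    done
}

# Login shells are invoked with a leading "-" in $0; only then show the menu.
case "$0" in -*) main_menu ;; esac
```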

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
