Managing DomU as non root

atatut
Hi,

OS: Gentoo linux-2.6.26-gentoo-r4
Xen: linux-2.6.18-xen-r12

I'm trying to use cgi shell scripts to allow different untrusted users to manage their own DomU without having root privileges.

The cgi shell script works, but of course whenever I try to run it from the web page I made, I receive the following message inside the apache/error.log:

Traceback (most recent call last):
  File "/usr/sbin/xm", line 8, in <module>
    from xen.xm import main
  File "usr/lib64/python2.5/site-packages/xen/xm/main.py", line 61, in <module>
xen.lowlevel.xc.Error: (1, 'Internal error', 'Could not obtain handle on privileged command interface (13 = Permission denied)')

This, of course, means I have no privilege to use the "xm" command as that specific user. I will have to do it through root, but I cannot add untrusted users to the root group, which is anyway not enough to allow xm to run, nor can I have apache running as root.

Is there a way to achieve this in a secure fashion? Here's what I'd like to achieve:

- create one DomU for each of my colleagues
- create one local user for each colleague on the dom0
- create a vhost inside apache using the specific local user for each different vhost
- allow only the specific user to execute cgi script "Restart/Stop/Start or whatever" for his specific domU

But the so-called security limitation of xen, preventing me from allowing any user but root to use the "xm" command, is right now forcing me to adopt an insecure scheme by running apache with the root account, which is suicidal. Sudo is not an option I think, as xen wants specifically root to run the commands, if I'm not mistaken.

Could someone help me clear this up? I'm pretty sure I'm not the first to try this, but I couldn't find anything close to a solution by googling.

Thanks folks!
Re: Managing DomU as non root

atatut
PROBLEM SOLVED

I just added apache (or any other user) to the sudoers file, then added the sudo command in front of my cgi script. This seems to have tricked xend, so there's no need to have the xm command run as root.

It may not be the safest solution but it works.

Thanks,
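The sudo route from the reply can be narrowed so that each vhost user may run only the few exact xm invocations that touch its own DomU, which also covers the per-user layout the first post asks for. The block below is an added example, not code from this thread: a POSIX sh CGI wrapper together with the sudoers fragment it depends on. The user names alice and bob, the domain names alice-vm and bob-vm, the config paths under /etc/xen, and the assumption that Apache runs the CGI as the vhost's own local user (for instance via suexec) are all illustrative. xm needs root because it opens the privileged command interface (/proc/xen/privcmd, hence the "Permission denied" in the traceback); sudo supplies that, and sudoers' exact-argument matching means the script can reach nothing beyond the listed commands even if the CGI itself is abused.

```shell
#!/bin/sh
# Added example (not from the original thread): a CGI wrapper that lets the
# per-vhost local user manage only its own DomU through a narrowly scoped
# sudoers rule. "alice", "alice-vm", /etc/xen/alice-vm.cfg etc. are assumed
# names for illustration.
#
# Suggested /etc/sudoers.d fragment (one line per user). sudo matches the
# argument list exactly, so "xm destroy" or another user's domain name is
# refused by sudo itself, not only by this script:
#   alice ALL=(root) NOPASSWD: /usr/sbin/xm create /etc/xen/alice-vm.cfg, \
#       /usr/sbin/xm shutdown alice-vm, /usr/sbin/xm reboot alice-vm
#   bob   ALL=(root) NOPASSWD: /usr/sbin/xm create /etc/xen/bob-vm.cfg, \
#       /usr/sbin/xm shutdown bob-vm, /usr/sbin/xm reboot bob-vm
#
# Apache is assumed to run this script as the vhost's user (suexec or
# similar); the script itself never runs as root.

XM=${XM:-/usr/sbin/xm}

# Map the invoking local user to the single DomU it is allowed to manage.
# The request never names the domain; it comes from this table only.
domu_for_user() {
    case "$1" in
        alice) echo "alice-vm" ;;
        bob)   echo "bob-vm" ;;
        *)     return 1 ;;
    esac
}

# Translate a whitelisted action into the exact xm argument list that the
# sudoers rule permits. Anything else is rejected before sudo is reached.
xm_args() {
    user=$1 action=$2
    domu=$(domu_for_user "$user") || return 1
    case "$action" in
        start)   echo "create /etc/xen/$domu.cfg" ;;
        stop)    echo "shutdown $domu" ;;
        restart) echo "reboot $domu" ;;
        *)       return 1 ;;
    esac
}

# Extract "action=..." from the query string, keeping only [a-z] so shell
# metacharacters or other parameters in the request cannot leak through.
action_from_query() {
    printf '%s\n' "$1" | sed -n 's/^.*action=\([a-z]*\).*$/\1/p'
}

main_cgi() {
    user=$(id -un)
    action=$(action_from_query "${QUERY_STRING:-}")
    printf 'Content-Type: text/plain\r\n\r\n'
    if args=$(xm_args "$user" "$action"); then
        # -n: never prompt for a password; the rule above is NOPASSWD.
        # Word-splitting $args into the fixed argument list is intended.
        sudo -n "$XM" $args
    else
        echo "refused: user=$user action=$action"
        return 1
    fi
}

# Only act when invoked by the web server as a CGI.
if [ -n "${GATEWAY_INTERFACE:-}" ]; then
    main_cgi
fi
```

Call it as `?action=restart` from the per-user vhost. A request for any other action, or from a user with no mapped DomU, is refused before sudo runs, and because the domain name is taken from the table rather than the request, a crafted query cannot make xm touch a colleague's domain; the sudoers rule is a second, independent fence for the same property.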

