git-server-git.apps.pok.os.sepia.ceph.com Git

author	John Mulligan <jmulligan@redhat.com>
	Wed, 14 Feb 2024 16:35:57 +0000 (11:35 -0500)
committer	Adam King <adking@redhat.com>
	Tue, 19 Mar 2024 19:39:58 +0000 (15:39 -0400)
commit	8f99a9781349ed81c51c2bcb22f3d4d6ddbfec3a
tree	03c76c8833253755f85ee0ac547e1c0f9dd0c9f8	tree \| snapshot
parent	997409c7c18baf2f883f2dc35f7a94d89e3e72f9	commit \| diff

mgr/cephadm: make remote command execution auditable

Update ssh.py and other code using it to only allow commands wrapped
in particular python types as executables on the remote hosts.
By using a specific type for remote executables we make the code more
auditable, avoiding the possibility of executing arbitrary strings
as commands with sudo. This is all enforced by mypy's type checking.

The result is a list of commands that the cephadm mgr module may
execute on a remote host using sudo:
```
$ git ls-files -z | xargs -0 grep 'RemoteExecutable(' -d skip -h | grep
-v '(str)' | sed -e 's/.*RemoteExecutable(//' -e 's/)//' -e 's/,$//'
'which'
'/usr/bin/cephadm'
python
'chmod'
'ls'
'sysctl'
'chown'
'mkdir'
'mv'
'touch'
'rm'
'true'
```
Note that *python* is special as it is based on the output of which and
may vary from OS to OS. The quoted items are used exactly as named.
Only the binary at `/usr/bin/cephadm` _or_ the dynamically discovered
python3 binary will be used. This depends on a configuration option for
the cephadm module.

Signed-off-by: John Mulligan <jmulligan@redhat.com>
(cherry picked from commit a811ef0d813570752aaffcf38dc18cc6778b72a9)

src/pybind/mgr/cephadm/offline_watcher.py		diff \| blob \| history
src/pybind/mgr/cephadm/serve.py		diff \| blob \| history
src/pybind/mgr/cephadm/ssh.py		diff \| blob \| history
src/pybind/mgr/cephadm/tests/test_tuned_profiles.py		diff \| blob \| history
src/pybind/mgr/cephadm/tuned_profiles.py		diff \| blob \| history