git.apps.os.sepia.ceph.com Git

author	John Mulligan <jmulligan@redhat.com>
	Wed, 14 Feb 2024 16:35:57 +0000 (11:35 -0500)
committer	John Mulligan <jmulligan@redhat.com>
	Sun, 17 Mar 2024 15:23:04 +0000 (11:23 -0400)
commit	a811ef0d813570752aaffcf38dc18cc6778b72a9
tree	9701b8100037f42bb123b11ea9b71d7a989dc0fc	tree \| snapshot
parent	105b50493ad5d1272aa910c93a57745d39c4941c	commit \| diff

mgr/cephadm: make remote command execution auditable

Update ssh.py and other code using it to only allow commands wrapped
in particular python types as executables on the remote hosts.
By using a specific type for remote executables we make the code more
auditable, avoiding the possibility of executing arbitrary strings
as commands with sudo. This is all enforced by mypy's type checking.

The result is a list of commands that the cephadm mgr module may
execute on a remote host using sudo:
```
$ git ls-files -z | xargs -0 grep 'RemoteExecutable(' -d skip -h | grep
-v '(str)' | sed -e 's/.*RemoteExecutable(//' -e 's/)//' -e 's/,$//'
'which'
'/usr/bin/cephadm'
python
'chmod'
'ls'
'sysctl'
'chown'
'mkdir'
'mv'
'touch'
'rm'
'true'
```
Note that *python* is special as it is based on the output of which and
may vary from OS to OS. The quoted items are used exactly as named.
Only the binary at `/usr/bin/cephadm` _or_ the dynamically discovered
python3 binary will be used. This depends on a configuration option for
the cephadm module.

Signed-off-by: John Mulligan <jmulligan@redhat.com>

src/pybind/mgr/cephadm/offline_watcher.py		diff \| blob \| history
src/pybind/mgr/cephadm/serve.py		diff \| blob \| history
src/pybind/mgr/cephadm/ssh.py		diff \| blob \| history
src/pybind/mgr/cephadm/tests/test_tuned_profiles.py		diff \| blob \| history
src/pybind/mgr/cephadm/tuned_profiles.py		diff \| blob \| history