Re: Func Security/ACL

On Tue, Feb 9, 2010 at 5:19 PM, brett lentz <wakko666@xxxxxxxxx> wrote:
> On Tue, Feb 9, 2010 at 1:57 PM, Javier Frias <jfrias@xxxxxxxxx> wrote:
>> Greetings,
>>
>> So I've been doing some research on func, and well, it looks great.
>> Certainly a lot better than a lot of the wrappers around ssh I've had to
>> code up every few years. But my worry is, it seems all commands are
>> done root to root. What I mean by that is that you need root
>> on the func master, and all commands seem to be executed as root on
>> each of the func aware nodes.
>>
>> There doesn't seem to be a way to restrict any usage of any part of
>> func, once you are root on the func master.
>>
>> So my question is: Is there any way ( or thought, or work around, or
>> future project ) to restrict usage of func modules per executing user?
>> an internal acl of sorts?
>>
>> ( not setfacl -m u:MYUSER:rwx /var/lib/func, which is still basically,
>> all  or nothing access )
>>
>> iow:
>> yum_cmd can only be executed on hosts group "stage", by users in group
>> "stage_access",
>> some_other_module can only be executed on hosts group "prod", by users
>> in group "prod_access",
>> access to everything is only for users in group "wheel".
>>
>> I guess in a way, what I am asking is: is there a command line client that
>> is separate from the func functions, via some sort of socket interface,
>> instead of loading up root-only readable libraries?
>>
>> Thanks,
>>
>> -Javier
>>
>
> Javier -
>
> There currently isn't that level of granularity to func's permissions.
>
> Coming up with an interface that uses the func api and applies greater
> privilege separation to the modules shouldn't be too difficult.
>
> Building a notion of authorization into Func itself will take more work.
>
> ---Brett
>

That's what I feared...  and since setuid <insert scripting language> is
a bad idea, I would need to come up with another way to expose each of
the modules and still have auth/group access control.

Thanks for the quick reply,


-Javier
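The thread leaves the per-module, per-host-group, per-user-group policy as an idea. The following is an added illustration of the deny-by-default check such a privilege-separated front end would run before touching the func API on behalf of an unprivileged caller; it is not Func project code and does not call func itself. The policy rules, host inventory, hostnames and group names are constructed from the example in Javier's mail, and the `Rule` type, `POLICY`, `HOST_GROUPS`, `is_authorized` and `authorized_hosts` names are this example's own.

```python
"""Deny-by-default authorization for a hypothetical privilege-separated func front end.

Added example, not part of Func. The front end would run as root (or under sudo),
resolve the real caller's POSIX groups, evaluate this policy, and only then call
the func API for the hosts that survive the check.
"""
import grp
import pwd
from dataclasses import dataclass
from fnmatch import fnmatch


@dataclass(frozen=True)
class Rule:
    module: str       # func module name, or a glob such as "*"
    host_group: str   # host group this rule covers, or "*" for any host
    user_group: str   # POSIX group that is granted `module` on `host_group`


# Constructed policy mirroring the three rules in the original mail.
POLICY = (
    Rule("yum_cmd", "stage", "stage_access"),
    Rule("some_other_module", "prod", "prod_access"),
    Rule("*", "*", "wheel"),          # wheel may run everything everywhere
)

# Constructed host-group inventory; a real front end would read its own groups file.
HOST_GROUPS = {
    "stage": {"stage01.example.com", "stage02.example.com"},
    "prod": {"prod01.example.com"},
}


def caller_groups(username):
    """Resolve a local user's POSIX groups (primary plus supplementary)."""
    primary = grp.getgrgid(pwd.getpwnam(username).pw_gid).gr_name
    supplementary = {g.gr_name for g in grp.getgrall() if username in g.gr_mem}
    return supplementary | {primary}


def host_groups_of(hostname):
    """All host groups a hostname belongs to (empty set for unknown hosts)."""
    return {name for name, hosts in HOST_GROUPS.items() if hostname in hosts}


def is_authorized(user_groups, hostname, module, policy=POLICY):
    """True only if some rule grants `module` on `hostname` to one of `user_groups`.

    Anything not explicitly granted (unknown host, unknown module, no matching
    group) is denied, so a typo in the policy fails closed rather than open.
    """
    hgroups = host_groups_of(hostname)
    for rule in policy:
        if rule.user_group not in user_groups:
            continue
        if not fnmatch(module, rule.module):
            continue
        if rule.host_group == "*" or rule.host_group in hgroups:
            return True
    return False


def authorized_hosts(user_groups, hostnames, module, policy=POLICY):
    """Filter a requested target list down to the hosts the caller may use `module` on."""
    return [h for h in hostnames if is_authorized(user_groups, h, module, policy)]


if __name__ == "__main__":
    # Constructed demo: a stage operator asks for yum_cmd on a stage and a prod host.
    wanted = ["stage01.example.com", "prod01.example.com"]
    print(authorized_hosts({"stage_access"}, wanted, "yum_cmd"))
```

The front end should hand `authorized_hosts` to func rather than the caller's raw target list, and should log both the requested and the granted set so denied attempts are visible to whoever audits the master.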

_______________________________________________
Func-list mailing list
Func-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/func-list
