On Tue, 12 Nov 2019, Gregory Farnum wrote:
> This is just a specific instance of a generalized problem, right? If
> the Ceph cluster has the ability to update itself, then anybody who
> pwns it can update to arbitrary code and do whatever they want. The

Yeah, exactly.

I think we just have two modes, then: (1) the root key one that's
implemented now for maximum ease of use, seamless upgrades, etc., and then
(2) a more paranoid mode where

1- admin is responsible for ceph-daemon being installed and/or upgraded when necessary.
2- ceph-daemon package creates a cephdaemon user and sudoers.d file
3- mgr/ssh has a mode=... setting and/or user=... setting
4- node addition instructions have the paranoid edition where the ssh key is put in cephdaemon user's (instead of root's) authorized_keys file

sage
_______________________________________________
Dev mailing list -- dev@xxxxxxx
To unsubscribe send an email to dev-leave@xxxxxxx
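
The node-side preparation that the paranoid mode in the message above implies, written as an added example that is not code from the thread or from the Ceph project. The `cephdaemon` user name comes from the message; the binary path, the function names and the file locations are assumptions.

```shell
#!/bin/sh
# Added example: node prep for the "paranoid" mode. The user name is from the
# thread; CEPH_DAEMON_BIN is an assumed install path, adjust to your package.
CEPH_USER=cephdaemon
CEPH_DAEMON_BIN=${CEPH_DAEMON_BIN:-/usr/sbin/ceph-daemon}

# Emit a sudoers.d rule that lets USER run only BINARY as root.
render_sudoers() {  # usage: render_sudoers USER BINARY
    case $2 in
        /*) ;;
        *) echo "binary path must be absolute" >&2; return 1 ;;
    esac
    printf '%s ALL=(root) NOPASSWD: %s\n' "$1" "$2"
}

# Add the cluster's public key to HOME_DIR/.ssh/authorized_keys exactly once,
# with the permissions sshd's StrictModes expects; optionally chown to OWNER.
install_key() {  # usage: install_key HOME_DIR PUBKEY_LINE [OWNER]
    mkdir -p "$1/.ssh" && chmod 700 "$1/.ssh" || return 1
    touch "$1/.ssh/authorized_keys" && chmod 600 "$1/.ssh/authorized_keys" || return 1
    grep -qxF -- "$2" "$1/.ssh/authorized_keys" ||
        printf '%s\n' "$2" >> "$1/.ssh/authorized_keys"
    [ -z "${3:-}" ] || chown -R "$3" "$1/.ssh"
}

# Succeed only if KEY_BLOB does not appear in the given authorized_keys file.
key_absent() {  # usage: key_absent AUTH_KEYS_FILE KEY_BLOB
    [ ! -f "$1" ] || ! grep -qF -- "$2" "$1"
}

# Succeed only if the binary is not group- or world-writable; the sudoers
# rule is only as strong as the write protection on the file it names.
binary_not_writable() {  # usage: binary_not_writable PATH
    [ -f "$1" ] && [ -z "$(find "$1" -prune \( -perm -020 -o -perm -002 \))" ]
}

# Typical use as root, after the admin has installed ceph-daemon
# (home directory and key file name are assumptions):
#   binary_not_writable "$CEPH_DAEMON_BIN" || exit 1
#   render_sudoers "$CEPH_USER" "$CEPH_DAEMON_BIN" > /etc/sudoers.d/cephdaemon
#   visudo -cf /etc/sudoers.d/cephdaemon
#   install_key /home/cephdaemon "$(cat cluster_key.pub)" "$CEPH_USER"
#   key_absent /root/.ssh/authorized_keys "$(cut -d' ' -f2 cluster_key.pub)"
```
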