2 Replies Latest reply on Feb 23, 2017 5:14 AM by Bernard Stern

    PRIV_RUNCMD sudo required only on Oracle Exadata hypervisor OVM

    Bernard Stern

      Hello Community

       

      To be able to discover the relations between an OVM Hypervisor on an Oracle Exadata box, we need to be able to sudo the command

       

      /usr/sbin/xm list --long

       

      In the TPL module, the command is run as

       

      PRIV_RUNCMD /usr/sbin/xm list --long

       

      When testing on a box while setting PRIV_RUNCMD = /usr/bin/sudo, we are able to gather the virtual hosts attached to this OVM.

      The problem is, the OS of the hypervisor is a Linux flavour, so I'd need to change the linux.sh platform script PRIV_RUNCMD definition. Doing that, I'm afraid it would have a negative impact on a whole lot of other discovery commands, since the PRIV_RUNCMD command is used in many (77) pattern modules. Chasing all these sudo definitions and maintaining them is not something I want to do. The alternative would be to hard-code /usr/bin/sudo /usr/sbin/xm list --long in the pattern.

       

      Does anyone have similar issues? What is the experience of the community with this kind of issue? What would be BMC's recommendation?

       

      Thanks.

        • 1. Re: PRIV_RUNCMD sudo required only on Oracle Exadata hypervisor OVM
          Duncan Grisby

          In general, we would encourage you to enable privileged execution of commands as widely as you can, because there are many useful pieces of information like this that you can only obtain as root.

           

          That said, if you want to carefully and slowly enable the use of PRIV_RUNCMD, you can easily set the definition of the shell function with some logic to only use sudo in selected circumstances. For example, to be really restrictive and only enable sudo for /usr/sbin/xm, you can define the function like this:

           

          PRIV_RUNCMD() {
            # escalate only when the first argument is exactly the xm binary
            if [ "$1" = "/usr/sbin/xm" ]; then
              /usr/bin/sudo "$@"
            else
              "$@"
            fi
          }

          2 of 2 people found this helpful
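The selective-sudo wrapper Duncan describes, generalised to an allowlist of absolute command paths so that the other 76 PRIV_RUNCMD users Bernard worries about keep running unprivileged. This is an added example, not code from the thread or from BMC's linux.sh platform script; the allowlist contents, the /usr/bin/sudo path and the priv_allowed / priv_preview helper names are assumptions made here.

```shell
# Added example, not from the thread or from BMC's linux.sh platform script.
# PRIV_RUNCMD escalates with sudo only for commands on an explicit allowlist
# of absolute paths; everything else runs unprivileged exactly as before.
# The allowlist entries and the sudo path below are assumptions for this example.

PRIV_ALLOWLIST="/usr/sbin/xm /usr/sbin/dmidecode"   # constructed allowlist
SUDO=/usr/bin/sudo

# priv_allowed CMD: succeeds (exit 0) only when CMD is exactly one of the
# allowlisted absolute paths. A bare "xm", a relative path, or a longer name
# such as /usr/sbin/xml never matches, so only the intended binary is escalated.
priv_allowed() {
    _cmd=$1
    for _allowed in $PRIV_ALLOWLIST; do
        if [ "$_cmd" = "$_allowed" ]; then
            return 0
        fi
    done
    return 1
}

# priv_preview CMD ARGS...: prints the exact command line PRIV_RUNCMD would
# run, without running it. Useful for checking the wrapper before deploying it.
priv_preview() {
    if priv_allowed "$1"; then
        echo "$SUDO $*"
    else
        echo "$*"
    fi
}

# PRIV_RUNCMD CMD ARGS...: the wrapper itself. "$@" passes every argument
# through intact (no word splitting), which matters for arguments with spaces.
PRIV_RUNCMD() {
    if priv_allowed "$1"; then
        "$SUDO" "$@"
    else
        "$@"
    fi
}
```

With this definition `PRIV_RUNCMD /usr/sbin/xm list --long` executes `/usr/bin/sudo /usr/sbin/xm list --long`, while `PRIV_RUNCMD /bin/ls -l` runs `/bin/ls -l` as the discovery user. The exact-path comparison is deliberate: a prefix or basename match would let an unrelated binary with a similar name be escalated. The sudoers grant for the discovery account should be narrowed to the same command line so that the wrapper's allowlist and the privilege actually granted stay in step.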
          • 2. Re: PRIV_RUNCMD sudo required only on Oracle Exadata hypervisor OVM
            Bernard Stern

            Hello Duncan

             

            Thanks for your comment. I understand that sudo for as many commands as possible is recommended, but operations and security want it as minimal as possible. So far we have been happy to only add /usr/bin/sudo to a selected few PRIV commands in the platform scripts.

             

            You are absolutely right, this is straightforward shell scripting! One tends to forget the obvious when seeing familiar stuff in a different view! Perhaps I should have downloaded the linux.sh script on a Linux box! Your solution is exactly what I am going to use, no impact on other commands. Great!