Revert "sudo the one executable, not the entire script"

We've decided to go in another direction - the script itself will continue to be run with sudo. The change we are reverting does not work. There is code that configures the vcap user to be able to run the stemcell-copy script. If the sudo happens inside of the stemcell-copy script instead, it would require us to allow password-less sudo of `dd`, which is a less secure configuration. This reverts commit 328f0b4. This reverts commit 7e83b93.
cloudfoundry · Apr 8, 2021 · b87ac15 · b87ac15
1 parent 68cc509
commit b87ac15
Show file tree

Hide file tree

Showing 3 changed files with 13 additions and 11 deletions.
diff --git a/src/bosh_aws_cpi/bin/stemcell-copy b/src/bosh_aws_cpi/bin/stemcell-copy
@@ -1,7 +1,8 @@
 #!/bin/bash
 #
-# The user running this script requires password-less sudo privileges
-# to copy the disk image to the raw disk device
+# This script runs as root through sudo without the need for a password,
+# so it needs to make sure it can't be abused.
+#
 
 set -euo pipefail
 
@@ -22,4 +23,4 @@ if [[ ! -b ${OUTPUT_PATH} ]]; then
 fi
 
 # copy image to block device with 1 MB block size
-tar -xzf ${IMAGE} -O root.img | sudo -n dd bs=1M of=${OUTPUT_PATH}
+tar -xzf ${IMAGE} -O root.img | dd bs=1M of=${OUTPUT_PATH}
diff --git a/src/bosh_aws_cpi/lib/cloud/aws/stemcell_creator.rb b/src/bosh_aws_cpi/lib/cloud/aws/stemcell_creator.rb
@@ -33,11 +33,12 @@ def create(volume, device_path, image_path)
 
     private
 
-    # This method tries to execute the helper script stemcell-copy.
-    # If stemcell-copy isn't available in the PATH, it falls back to
-    # an internal version that untars the stemcell and pipes it to `dd`.
+    # This method tries to execute the helper script stemcell-copy
+    # as root using sudo, since it needs to write to the device_path.
+    # If stemcell-copy isn't available, it falls back to writing directly
+    # to the device, which is used in the micro bosh deployer.
     # The stemcell-copy script must be in the PATH of the user running
-    # the script, and the user needs sudo privileges to execute without
+    # the director, and needs sudo privileges to execute without
     # password.
     #
     def copy_root_image
@@ -47,11 +48,11 @@ def copy_root_image
         logger.debug('copying stemcell using stemcell-copy script')
         # note that is is a potentially dangerous operation, but as the
         # stemcell-copy script sets PATH to a sane value this is safe
-        command = "#{stemcell_copy} #{image_path} #{device_path} 2>&1"
+        command = "sudo -n #{stemcell_copy} #{image_path} #{device_path} 2>&1"
       else
         logger.info('falling back to using included copy stemcell')
         included_stemcell_copy = File.expand_path('../../../../bin/stemcell-copy', __FILE__)
-        command = "#{included_stemcell_copy} #{image_path} #{device_path} 2>&1"
+        command = "sudo -n #{included_stemcell_copy} #{image_path} #{device_path} 2>&1"
       end
 
       result = sh(command)

diff --git a/src/bosh_aws_cpi/spec/unit/stemcell_creator_spec.rb b/src/bosh_aws_cpi/spec/unit/stemcell_creator_spec.rb
@@ -146,7 +146,7 @@ module Bosh::AwsCloud
         allow(creator).to receive(:find_in_path).and_return('/path/to/stemcell-copy')
         result = double('result', :output => 'output')
 
-        cmd = '/path/to/stemcell-copy /path/to/image /dev/volume 2>&1'
+        cmd = 'sudo -n /path/to/stemcell-copy /path/to/image /dev/volume 2>&1'
         expect(creator).to receive(:sh).with(cmd).and_return(result)
 
         creator.send(:copy_root_image)
@@ -157,7 +157,7 @@ module Bosh::AwsCloud
         result = double('result', :output => 'output')
 
         stemcell_copy = File.expand_path('../../../../bosh_aws_cpi/bin/stemcell-copy', __FILE__)
-        cmd = "#{stemcell_copy} /path/to/image /dev/volume 2>&1"
+        cmd = "sudo -n #{stemcell_copy} /path/to/image /dev/volume 2>&1"
         expect(creator).to receive(:sh).with(cmd).and_return(result)
 
         creator.send(:copy_root_image)