diff --git a/src/bosh_aws_cpi/bin/stemcell-copy b/src/bosh_aws_cpi/bin/stemcell-copy
index 003442a9..57166e66 100755
--- a/src/bosh_aws_cpi/bin/stemcell-copy
+++ b/src/bosh_aws_cpi/bin/stemcell-copy
@@ -1,7 +1,8 @@
 #!/bin/bash
 #
-# The user running this script requires password-less sudo privileges
-# to copy the disk image to the raw disk device
+# This script runs as root through sudo without the need for a password,
+# so it needs to make sure it can't be abused.
+#
 set -euo pipefail
@@ -22,4 +23,4 @@ if [[ ! -b ${OUTPUT_PATH} ]]; then
 fi
 # copy image to block device with 1 MB block size
-tar -xzf ${IMAGE} -O root.img | sudo -n dd bs=1M of=${OUTPUT_PATH}
+tar -xzf ${IMAGE} -O root.img | dd bs=1M of=${OUTPUT_PATH}
diff --git a/src/bosh_aws_cpi/lib/cloud/aws/stemcell_creator.rb b/src/bosh_aws_cpi/lib/cloud/aws/stemcell_creator.rb
index 593141cb..f42947f8 100644
--- a/src/bosh_aws_cpi/lib/cloud/aws/stemcell_creator.rb
+++ b/src/bosh_aws_cpi/lib/cloud/aws/stemcell_creator.rb
@@ -33,11 +33,12 @@ def create(volume, device_path, image_path)
 private
- # This method tries to execute the helper script stemcell-copy.
- # If stemcell-copy isn't available in the PATH, it falls back to
- # an internal version that untars the stemcell and pipes it to `dd`.
+ # This method tries to execute the helper script stemcell-copy
+ # as root using sudo, since it needs to write to the device_path.
+ # If stemcell-copy isn't available, it falls back to writing directly
+ # to the device, which is used in the micro bosh deployer.
 # The stemcell-copy script must be in the PATH of the user running
- # the script, and the user needs sudo privileges to execute without
+ # the director, and needs sudo privileges to execute without
 # password.
 #
 def copy_root_image
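Review bot: In `src/bosh_aws_cpi/bin/stemcell-copy`, the new last line of the `@@ -22,4 +23,4 @@` hunk expands `${IMAGE}` and `${OUTPUT_PATH}` unquoted, and because the whole script now runs as root rather than only `dd`, word splitting or globbing on either argument changes the command line of a root process. Quote both expansions: `tar -xzf "${IMAGE}" -O root.img | dd bs=1M of="${OUTPUT_PATH}"`. The new header comment says the script must not be abusable, but the only check visible in this diff is the `-b` block-device test in the hunk header, which still accepts any disk on the host. If the lines outside the hunks do not already restrict the target, the header comment should at least state which checks the script relies on.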
@@ -47,11 +48,11 @@ def copy_root_image
 logger.debug('copying stemcell using stemcell-copy script')
 # note that is is a potentially dangerous operation, but as the
 # stemcell-copy script sets PATH to a sane value this is safe
- command = "#{stemcell_copy} #{image_path} #{device_path} 2>&1"
+ command = "sudo -n #{stemcell_copy} #{image_path} #{device_path} 2>&1"
 else
 logger.info('falling back to using included copy stemcell')
 included_stemcell_copy = File.expand_path('../../../../bin/stemcell-copy', __FILE__)
- command = "#{included_stemcell_copy} #{image_path} #{device_path} 2>&1"
+ command = "sudo -n #{included_stemcell_copy} #{image_path} #{device_path} 2>&1"
 end
 result = sh(command)
diff --git a/src/bosh_aws_cpi/spec/unit/stemcell_creator_spec.rb b/src/bosh_aws_cpi/spec/unit/stemcell_creator_spec.rb
index d83cc519..9c96e825 100644
--- a/src/bosh_aws_cpi/spec/unit/stemcell_creator_spec.rb
+++ b/src/bosh_aws_cpi/spec/unit/stemcell_creator_spec.rb
@@ -146,7 +146,7 @@ module Bosh::AwsCloud
 allow(creator).to receive(:find_in_path).and_return('/path/to/stemcell-copy')
 result = double('result', :output => 'output')
- cmd = '/path/to/stemcell-copy /path/to/image /dev/volume 2>&1'
+ cmd = 'sudo -n /path/to/stemcell-copy /path/to/image /dev/volume 2>&1'
 expect(creator).to receive(:sh).with(cmd).and_return(result)
 creator.send(:copy_root_image)
@@ -157,7 +157,7 @@ module Bosh::AwsCloud
 result = double('result', :output => 'output')
 stemcell_copy = File.expand_path('../../../../bosh_aws_cpi/bin/stemcell-copy', __FILE__)
- cmd = "#{stemcell_copy} /path/to/image /dev/volume 2>&1"
+ cmd = "sudo -n #{stemcell_copy} /path/to/image /dev/volume 2>&1"
 expect(creator).to receive(:sh).with(cmd).and_return(result)
 creator.send(:copy_root_image)
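Review bot: In `copy_root_image` (`stemcell_creator.rb`, hunk `@@ -47,11 +48,11 @@`), both new `command = "sudo -n …"` lines interpolate the script path, `image_path` and `device_path` into a shell string unescaped, and that string now starts a root process, so a space or shell metacharacter in any of them changes what sudo runs. Escape each value, e.g. `command = "sudo -n #{Shellwords.escape(stemcell_copy)} #{Shellwords.escape(image_path)} #{Shellwords.escape(device_path)} 2>&1"` (needs `require 'shellwords'`), and the same for `included_stemcell_copy`. The retained comment that this is safe because the script resets PATH no longer covers the risk. The script handed to sudo appears to be whichever one was found on the director user's PATH, or the copy inside the gem tree, so it should be root-owned, not writable by that user, and named by absolute path in the sudoers rule. The method body starts and ends outside this hunk.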