Opened 6 years ago

Closed 5 years ago

#82 closed defect (worksforme)

Credentials in rasdaman installed from an RPM

Reported by: mase@… Owned by: dmisev
Priority: major Milestone:
Component: RPM Version: 8.2
Keywords: Cc: pbaumann, mackoel@…
Complexity:

Description

Before opening up our machine to the outside world I was going to set some improved security like changing the default rasadmin passwords etc. I used the raspasswd utility and this changed the password temporarily but when restarting the rasmgr service:

  1. service rasmgr stop/restart/start commands don't work because the password is encoded in the /etc/init.d/rasmgr script. Therefore I had to kill the rasmgr process with the kill command. How do we update the /etc/init.d/rasmgr script with a new password?
  2. When stopping, rasmgr gives an error about not being able to write the authorization file /etcrasmgr.auth, so it doesn't exist when restarting and the passwords are back to the default. Running raspasswd as root doesn't help (it doesn't seem to try to create the /etc/rasmgr.auth file at the time of running). I could try making the /etc dir writable by non-root processes but this doesn't seem the right way to go. How should the rasadmin password be changed?

Anything else we should be aware of when updating the passwords? I notice the rasadmin password is in the default petascope settings file: does petascope really need this if we are just reading data?

Change History (4)

comment:1 Changed 6 years ago by dmisev

  • Cc mackoel@… added

comment:2 Changed 6 years ago by mackoel@…

  1. The file /etc/sysconfig/rasmgr is sourced at the start of the init script. Credentials can be set there in the form of RASADMIN=<rasadmin login>:<rasadmin password as md5 (or is it not md5 but another hash?)>

If there is no such file it is to be created.

  2. I wasn't aware of /etc/rasmgr.auth. Can you please point me to appropriate docs?
  3. Why does any non-root user need to write to /etc? The init script is meant to be run from root in the following way:

root# service rasmgr start
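
A way to audit the override file described in comment 2, as an added example that is not part of the ticket or of rasdaman. It assumes GNU stat on Linux; the function name, its parameters and the return codes are illustrative, and the hash format is not validated because the ticket leaves it open.

```shell
#!/bin/sh
# Added example: audit the rasmgr credential override file as text.
# Assumes GNU stat (Linux). Function and parameter names are illustrative.

check_rasmgr_override() {
    file=${1:-/etc/sysconfig/rasmgr}   # path given in comment 2
    want_uid=${2:-0}                   # expected owner uid; root by default
    rc=0

    if [ ! -f "$file" ]; then
        echo "MISSING: $file does not exist, so nothing overrides the init script"
        return 2
    fi

    # The file carries a password hash: no group or world access.
    mode=$(stat -c '%a' "$file")
    case $mode in
        0|*00) ;;
        *) echo "PERMS: $file has mode $mode, expected 600 or stricter"; rc=1 ;;
    esac

    uid=$(stat -c '%u' "$file")
    if [ "$uid" != "$want_uid" ]; then
        echo "OWNER: $file is owned by uid $uid, expected $want_uid"; rc=1
    fi

    # Take the last RASADMIN assignment; never source a file under audit.
    value=$(sed -n 's/^[[:space:]]*RASADMIN=//p' "$file" | tail -n 1 | tr -d "\"'")
    case $value in
        ?*:?*) ;;   # <login>:<hash>, both parts non-empty
        *) echo "FORMAT: RASADMIN is missing or not <login>:<password hash>"; rc=1 ;;
    esac

    return $rc
}
```

Called with no arguments as root, the function checks /etc/sysconfig/rasmgr and returns 0 when clean, 1 when it reports findings, and 2 when the file is missing.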

comment:3 Changed 6 years ago by mackoel@…

I found out about rasmgr.auth. It goes to the wrong place - the conf directory that rasdaman should not have write access to, as it doesn't configure itself. rasmgr.auth should go to the rasdaman system user's home. So apart from CONFDIR in configure.ac another constant can be defined. But I think it's better to change the behaviour so that rasmgr will write to $HOME taken from the environment.

comment:4 Changed 5 years ago by pbaumann

  • Resolution set to worksforme
  • Status changed from new to closed