Why does scidb user need sudo?


#1

Hi Experts,

In the documentation for preparing the system for SciDB installation, it says to create a user scidb and put it into sudoers. Just wondering why sudo NOPASSWD is needed for scidb user? When will the scidb user practice the sudoer privilege?

Not sure if this is the way sudo works, but I have a security concern for this. It’s also mentioned that all SciDB processes will be run as the scidb user, just like apache processes runs as apache user. But apache user can’t sudo to root, so if an apache process is compromised, it’s less destructive. However, if a SciDB process is compromised, it can do anything as root. Is that right?

Thanks for any hints or comments. Please correct me if I misunderstood.

-Yushu


#2

Hello, Yushu.

As far as I can recall, the sudo stuff is only used as part of installation and initialization. When we first initialize a Scidb config, we add a new Postgres user and database. And so to make things easier in our scripts we added some of steps like
sudo -u postgres psql -c “create database …”

I think that’s actually all that sudo is used for. Look at the file scidb-prepare-db.sh
Obviously, scidb also needs to be able to write to its data directory and temp partition, but you can just chown those things to the scidb user.

I have been working with a particular customer who raised this issue. To them, it was completely unacceptable for scidb to have sudoers access. They also had a non-default Postgres installation with different paths. So we made some changes to scidb-prepare-db.sh to accommodate. That works fine - except whenever we need to wipe and reload the data, we have to enter the postgres password.

Hope it helps.
– Alex Poliakov


#3

Thanks for your reply.
I’ll remove scidb from sudoers after scidb.py initdb

Thanks

-Yushu


#4

[quote=“apoliakov”]

As far as I can recall, the sudo stuff is only used as part of installation and initialization. When we first initialize a Scidb config, we add a new Postgres user and database. And so to make things easier in our scripts we added some of steps like
sudo -u postgres psql -c “create database …”

I think that’s actually all that sudo is used for.
– Alex Poliakov[/quote]

Is there a chance to be needed for this step of the procedure to build SciDB from source code (“How to Build, Install, and Test SciDB 15.7”)?

(as scidb)

[code]$ deployment/deploy.sh access root “” “” 192.168.1.8

spawn ssh -o StrictHostKeyChecking=no root@192.168.1.8 rm -rf /tmp/root/deployment && mkdir -p /tmp/root
Warning: Permanently added ‘192.168.1.8’ (ECDSA) to the list of known hosts.
root@192.168.1.8’s password:
Permission denied, please try again.
root@192.168.1.8’s password:
Permission denied, please try again.
root@192.168.1.8’s password:
Permission denied (publickey,password).[/code]

So this fails.
This works.

So I assumed scidb needs to be sudoer but command still fails even if it is.

What am I doing wrong please?

Thanks
Nick


#5

Alex is correct in that sudo and root are only used for building and installing.

As to building its worse than sudo.
The scripts are written to ssh AS ROOT to do root things (yum/apt-get, …).
For instance on Ubuntu the root account is not even enabled,
but for our build it needs to be enabled and you need to know the password.

Hopefully this will be changed for 15.12.

For now I can’t offer you any remediation.