Hi Experts,
In the documentation for preparing the system for SciDB installation, it says to create a user scidb and put it into sudoers. Just wondering why sudo NOPASSWD is needed for scidb user? When will the scidb user practice the sudoer privilege?
Not sure if this is the way sudo works, but I have a security concern for this. It's also mentioned that all SciDB processes will be run as the scidb user, just like apache processes runs as apache user. But apache user can't sudo to root, so if an apache process is compromised, it's less destructive. However, if a SciDB process is compromised, it can do anything as root. Is that right?
Thanks for any hints or comments. Please correct me if I misunderstood.
-Yushu
Why does scidb user need sudo?
3 posts
• Page 1 of 1
Why does scidb user need sudo?
by dvoraky » Fri Mar 09, 2012 1:39 pm
- dvoraky
- Posts: 19
- Joined: Mon Nov 28, 2011 5:55 pm
Re: Why does scidb user need sudo?
by apoliakov » Fri Mar 09, 2012 2:03 pm
Hello, Yushu.
As far as I can recall, the sudo stuff is only used as part of installation and initialization. When we first initialize a Scidb config, we add a new Postgres user and database. And so to make things easier in our scripts we added some of steps like
sudo -u postgres psql -c "create database ..."
I think that's actually all that sudo is used for. Look at the file scidb-prepare-db.sh
Obviously, scidb also needs to be able to write to its data directory and temp partition, but you can just chown those things to the scidb user.
I have been working with a particular customer who raised this issue. To them, it was completely unacceptable for scidb to have sudoers access. They also had a non-default Postgres installation with different paths. So we made some changes to scidb-prepare-db.sh to accommodate. That works fine - except whenever we need to wipe and reload the data, we have to enter the postgres password.
Hope it helps.
-- Alex Poliakov
As far as I can recall, the sudo stuff is only used as part of installation and initialization. When we first initialize a Scidb config, we add a new Postgres user and database. And so to make things easier in our scripts we added some of steps like
sudo -u postgres psql -c "create database ..."
I think that's actually all that sudo is used for. Look at the file scidb-prepare-db.sh
Obviously, scidb also needs to be able to write to its data directory and temp partition, but you can just chown those things to the scidb user.
I have been working with a particular customer who raised this issue. To them, it was completely unacceptable for scidb to have sudoers access. They also had a non-default Postgres installation with different paths. So we made some changes to scidb-prepare-db.sh to accommodate. That works fine - except whenever we need to wipe and reload the data, we have to enter the postgres password.
Hope it helps.
-- Alex Poliakov
- apoliakov
- Site Admin
- Posts: 245
- Joined: Wed Nov 03, 2010 2:46 pm
Re: Why does scidb user need sudo?
by dvoraky » Tue Mar 13, 2012 6:37 pm
Thanks for your reply.
I'll remove scidb from sudoers after scidb.py initdb
Thanks
-Yushu
I'll remove scidb from sudoers after scidb.py initdb
Thanks
-Yushu
- dvoraky
- Posts: 19
- Joined: Mon Nov 28, 2011 5:55 pm
3 posts
• Page 1 of 1
Return to SciDB Support and Discussion
Who is online
Users browsing this forum: Google [Bot] and 0 guests