Update to privileged helper


Macdonald, Mjmac
 

Hi all.

 

As of this morning, running as a non-root user with builds from the master branch (development branch for version 1.2) will require setup of the privileged helper (daos_admin). This change was made to complete the effort started with the introduction of the helper.

 

To summarize:

  • If you are running DAOS from RPM-based installs, then this setup has already been done for you and no further work is necessary
  • If you are running DAOS from source, and you always run as the root user, then the privileged helper will inherit those permissions and no further work is necessary
  • If you are running DAOS from source, and you want to run as a non-root user, then you will need to perform some manual setup steps on every server in order to ensure that the privileged helper has the correct permissions in order to perform privileged tasks

 

You’ll know that you need to perform these setup steps if you see an error like the following on daos_server startup:

ERROR: pbin: code = 2 description = "the privileged helper (/home/mjmac/daos/install/bin/daos_admin) does not have root permissions"

ERROR: pbin: code = 2 resolution = "check the DAOS admin guide for details on privileged helper setup"

 

Note: These setup steps do not necessarily need to be performed after every DAOS build. The privileged helper code is pretty stable at this point and doesn’t change very often.

 

Please refer to the DAOS Admin Guide for specifics on the setup steps: https://daos-stack.github.io/#admin/deployment/#elevated-privileges

 

Best,

mjmac


Ethan Mallove
 

If you are running DAOS from source, and you want to run as a non-root user, then you will need to perform some manual setup steps on every server in order to ensure that the privileged helper has the correct permissions in order to perform privileged tasks

What are the manual steps?  I tried using setuid and checking immutable bit, but I still get the privileged helper (daos_admin) does not have root permissions, e.g.,

# chmod u+s install/bin/daos_admin

$ ls -ltrd install/bin/daos_admin

-rwsrwxr-x 1 emallovx emallovx 21838880 Jul 13 18:54 install/bin/daos_admin

# chown -R root:root install/bin/daos_admin

 

chown: changing ownership of ‘install/bin/daos_admin’: Operation not permitted

$ lsattr daos_admin

lsattr: Inappropriate ioctl for device While reading flags on daos_admin


Regards,
Ethan


Nabarro, Tom
 

Try running the utils/setup_daos_admin.sh script as sudo.

 

The admin binary should be moved to /usr/bin/ with setuid.

Remove executable bit from install/bin/daos_admin.

These steps are performed by the script.

 

From: daos@daos.groups.io <daos@daos.groups.io> On Behalf Of Ethan Mallove
Sent: Tuesday, July 13, 2021 9:24 PM
To: daos@daos.groups.io
Subject: Re: [daos] Update to privileged helper

 

If you are running DAOS from source, and you want to run as a non-root user, then you will need to perform some manual setup steps on every server in order to ensure that the privileged helper has the correct permissions in order to perform privileged tasks

What are the manual steps?  I tried using setuid and checking immutable bit, but I still get the privileged helper (daos_admin) does not have root permissions, e.g.,

# chmod u+s install/bin/daos_admin

$ ls -ltrd install/bin/daos_admin

-rwsrwxr-x 1 emallovx emallovx 21838880 Jul 13 18:54 install/bin/daos_admin

# chown -R root:root install/bin/daos_admin

 

chown: changing ownership of ‘install/bin/daos_admin’: Operation not permitted

$ lsattr daos_admin

lsattr: Inappropriate ioctl for device While reading flags on daos_admin


Regards,
Ethan