[PVE-User] ceph.conf permissions

James Bailey jim at freesolutions.net
Thu Mar 10 11:49:06 CET 2016


On 2016-03-10 10:30, Florent B wrote:
> On 03/10/2016 11:25 AM, Alessandro Briosi wrote:
>> On 10/03/2016 11:11, Florent B wrote:
>>> Hi everyone,
>>>
>>> I think there's a little problem with ceph.conf permissions on Proxmox.
>>>
>>> With Infernalis release, all ceph processes are running under "ceph" user.
>>>
>>> root user starts processes, then changes user to ceph. All is fine.
>>>
>>> But a problem occurs when a ceph process needs to respawn itself after
>>> some time. ceph user is respawning and cannot read ceph.conf anymore.
>>> That's the case for MDS processes for example.
>>>
>>> Permissions of ceph.conf file are
>>>
>>> # ls -alh /etc/pve/ceph.conf
>>> -rw-r----- 1 root www-data 3.6K Mar  8 12:35 /etc/pve/ceph.conf
>>>
>>> And cannot change that
>>>
>>> # chmod o+r /etc/pve/ceph.conf
>>> chmod: changing permissions of ‘/etc/pve/ceph.conf’: Function not implemented
>>>
>>> How can Proxmox handle this situation?
>> Why not simply add ceph user to www-data group?
>>
>> Or can it be in some way a security issue?
>>
>> Alessandro
>>
>
> Hi Alessandro,
>
> Yes that's one of the solutions, I just wanted to know if someone had
> other ideas :)
> I don't think that could be a great security issue..

You could use extended ACLs to allow the ceph user read access to that 
file only.

https://wiki.debian.org/Permissions#Access_Control_Lists_in_Linux

Regards Jim
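
The question raised in the thread, whether adding the ceph user to www-data could be a security issue, can be checked by listing what that group membership would grant. The script below is an added example, not part of the original messages; the function names are hypothetical, and the /etc/pve path and www-data group in the usage comment come from the listing quoted above.

```shell
#!/bin/sh
# Added example (not from the thread): list what a user would gain by
# being added to a group. Function names are hypothetical.

# group_only_access DIR GROUP r|w
# Prints regular files under DIR that belong to GROUP (name or numeric gid),
# grant the given permission to the group, and do NOT grant it to "other",
# i.e. files where the access comes only from group membership.
group_only_access() {
    dir=$1 group=$2 bit=$3
    case $bit in
        r|w) ;;
        *) echo "usage: group_only_access DIR GROUP r|w" >&2; return 2 ;;
    esac
    find "$dir" -type f -group "$group" \
        -perm "-g=$bit" ! -perm "-o=$bit" -print 2>/dev/null | sort
}

# exposure_report DIR GROUP
# Prints both lists, so the extra read and write access is visible
# before the group membership is changed.
exposure_report() {
    echo "Readable only via group $2:"
    group_only_access "$1" "$2" r | sed 's/^/  /'
    echo "Writable only via group $2:"
    group_only_access "$1" "$2" w | sed 's/^/  /'
}

# Usage with the path and group from the listing above:
#   exposure_report /etc/pve www-data
```

Every file in the first list becomes readable to all ceph daemons once the ceph user joins the group, so the list shows how much wider that is than read access to the single file.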


