VMware Cloud Community
johnswb
Enthusiast

Configuring Access to an ESX server

I have a few users that I've put in a group on the host and would like to give access to an ESX Server via SSH and to one of the LUNs on the host.

I know I can grant ssh access "chmod 777 /vmfs/volumes/LUN"

Can anyone tell me the best way to go by this, or is this it?

Will Johnson VCP on VI3 / VI4 vSphere 5
5 Replies
Texiwill

Hello,

Moved to Security and Compliance forum.

Well, changing permissions on /vmfs does not always give you the results you desire. Remember LUN names are provided by the vmkernel.

However, the key thing is to understand how the user will use that LUN. If it's all through the CLI, which is not recommended, then they have access to quite a bit of information they should not see, and could inadvertently even get the root password if you are not careful. Or even access to other VMs.

Unfortunately what you really need is ACLs and ACLs do not work very well on /vmfs.

How will they create the VMs? Via the VIC to VC connection? If so permissions on the ESX server are not all that meaningful. If it is VIC to Host then they may mean something.

Your best bet is to create a directory under /vmfs/volumes/LUN and set the permissions on that directory to allow that user write access by changing the ownership of the directory. I would not make a directory world readable and writable as you have set up. I.e.:

mkdir /vmfs/volumes/LUN/directory

chown username /vmfs/volumes/LUN/directory

This will only affect the user if they are using VIC to Host or the CLI.

Do you want them to access the LUN to create VMs? If so how did you intend to let that happen.


Best regards,

Edward L. Haletky

VMware Communities User Moderator

====

Author of the book 'VMWare ESX Server in the Enterprise: Planning and Securing Virtualization Servers', Copyright 2008 Pearson Education.

CIO Virtualization Blog: http://www.cio.com/blog/index/topic/168354

As well as the Virtualization Wiki at http://www.astroarch.com/wiki/index.php/Virtualization

--
Edward L. Haletky
vExpert XIV: 2009-2023,
VMTN Community Moderator
vSphere Upgrade Saga: https://www.astroarch.com/blogs
GitHub Repo: https://github.com/Texiwill
johnswb

Texiwill, thank you for moving this to the correct forum location.

The group of users will have access to build VMs via VIC. I really don't have a problem letting them have SSH access as long as I can lock them down to that one directory on the LUN. I'm guessing your suggestion should do the trick? Also, do I have to do the following by user, or can I do it by group?

mkdir /vmfs/volumes/LUN/directory

chown username /vmfs/volumes/LUN/directory

I guess the real question is: how can I restrict them to the one location when they access the server via ssh? Or, is that not possible?

Thank you very much for the reply.

Will Johnson VCP on VI3 / VI4 vSphere 5
Texiwill

Hello,

Well, it is not really possible. To do that you would need to set up restricted shell access (which will not allow the changing of directories, etc.). However, restricted shell is not part of ESX. It could be added.... But then you need to give them access to the commands, etc. Restricted shell via SSH is actually a real pain to set up. I would just not give them SSH access. They do not have the 'need to know', etc.

If they are going to use the VIC, will they be connecting to the VC Server? If so, then there is nothing you can do on the ESX host that will control the access they have to LUNs.

If it's VIC to Host, then they are missing out on quite a bit of functionality. However, it is possible to allow them VIC access but NOT SSH access. Frankly, that is the way I would do things. VIC to Host access will allow them to create VMs only in the locations they have write access to, which is pretty much that one directory.

You could use groups...

mkdir /vmfs/volumes/LUN/directory
chmod 770 /vmfs/volumes/LUN/directory
chown root /vmfs/volumes/LUN/directory
chgrp groupname /vmfs/volumes/LUN/directory

I would definitely test this however as VIC has some very strange access features. Also, if they do VIC to Host then they can only see that one host and no others. So this may be of limited functionality in your environment.

A different solution would be to use the VMware Lifecycle Manager or even the VMware Lab Manager. They may provide the control you desire; I am unsure if they do or not. The problem is that the granularity you desire for Roles and Permissions just does not exist yet. We have asked for it but nothing is forthcoming yet.


Best regards,

Edward L. Haletky

VMware Communities User Moderator

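The group-based layout from the reply above (root-owned, mode 770, group-owned directory, nothing for "other"), applied and then audited so the chmod 777 from the original question cannot linger anywhere on the datastore path. This is an added example, not code from the thread; the paths and group name are placeholders, and the chown to root is left to the administrator because it needs root.

```shell
#!/bin/sh
# Added example, not code from the thread: apply the group-based directory layout
# described above (group-writable, nothing for "other") and audit a datastore path for
# directories that still grant world write, which is what the original chmod 777 did.
# Assumption: GNU or BusyBox stat/find; the paths and group name are placeholders.

# Create the per-group directory with the thread's mode. chown to root is left to the
# administrator because it needs root; the group and mode are applied here.
# Usage: apply_group_dir /vmfs/volumes/LUN/directory groupname
apply_group_dir() {
    mkdir -p "$1" && chmod 770 "$1" && chgrp "$2" "$1"
}

# Return 0 only if $1 has octal mode $2 and group $3 (the layout the thread sets).
check_dir_policy() {
    [ "$(stat -c '%a %G' "$1")" = "$2 $3" ]
}

# List every directory below $1 that any user on the host could write into.
find_world_writable_dirs() {
    find "$1" -type d -perm -002
}

# Return 0 only if nothing below $1 is world-writable.
check_no_world_writable() {
    [ -z "$(find_world_writable_dirs "$1")" ]
}
```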
johnswb

Thank you for the help, this really helps a lot. I have one more question: how can I configure the host to direct the group of users to one location?

For example: they sign in, and doing "ls" they are already in the following location:

chgrp groupname /vmfs/volumes/LUN/directory

I guess what I'm asking is how to set this as the home drive for each one in the group?

I will try and google the answer myself...

Again thanks for the help.

Will Johnson VCP on VI3 / VI4 vSphere 5
Texiwill

Hello,

The only way to do this would be to enable restricted shell... if you do

ln -s /bin/bash /bin/rbash
echo "/bin/rbash" >> /etc/shells

Then you can assign users the shell rbash, which is the restricted shell. You should read the manual page for bash as restricted shells have some serious caveats. To get to the appropriate location do:

man bash
/RESTRICTED SHELLS
nnnn

When I use restricted shell I set up a set of paths that are something like /usr/local/restricted to which I symlink the commands they can issue. So for example, if you want them to have access to just ls, do:

mkdir /usr/local/restricted
ln -s /bin/ls /usr/local/restricted

Then make that the default path for the user. Restricted shells can be good or bad, but they can be easy to misconfigure to give more access than you want. You do not want to give them write access to anything on the /vmfs. Basically, to restrict their ls they need to have their home directory set to that VMFS location. If they create any files or do anything like that they will cause SCSI reservation conflicts, and that is really, really bad.

However, I think this is a VERY bad idea. You should not need to give them shell access to the system. They should have NO NEED to have that level of access.

So the big question is: what are you trying to allow them to do? And is there another way to achieve this? In order to manipulate anything on the VMFS they need access to a number of VMware-specific tools, etc., which generally requires root access to use.


Best regards,

Edward L. Haletky

VMware Communities User Moderator

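The restricted-shell setup from the last reply (an allow-list directory of symlinked commands, PATH pinned to it, rbash as the login shell) built in a scratch prefix and then checked from the administrator's side, since the reply warns that restricted shells are easy to misconfigure. This is an added example, not code from the thread or from VMware; it assumes bash and ls are installed and uses a temporary prefix in place of /usr/local/restricted.

```shell
#!/bin/sh
# Added example, not code from the thread: build the kind of restricted command
# directory described above (symlinks to the few commands the user may run) inside a
# scratch prefix so it can be tried without root, then verify from the defender's side
# that bash -r (which is what rbash is) refuses the things a confined user must not do.
# Assumption: bash and ls are installed; the prefix and allow-list are placeholders.

BASH_BIN=$(command -v bash)

# Create $prefix/restricted and symlink in only the listed absolute command paths.
# Usage: setup_restricted_dir /tmp/prefix /bin/ls /bin/df ; prints the directory.
setup_restricted_dir() {
    prefix=$1; shift
    mkdir -p "$prefix/restricted"
    for cmd in "$@"; do
        ln -sf "$cmd" "$prefix/restricted/$(basename "$cmd")"
    done
    echo "$prefix/restricted"
}

# Run one command line under restricted bash with PATH pinned to the allow-list
# directory, as the user's login shell would be. Succeeds only if bash allowed it.
run_restricted() {
    PATH="$1" "$BASH_BIN" -r -c "$2" >/dev/null 2>&1
}

# Defender-side checks: each returns 0 only when the expected restriction holds.
# The allow-listed command still resolves through PATH.
check_allowed_cmd_works()   { run_restricted "$1" 'ls /'; }
# cd is refused, so the user cannot leave the directory they log into.
check_cd_blocked()          { ! run_restricted "$1" 'cd /'; }
# PATH is read-only, so the allow-list cannot be widened from inside the shell.
check_path_change_blocked() { ! run_restricted "$1" 'PATH=/bin'; }
# Command names containing / are refused, so nothing outside the allow-list runs.
check_slash_cmd_blocked()   { ! run_restricted "$1" '/bin/cat /etc/hostname'; }
# Output redirection is refused, so the user cannot create files beside the VMs.
check_redirect_blocked()    { ! run_restricted "$1" 'ls / > out.txt'; }

# Run every check against a freshly built allow-list; prints a one-line verdict.
verify_restricted_setup() {
    rdir=$(setup_restricted_dir "$1" "$(command -v ls)")
    for c in check_allowed_cmd_works check_cd_blocked check_path_change_blocked \
             check_slash_cmd_blocked check_redirect_blocked; do
        "$c" "$rdir" || { echo "FAIL: $c"; return 1; }
    done
    echo "OK: restricted shell behaves as expected in $rdir"
}
```

The checks only prove bash enforces its own restrictions; any allow-listed command that can itself spawn a shell or write files undoes them, which is the misconfiguration the reply warns about.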