MAINT is possible as Guest

Bug #1817568 reported by Herald ten Dam
Affects: zVM Cloud Connector
Status: Triaged
Importance: High
Assigned to: Shu Juan Zhang

Bug Description

Hi,

I can register the user MAINT as a guest through the REGISTER_VM action for a guest. I think (but I did not try) it is also now possible to delete this guest. But that means that MAINT will be deleted (maybe the SMAPI will prevent this).

What I want to propose: is there a possibility to make it so that a Linux guest can be defined by some regular expressions or something like that? The customer where we work now always has the guest start with SLD or SLB; others are not allowed. This means for the API that there needs to be some checking before making or registering a guest.

With kind regards
Herald ten Dam

Huang Rui (bjhuangr)
Changed in python-zvm-sdk:
status: New → Triaged
importance: Undecided → High
Huang Rui (bjhuangr) wrote :

Thanks for your finding.

Huang Rui (bjhuangr)
Changed in python-zvm-sdk:
milestone: none → future
jichenjc (jichenjc) wrote :

I'd suggest considering a black list: we define this as a configuration item and then
the user is eligible to modify it. MAINT640, MAINT, DIRMAINT, TCPMAINT etc. should all be prevented,
so a configuration item + (possibly a REGEX) is something we need to consider.

Huang Rui (bjhuangr)
Changed in python-zvm-sdk:
assignee: nobody → Shu Juan Zhang (zshujuan)
Herald ten Dam (damsteen) wrote :

My colleague also mentioned a black list, but be aware this can mean at least a list of about 100 userids beforehand (z/VM has a lot of system users), so maybe a mix of include/exclude can make the configuration items smaller.

Herald

Shu Juan Zhang (zshujuan) wrote :

Herald,

This bug was assigned to me. I'm curious: do we have to use a black/white list? Are there any properties of a user id that mark it as a system user, such as its user directory? Then we can decide if the user id is a system user by querying its property.

I'm a newbie to z/VM, forgive me if it's not practical.

Daisy

Herald ten Dam (damsteen) wrote :

Hi Daisy,

There is no such thing as a label or comment or even a property in the user directory which tells us if a user is a system user or something special.

Some options although for some pre-checking:
1. Normally Linux servers have only class G, so users with more than this class mean something special; Maint for example has ABCDEFG
2. The use of include set by user_profile is an indication for a Linux Server made by CC. But is also not waterproof because it is an optional parameter.

So you see, nothing is waterproof from the perspective of the user directory. So I think a black/white list is for now the best option.

And being a newbie is not a problem, I work just 1 year with z/VM and still a lot to learn ;-)

Herald

Shu Juan Zhang (zshujuan) wrote :

Herald,

Thanks for your detailed explanation. I also consulted internal z/VM experts, they gave me the same advice. Then in this case, a blacklist that contains a list of system users, and also allows customers to configure, is the best option. I will fix in this way. Thanks.
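
One way the pre-check discussed in this thread could look, as an added example that is not code from python-zvm-sdk: a configurable deny list of system userids combined with an optional include pattern, evaluated before any guest action. The class and function names, the userid syntax rule, the case handling and the `.*MAINT.*` deny pattern are assumptions; the four denied userids and the SLD/SLB prefixes come from the comments above.

```python
import re

# Only the system userids named in this thread; a real z/VM system has
# many more (the thread estimates about 100), so this is a starting point.
DEFAULT_DENY = ("MAINT", "MAINT640", "DIRMAINT", "TCPMAINT")

# Assumption: a userid is 1-8 characters from a conservative character set.
_USERID_SYNTAX = re.compile(r"[A-Z0-9$#@_-]{1,8}")


class UseridPolicy:
    """Deny list plus optional include pattern for guest userids."""

    def __init__(self, deny=DEFAULT_DENY, deny_patterns=(), include_pattern=None):
        self.deny = {u.upper() for u in deny}
        self.deny_patterns = [re.compile(p, re.IGNORECASE) for p in deny_patterns]
        self.include = (re.compile(include_pattern, re.IGNORECASE)
                        if include_pattern else None)

    def check(self, userid):
        """Return (allowed, reason). Deny rules always win over include."""
        uid = userid.strip().upper()  # assumption: userids compare case-insensitively
        if not _USERID_SYNTAX.fullmatch(uid):
            return False, "invalid userid syntax"
        if uid in self.deny:
            return False, "userid is on the deny list"
        if any(p.fullmatch(uid) for p in self.deny_patterns):
            return False, "userid matches a deny pattern"
        if self.include is not None and not self.include.fullmatch(uid):
            return False, "userid does not match the include pattern"
        return True, "ok"


def guard_guest_action(policy, userid):
    """Call before create/register/delete; raises instead of proceeding."""
    allowed, reason = policy.check(userid)
    if not allowed:
        raise PermissionError(f"refusing guest action on {userid!r}: {reason}")
    return userid.strip().upper()


# Constructed site policy: guests must start with SLD or SLB (from the
# report); the MAINT deny pattern is a hypothetical extra safeguard.
SITE_POLICY = UseridPolicy(deny_patterns=[r".*MAINT.*"],
                           include_pattern=r"SL[DB].*")
```

Evaluating deny rules before the include pattern means a name such as SLDMAINT is still refused even though it carries an allowed prefix.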
