So, why do they not disable the shell completely then?

Even PMs can change their mind, so let's try it I will file a feature request through my TAM anyway, but having supporters here in the forum should put additional pressure to it.

Agreed

Umm, no it is not the same at all. With sudo every command run through sudo gets written out to the log, so you as administrator can determine if the host is compromised or not by extracting that info from the logs.

What you are saying is that basically one should destroy every host that has been accessed via the root account... as it is now no longer trusted...

Sure there are valid reasons for accessing the console and NO the APIs do not always solve that, take the simple example that you miss network connectivity. How are you going to solve that "through the API"? You cannot, you might be able to do a reinstall if you have a PXE server setup, but that won't always be the case. With console access you can solve it, but there's no detailed log of the changes / troubleshooting steps made by the user as they have to be root...

I also wonder how you can see "who has logged in" if it is going to be root anyways? Direct console access? What will it log? Every user logging in remotely will be lifted to root levels? Automatic sudo? Ewww...

thanks for your reply

--

Wil

| Author of Vimalin. The virtual machine Backup app for VMware Fusion, VMware Workstation and Player |
| More info at vimalin.com | Twitter @wilva

Thank you for your response!

I like the idea of every user user logging in automatically having root permissions (without the need for sudo). This more resembles the Windows model where you are either an admin or not. It doesn't offer the granularity of control that you have with sudo, but on the other hand you also do not have the effort of configuring this granularity through /etc/sudoers.

However, wila is making a good point about logging: That is important, so having every console command sent to syslog (including time stamp and the original user id issuing it) is a necessity.

According to your question: I'm not really concerned about the API missing a functionality that you have with console access only. We need the console access in situations where API access is not available remotely (because the management network is down), or not at all, because hostd is malfunctioning or has crashed, or when the host as a whole becomes unresponsive, e.g. because of hardware related issues or special heap memory pool exhaustions.

I am aware that hostd (and ESXi as a whole) has a very high overall code quality, but every software has bugs, and I experienced quite a few issues in the past that made it necessary to access the console, because you could not use the API.

- Andreas

With sudo every command run through sudo gets written out to the log, so you as administrator can determine if the host is compromised or not by extracting that info from the logs.

This assumes that you forsee the set of binaries you want used via sudo and limit them such that you are 100% sure that none can be used to escalate your privileges further and then subvert the audit logs; e.g. you give someone sudo access to vi -- of course useful to edit config files -- but they can then use '!' to run aribtrary shell commands (actually, I don't think ESXi vi does let you do that, but you get the point).

A restricted environment is not the idea of our trobleshooting shell -- it is, by design, full and complete access to the system for unforseen circumstances. 

What you are saying is that basically one should destroy every host that has been accessed via the root account... as it is now no longer trusted...

I would not go that far; we have login and shell audit logs (/var/log/shell.log, /var/log/auth.log) that help establish what has gone on.  If you are sending logs across the network to a secure host, you at the very least have the login and the first thing that was run that can not be subverted.  You would have to evaluate what has been run from that point to see if you trust the logs.

Sure there are valid reasons for accessing the console and NO the APIs do not always solve that, take the simple example that you miss network connectivity.

The managment interface should be recoverable via the DCUI interface; which is a secure subset of configuration options (you can not run arbitrary things from it).  Again, we're always looking to make things better, so suggets for what doesn't work here are always appreciated.

I also wonder how you can see "who has logged in" if it is going to be root anyways? Direct console access? What will it log? Every user logging in remotely will be lifted to root levels? Automatic sudo? Ewww...

Users authenticate as usual, a record of which gets sent to the audit logs.  Once authenticated, all shell users are considered as uid 0.  The logs in /var/log/shell.log retain the username of the person executing them.

+1 from me to!

YES we need it  !!!!!