Public bug reported:

We have a use case where we want to offer users cloudable services (AWS, OpenStack), but *without* the possibility of getting root access. We can lock down an instance of course, by denying root logins and removing the instance user from sudo, or restricting the rules.
But we'd like to still allow user-controlled user-data. The idea is that a user might boot a machine with user-data that, say, wget's a .war into the tomcat directory, or changes a configuration file that isn't system-wide. Or even bootstraps their $HOME/.bashrc, etc. files.

Right now, the user-data option is going to run everything as root, meaning they must specifically fix up ownership and permissions, not to mention that they could do really whatever they want.

My proposal would therefore be some sort of option, like user-data-account: www. If not specified, it defaults to root.

** Affects: cloud-init
     Importance: Undecided
         Status: New

** Tags: user-data

--
You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to cloud-init.
https://bugs.launchpad.net/bugs/1373491

Title:
  feature request: option to run user-data as non-root

Status in Init scripts for use on cloud images:
  New
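Added example, not part of the bug report and not cloud-init code: a sketch of how a boot-time runner could honor an account setting like the one proposed, defaulting to root and dropping supplementary groups, gid and uid before the script starts. The names `launch_plan` and `run_user_data` are hypothetical and do not correspond to any cloud-init API; Python 3.9 or later is assumed for the `user`, `group` and `extra_groups` arguments.

```python
import os
import pwd
import subprocess


def launch_plan(pw, current_euid):
    """Build subprocess.run() keyword arguments for running a script as `pw`.

    `pw` is a pwd.struct_passwd entry for the target account.
    """
    plan = {
        "cwd": pw.pw_dir,
        # Minimal environment so nothing from the root-owned parent leaks in.
        "env": {
            "HOME": pw.pw_dir,
            "USER": pw.pw_name,
            "LOGNAME": pw.pw_name,
            "SHELL": "/bin/sh",
            "PATH": "/usr/local/bin:/usr/bin:/bin",
        },
    }
    if pw.pw_uid != current_euid:
        # subprocess applies these in the child in the order
        # setgroups, setgid, setuid, so root's groups are gone
        # before the uid changes.
        plan["extra_groups"] = os.getgrouplist(pw.pw_name, pw.pw_gid)
        plan["group"] = pw.pw_gid
        plan["user"] = pw.pw_uid
    return plan


def run_user_data(script_path, account="root"):
    """Run script_path as `account` (hypothetical option value).

    Raises KeyError if the account does not exist, so a typo in the
    setting fails closed instead of silently running as root.
    The script file must be readable by the target account.
    """
    pw = pwd.getpwnam(account)
    return subprocess.run(
        ["/bin/sh", script_path],
        check=False,
        capture_output=True,
        text=True,
        **launch_plan(pw, os.geteuid()),
    )
```

The account has to come from configuration the instance user cannot edit; if it were read from the user-data itself, the user could simply set it back to root.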