From 6b298a1d5dfe11a2db77336459d075821c9ace1d Mon Sep 17 00:00:00 2001
From: Suresh Kumar Anaparti
Date: Fri, 24 Jan 2025 13:35:47 +0530
Subject: [PATCH 1/5] Updated setup-sysvm-tmplt script without sudo
- The cmds in this script are allowed for normal (cloudstack service) user when destdir is created without sudo
---
 scripts/storage/secondary/setup-sysvm-tmplt | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/scripts/storage/secondary/setup-sysvm-tmplt b/scripts/storage/secondary/setup-sysvm-tmplt
index 8b6566218919..0275ba6260b3 100755
--- a/scripts/storage/secondary/setup-sysvm-tmplt
+++ b/scripts/storage/secondary/setup-sysvm-tmplt
@@ -90,7 +90,7 @@ fi
 localfile=$uuid.$ext
-sudo mkdir -p $destdir
+mkdir -p $destdir
 if [[ $? -ne 0 ]]; then
 failed 2 "Failed to write to destdir $destdir -- is it mounted?\n"
 fi
@@ -108,7 +108,7 @@ tmpfolder=/tmp/cloud/templates/
 mkdir -p $tmpfolder
 tmplfile=$tmpfolder/$localfile
-sudo touch $tmplfile
+touch $tmplfile
 if [[ $? -ne 0 ]]; then
 failed 2 "Failed to create temporary file in directory $tmpfolder -- is it read-only or full?\n"
 fi
@@ -121,7 +121,7 @@ localcap=$(df -P $tmpfolder | awk '{print $4}' | tail -1 )
 if [[ "$fflag" == "1" ]]; then
- sudo cp $tmpltimg $tmplfile
+ cp $tmpltimg $tmplfile
 if [[ $? -ne 0 ]]; then
 failed 2 "Failed to create temporary file in directory $tmpfolder -- is it read-only or full?\n"
 fi
@@ -138,7 +138,7 @@ tmpdestdir=$tmpfolder
 if [ "$ext" == "ova" ]
 then
 tar xvf $tmpdestdir/$localfile -C $tmpdestdir &> /dev/null
- sudo cp $tmpdestdir/*.vmdk $tmpdestdir/*.mf $tmpdestdir/*.ovf $destdir/
+ cp $tmpdestdir/*.vmdk $tmpdestdir/*.mf $tmpdestdir/*.ovf $destdir/
 rm -rf $tmpdestdir/*.vmdk $tmpdestdir/*.mf $tmpdestdir/*.ovf $tmpdestdir/*.ova
 else
 rm -rf $tmpdestdir/*.tmp
@@ -154,7 +154,7 @@ else
 fi
 templateId=${destdir##*/}
-sudo touch $destdir/template.properties
+touch $destdir/template.properties
 echo "$ext=true" >> $tmpdestdir/template.properties
 echo "id=$templateId" >> $tmpdestdir/template.properties
 echo "public=true" >> $tmpdestdir/template.properties
@@ -164,7 +164,7 @@ echo "$ext.virtualsize=$vrtmpltsize" >> $tmpdestdir/template.properties
 echo "virtualsize=$vrtmpltsize" >> $tmpdestdir/template.properties
 echo "$ext.size=$tmpltsize" >> $tmpdestdir/template.properties
-sudo cp $tmpdestdir/template.properties $destdir/template.properties
+cp $tmpdestdir/template.properties $destdir/template.properties
 if [ -f "$tmpdestdir/template.properties" ]
 then
 rm -rf $tmpdestdir/template.properties
From 0a4e462eaee34135f354b74dc9a1c0ef4cb8b69a Mon Sep 17 00:00:00 2001
From: Suresh Kumar Anaparti
Date: Mon, 3 Feb 2025 14:11:14 +0530
Subject: [PATCH 2/5] mount/unmount secondary storage without sudo during system vm template registration
---
 .../java/com/cloud/upgrade/SystemVmTemplateRegistration.java | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/engine/schema/src/main/java/com/cloud/upgrade/SystemVmTemplateRegistration.java b/engine/schema/src/main/java/com/cloud/upgrade/SystemVmTemplateRegistration.java
index 40a8cb4b11f4..b81597db50c0 100644
--- a/engine/schema/src/main/java/com/cloud/upgrade/SystemVmTemplateRegistration.java
+++ b/engine/schema/src/main/java/com/cloud/upgrade/SystemVmTemplateRegistration.java
@@ -86,7 +86,7 @@ public class SystemVmTemplateRegistration {
 private static final Logger LOGGER = Logger.getLogger(SystemVmTemplateRegistration.class);
- private static final String UMOUNT_COMMAND = "sudo umount %s";
+ private static final String UMOUNT_COMMAND = "umount %s";
 private static final String RELATIVE_TEMPLATE_PATH = "./engine/schema/dist/systemvm-templates/";
 private static final String ABSOLUTE_TEMPLATE_PATH = "/usr/share/cloudstack-management/templates/systemvm/";
 private static final String TEMPLATES_PATH = fetchTemplatesPath();
@@ -147,7 +147,7 @@ public SystemVmTemplateRegistration(String systemVmTemplateVersion) {
 }
 public static String getMountCommand(String nfsVersion, String device, String dir) {
- String cmd = "sudo mount -t nfs";
+ String cmd = "mount -t nfs";
 if (StringUtils.isNotBlank(nfsVersion)) {
 cmd = String.format("%s -o vers=%s", cmd, nfsVersion);
 }
From d41ca3ceef36cab6e71606ff8bf57b0db825473b Mon Sep 17 00:00:00 2001
From: Suresh Kumar Anaparti
Date: Wed, 5 Feb 2025 11:02:32 +0530
Subject: [PATCH 3/5] Revert "mount/unmount secondary storage without sudo during system vm template registration"
This reverts commit 0a4e462eaee34135f354b74dc9a1c0ef4cb8b69a.
---
 .../java/com/cloud/upgrade/SystemVmTemplateRegistration.java | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/engine/schema/src/main/java/com/cloud/upgrade/SystemVmTemplateRegistration.java b/engine/schema/src/main/java/com/cloud/upgrade/SystemVmTemplateRegistration.java
index b81597db50c0..40a8cb4b11f4 100644
--- a/engine/schema/src/main/java/com/cloud/upgrade/SystemVmTemplateRegistration.java
+++ b/engine/schema/src/main/java/com/cloud/upgrade/SystemVmTemplateRegistration.java
@@ -86,7 +86,7 @@ public class SystemVmTemplateRegistration {
 private static final Logger LOGGER = Logger.getLogger(SystemVmTemplateRegistration.class);
- private static final String UMOUNT_COMMAND = "umount %s";
+ private static final String UMOUNT_COMMAND = "sudo umount %s";
 private static final String RELATIVE_TEMPLATE_PATH = "./engine/schema/dist/systemvm-templates/";
 private static final String ABSOLUTE_TEMPLATE_PATH = "/usr/share/cloudstack-management/templates/systemvm/";
 private static final String TEMPLATES_PATH = fetchTemplatesPath();
@@ -147,7 +147,7 @@ public SystemVmTemplateRegistration(String systemVmTemplateVersion) {
 }
 public static String getMountCommand(String nfsVersion, String device, String dir) {
- String cmd = "mount -t nfs";
+ String cmd = "sudo mount -t nfs";
 if (StringUtils.isNotBlank(nfsVersion)) {
 cmd = String.format("%s -o vers=%s", cmd, nfsVersion);
 }
From 9d2c841c0243634e1ce749c393db0ddbb8ca9a04 Mon Sep 17 00:00:00 2001
From: Suresh Kumar Anaparti
Date: Wed, 5 Feb 2025 11:02:46 +0530
Subject: [PATCH 4/5] Revert "Updated setup-sysvm-tmplt script without sudo"
This reverts commit 6b298a1d5dfe11a2db77336459d075821c9ace1d.
---
 scripts/storage/secondary/setup-sysvm-tmplt | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/scripts/storage/secondary/setup-sysvm-tmplt b/scripts/storage/secondary/setup-sysvm-tmplt
index 0275ba6260b3..8b6566218919 100755
--- a/scripts/storage/secondary/setup-sysvm-tmplt
+++ b/scripts/storage/secondary/setup-sysvm-tmplt
@@ -90,7 +90,7 @@ fi
 localfile=$uuid.$ext
-mkdir -p $destdir
+sudo mkdir -p $destdir
 if [[ $? -ne 0 ]]; then
 failed 2 "Failed to write to destdir $destdir -- is it mounted?\n"
 fi
@@ -108,7 +108,7 @@ tmpfolder=/tmp/cloud/templates/
 mkdir -p $tmpfolder
 tmplfile=$tmpfolder/$localfile
-touch $tmplfile
+sudo touch $tmplfile
 if [[ $? -ne 0 ]]; then
 failed 2 "Failed to create temporary file in directory $tmpfolder -- is it read-only or full?\n"
 fi
@@ -121,7 +121,7 @@ localcap=$(df -P $tmpfolder | awk '{print $4}' | tail -1 )
 if [[ "$fflag" == "1" ]]; then
- cp $tmpltimg $tmplfile
+ sudo cp $tmpltimg $tmplfile
 if [[ $? -ne 0 ]]; then
 failed 2 "Failed to create temporary file in directory $tmpfolder -- is it read-only or full?\n"
 fi
@@ -138,7 +138,7 @@ tmpdestdir=$tmpfolder
 if [ "$ext" == "ova" ]
 then
 tar xvf $tmpdestdir/$localfile -C $tmpdestdir &> /dev/null
- cp $tmpdestdir/*.vmdk $tmpdestdir/*.mf $tmpdestdir/*.ovf $destdir/
+ sudo cp $tmpdestdir/*.vmdk $tmpdestdir/*.mf $tmpdestdir/*.ovf $destdir/
 rm -rf $tmpdestdir/*.vmdk $tmpdestdir/*.mf $tmpdestdir/*.ovf $tmpdestdir/*.ova
 else
 rm -rf $tmpdestdir/*.tmp
@@ -154,7 +154,7 @@ else
 fi
 templateId=${destdir##*/}
-touch $destdir/template.properties
+sudo touch $destdir/template.properties
 echo "$ext=true" >> $tmpdestdir/template.properties
 echo "id=$templateId" >> $tmpdestdir/template.properties
 echo "public=true" >> $tmpdestdir/template.properties
@@ -164,7 +164,7 @@ echo "$ext.virtualsize=$vrtmpltsize" >> $tmpdestdir/template.properties
 echo "virtualsize=$vrtmpltsize" >> $tmpdestdir/template.properties
 echo "$ext.size=$tmpltsize" >> $tmpdestdir/template.properties
-cp $tmpdestdir/template.properties $destdir/template.properties
+sudo cp $tmpdestdir/template.properties $destdir/template.properties
 if [ -f "$tmpdestdir/template.properties" ]
 then
 rm -rf $tmpdestdir/template.properties
From 1c03f91f6df933b3f255519ad0f6f82c9692c3bf Mon Sep 17 00:00:00 2001
From: Suresh Kumar Anaparti
Date: Thu, 20 Mar 2025 12:57:42 +0530
Subject: [PATCH 5/5] updated setup-sysvm-tmplt to use sudo for cmds accessing destdir, and sudoer cmds
---
 scripts/storage/secondary/setup-sysvm-tmplt | 10 +++++-----
 server/conf/cloudstack-sudoers.in | 2 +-
 2 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/scripts/storage/secondary/setup-sysvm-tmplt b/scripts/storage/secondary/setup-sysvm-tmplt
index 8b6566218919..06f0586fe342 100755
--- a/scripts/storage/secondary/setup-sysvm-tmplt
+++ b/scripts/storage/secondary/setup-sysvm-tmplt
@@ -99,7 +99,7 @@ if [[ -f $destdir/template.properties ]]; then
 failed 2 "Data already exists at destination $destdir"
 fi
-destfiles=$(find $destdir -name \*.$ext)
+destfiles=$(sudo find $destdir -name \*.$ext)
 if [[ "$destfiles" != "" ]]; then
 failed 2 "Data already exists at destination $destdir"
 fi
@@ -108,12 +108,12 @@ tmpfolder=/tmp/cloud/templates/
 mkdir -p $tmpfolder
 tmplfile=$tmpfolder/$localfile
-sudo touch $tmplfile
+touch $tmplfile
 if [[ $? -ne 0 ]]; then
 failed 2 "Failed to create temporary file in directory $tmpfolder -- is it read-only or full?\n"
 fi
-destcap=$(df -P $destdir | awk '{print $4}' | tail -1 )
+destcap=$(sudo df -P $destdir | awk '{print $4}' | tail -1 )
 [ $destcap -lt $DISKSPACE ] && echo "Insufficient free disk space for target folder $destdir: avail=${destcap}k req=${DISKSPACE}k" && failed 4
 localcap=$(df -P $tmpfolder | awk '{print $4}' | tail -1 )
@@ -146,9 +146,9 @@ fi
 tmpltfile=$destdir/$localfile
-tmpltsize=$(ls -l $tmpltfile | awk -F" " '{print $5}')
+tmpltsize=$(sudo ls -l $tmpltfile | awk -F" " '{print $5}')
 if [[ "$ext" == "qcow2" ]]; then
- vrtmpltsize=$($qemuimgcmd info $tmpltfile | grep -i 'virtual size' | sed -ne 's/.*(\([0-9]*\).*/\1/p' | xargs)
+ vrtmpltsize=$(sudo $qemuimgcmd info $tmpltfile | grep -i 'virtual size' | sed -ne 's/.*(\([0-9]*\).*/\1/p' | xargs)
 else
 vrtmpltsize=$tmpltsize
 fi
diff --git a/server/conf/cloudstack-sudoers.in b/server/conf/cloudstack-sudoers.in
index 5c879f3303f9..710241022f5b 100644
--- a/server/conf/cloudstack-sudoers.in
+++ b/server/conf/cloudstack-sudoers.in
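Review bot: In the @@ -146 hunk the new `vrtmpltsize=$(sudo $qemuimgcmd info $tmpltfile | ...)` and `tmpltsize=$(sudo ls -l $tmpltfile | ...)` still have no failure check, so if sudo refuses the command (non-interactive, no tty per the sudoers change) or the tool fails, the pipeline yields an empty string that the later `echo "$ext.virtualsize=$vrtmpltsize"` lines write into template.properties as a blank size. $qemuimgcmd is assigned outside this hunk, so whether it resolves to the `/bin/qemu-img` path granted in the sudoers file is not visible here; a run-time guard covers both cases: `[[ -z "$tmpltsize" ]] && failed 2 "Failed to read size of $tmpltfile"` after the tmpltsize line and `[[ -z "$vrtmpltsize" ]] && failed 2 "Failed to read virtual size of $tmpltfile"` after the closing fi. The path variables handed to the sudo'd commands ($destdir, $tmpltfile) are unquoted, which was already the case before, but they now reach a root process, so quoting them (`"$destdir"`, `"$tmpltfile"`) is worth doing in the same change.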
@@ -18,7 +18,7 @@
 # The CloudStack management server needs sudo permissions
 # without a password.
-Cmnd_Alias CLOUDSTACK = /bin/mkdir, /bin/mount, /bin/umount, /bin/cp, /bin/chmod, /usr/bin/keytool, /bin/keytool, /bin/touch
+Cmnd_Alias CLOUDSTACK = /bin/mkdir, /bin/mount, /bin/umount, /bin/cp, /bin/chmod, /usr/bin/keytool, /bin/keytool, /bin/touch, /bin/find, /bin/df, /bin/ls, /bin/qemu-img
 Defaults:@MSUSER@ !requiretty
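Review bot: The new `/bin/find` entry in CLOUDSTACK grants @MSUSER@ passwordless root for any find invocation, and find's -exec/-execdir actions run arbitrary commands, so this entry is equivalent to an unrestricted root grant rather than the single `find $destdir -name` lookup the script needs; the alias already contains broad entries (`/bin/cp`, `/bin/chmod`), but `find` widens the exposure noticeably. Consider keeping the privileged lookup out of sudoers altogether (e.g. a root-owned helper with fixed arguments) or, at minimum, stating the trade-off in the comment above the alias, `# find/ls/df/qemu-img are granted for setup-sysvm-tmplt; find in particular allows arbitrary command execution via -exec`. Separately, the alias lists both `/usr/bin/keytool` and `/bin/keytool` but only `/bin/qemu-img`; on systems where /bin and /usr/bin are not merged, `sudo $qemuimgcmd` in setup-sysvm-tmplt will presumably be refused if the binary is found under /usr/bin, so adding `/usr/bin/qemu-img` alongside would be consistent with the existing pattern.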