[openstack-dev] [kolla] Kolla configuration files owner and permission

Jeffrey Zhang zhang.lei.fly at gmail.com
Wed Aug 24 01:22:56 UTC 2016


Using the same user for running the service and for owning the configuration files is
dangerous, i.e. the user the service runs as shouldn't be able to change the
configuration files.

A simple attack looks like this:
* a hacker hacks into the nova-api container as the nova user
* he can change the /etc/nova/rootwrap.conf file and the
/etc/nova/rootwrap.d directory, with which he can get much greater authority
through sudo
* he can also change the /etc/nova/nova.conf file to use another
privsep_command.helper_command to get greater authority:
    [privsep_entrypoint]
    helper_command=sudo nova-rootwrap /etc/nova/rootwrap.conf
    privsep-helper --config-file /etc/nova/nova.conf

So the right rule should be: do not let the user the service runs as have
write permission to the configuration files.

For the nova.conf file, I think root:root with 644 permission
or root:nova with 640 should be enough.
For the directory, root:root with 755 or root:nova with 750
should be enough.

On Tue, Aug 23, 2016 at 11:11 PM, Steven Dake (stdake) <stdake at cisco.com> wrote:
> On 8/23/16, 7:05 AM, "Gerard Braad" <me at gbraad.nl> wrote:
>
>>On Tue, Aug 23, 2016 at 9:56 PM, lương hữu tuấn <tuantuluong at gmail.com> wrote:
>>> I also prefer a dedicated user ("kolla" seems the best choice) as same
>>> On Tue, Aug 23, 2016 at 3:51 PM, Paul Bourke <paul.bourke at oracle.com> wrote:
>>>> In my experience operators prefer a dedicated user (kolla:kolla), though I
>>
>>kolla:kolla seems more logical and simpler to reason about.
>>
>
> kolla:kolla still works with multi-user approach and permissions 660 on /etc/kolla files.
>
> Regards
> -steve
>
>>
>>--
>>
>>   Gerard Braad | http://gbraad.nl
>>   [ Doing Open Source Matters ]
>>
>>__________________________________________________________________________
>>OpenStack Development Mailing List (not for usage questions)
>>Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
>>http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
-- 
Regards,
Jeffrey Zhang
Blog: http://xcodest.me
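As an added illustration of the rule in this thread (not code from Kolla or from anyone in the discussion), a small POSIX shell audit that flags configuration paths the account a service runs as could modify. It assumes GNU/busybox `stat -c`, and it treats a file owned by the service user as a finding regardless of its mode bits, because the owner can always chmod it back.

```shell
#!/bin/sh
# Added example, not Kolla's code: flag configuration paths that the account a
# service runs as could modify. Assumes `stat -c '%U %G %a'` (GNU/busybox).
# The user and group names passed in do not need to exist on this host.

# writable_by PATH USER GROUP -> exit 0 if USER (a member of GROUP) could write PATH
writable_by() {
  path=$1; svc_user=$2; svc_group=$3
  out=$(stat -c '%U %G %a' "$path" 2>/dev/null) || return 2
  set -- $out
  owner=$1; group=$2; mode=$(printf '%03d' "$3")
  # keep the three rwx digits, dropping a leading setuid/setgid/sticky digit
  mode=${mode#"${mode%???}"}
  g=${mode#?}; g=${g%?}; o=${mode#??}
  # the owner can chmod the file back to writable at any time, so ownership by
  # the service account is a finding on its own (the "same user" case)
  [ "$owner" = "$svc_user" ] && return 0
  # e.g. root:nova 660: group-writable by the service group
  [ "$group" = "$svc_group" ] && [ $((g & 2)) -ne 0 ] && return 0
  # world-writable
  [ $((o & 2)) -ne 0 ] && return 0
  return 1
}

# audit_config_dir DIR USER GROUP -> prints "owner:group mode path" per finding
audit_config_dir() {
  find "$1" \( -type f -o -type d \) | while IFS= read -r p; do
    if writable_by "$p" "$2" "$3"; then
      printf '%s %s\n' "$(stat -c '%U:%G %a' "$p")" "$p"
    fi
  done
}

# count_findings DIR USER GROUP -> number of flagged paths
count_findings() { audit_config_dir "$@" | wc -l | tr -d ' '; }

# stand-alone use: sh audit.sh /etc/nova nova nova
if [ $# -eq 3 ]; then audit_config_dir "$@"; fi
```

Run against a config directory, a root:nova 640 layout reports nothing, while kolla:kolla with 660 reports every file when the service itself runs as kolla.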