<div dir="ltr"><br><div class="gmail_extra"><div><div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div>On Mon, Sep 26, 2016 at 4:32 PM, Jeffrey Zhang <span dir="ltr"><<a href="mailto:zhang.lei.fly@gmail.com" target="_blank">zhang.lei.fly@gmail.com</a>></span> wrote:<br></div></div></div></div><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div style="font-family:monospace,monospace;font-size:small">Hey Sam,</div><div style="font-family:monospace,monospace;font-size:small"><br></div><div style="font-family:monospace,monospace;font-size:small">Yes, world-readable is bad. But writable for the currently running service is also bad.</div><div style="font-family:monospace,monospace;font-size:small"><br></div><div style="font-family:monospace,monospace;font-size:small">But in nova.conf, the rootwrap_config is configurable. It can be changed to a custom file to gain root permission.<br></div><div style="font-family:monospace,monospace;font-size:small"><br></div><div style="font-family:monospace,monospace;font-size:small"># nova.conf</div><div style="font-family:monospace,monospace;font-size:small">rootwrap_config = /tmp/rootwrap.conf<br></div><div style="font-family:monospace,monospace;font-size:small"><br></div><div style="font-family:monospace,monospace;font-size:small"># /tmp/rootwrap.conf</div><div style="font-family:monospace,monospace;font-size:small">[DEFAULT]</div><div style="font-family:monospace,monospace;font-size:small">filters_path = /tmp/rootwrap.conf.d/ </div></div></blockquote><div><br></div><div>Sorry Jeffrey, you are mistaken about this. Just because you change the filters_path means nothing. The filters_path is hardcoded in the /etc/sudoers.d/nova file. Sudo will not work with any arbitrary path you specify. If you want to make the service config files nova:nova 0400 you can. Though there is no added benefit in doing this in my opinion. 
It is not a bad precaution I suppose, though it may affect some people's development cycle with Kolla. I remember I personally changed the config from inside the running Docker container once or twice while testing.</div><div><br></div><div>SamYaple</div><div><br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div style="font-family:monospace,monospace;font-size:small"><br></div><div style="font-family:monospace,monospace;font-size:small">So the file should be</div><div style="font-family:monospace,monospace;font-size:small"><br></div><div style="font-family:monospace,monospace;font-size:small">0640 root:nova nova.conf</div><div style="font-family:monospace,monospace;font-size:small"><br></div></div><div class="HOEnZb"><div class="h5"><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Sep 26, 2016 at 10:43 PM, Sam Yaple <span dir="ltr"><<a href="mailto:samuel@yaple.net" target="_blank">samuel@yaple.net</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div class="gmail_extra"><div class="gmail_quote"><span>On Mon, Sep 26, 2016 at 1:18 PM, Jeffrey Zhang <span dir="ltr"><<a href="mailto:zhang.lei.fly@gmail.com" target="_blank">zhang.lei.fly@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div style="font-family:monospace,monospace;font-size:small"><span style="font-family:arial,sans-serif;font-size:12.8px">Using the same user for running the service and the configuration files is</span><br style="font-family:arial,sans-serif;font-size:12.8px"><span style="font-family:arial,sans-serif;font-size:12.8px"> a danger. i.e. 
the service running user shouldn't change the</span><br style="font-family:arial,sans-serif;font-size:12.8px"><span style="font-family:arial,sans-serif;font-size:12.8px">configuration files.</span><br style="font-family:arial,sans-serif;font-size:12.8px"><br style="font-family:arial,sans-serif;font-size:12.8px"><span style="font-family:arial,sans-serif;font-size:12.8px">A simple attack looks like:</span><br style="font-family:arial,sans-serif;font-size:12.8px"><span style="font-family:arial,sans-serif;font-size:12.8px">* a hacker hacks into the nova-api container as the nova user</span><br style="font-family:arial,sans-serif;font-size:12.8px"><span style="font-family:arial,sans-serif;font-size:12.8px">* he can change the /etc/nova/rootwrap.conf file and</span><br style="font-family:arial,sans-serif;font-size:12.8px"><span style="font-family:arial,sans-serif;font-size:12.8px">/etc/nova/rootwrap.d file, with which he can get much greater authority</span><br style="font-family:arial,sans-serif;font-size:12.8px"><span style="font-family:arial,sans-serif;font-size:12.8px">with sudo</span><br style="font-family:arial,sans-serif;font-size:12.8px"><span style="font-family:arial,sans-serif;font-size:12.8px">* he can also change the /etc/nova/nova.conf file to use another</span><br style="font-family:arial,sans-serif;font-size:12.8px"><span style="font-family:arial,sans-serif;font-size:12.8px">privsep_command.helper_command to get greater authority</span><br style="font-family:arial,sans-serif;font-size:12.8px"><span style="font-family:arial,sans-serif;font-size:12.8px">    [privsep_entrypoint]</span><br style="font-family:arial,sans-serif;font-size:12.8px"><span style="font-family:arial,sans-serif;font-size:12.8px">    helper_command=sudo nova-rootwrap /etc/nova/rootwrap.conf</span><br style="font-family:arial,sans-serif;font-size:12.8px"><span style="font-family:arial,sans-serif;font-size:12.8px">privsep-helper --config-file /etc/nova/nova.conf</span><br 
style="font-family:arial,sans-serif;font-size:12.8px"><br style="font-family:arial,sans-serif;font-size:12.8px"></div></div></blockquote></span><div>This is not true. The helper command required /etc/sudoers.d/* configuration files to work. So just because it was changed to something else doesn't mean an attacker could actually do anything to adjust that, considering /etc/nova/rootwrap* is already owned by root. This was fixed early on in the Kolla lifecycle, pre-Liberty.</div><div><br></div><div>Feel free to adjust /etc/nova/nova.conf to root:root, but you won't be gaining any security advantage in doing so; you will be making it worse (see below). I don't know of a need for it to be owned by the service user, other than that is how all OpenStack things are packaged and those are the permissions in the repo and other deploy tools.</div><span><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div style="font-family:monospace,monospace;font-size:small"><span style="font-family:arial,sans-serif;font-size:12.8px">So the right rule should be: do not let the service running user have</span><br style="font-family:arial,sans-serif;font-size:12.8px"><span style="font-family:arial,sans-serif;font-size:12.8px">write permission to configuration files.</span><br style="font-family:arial,sans-serif;font-size:12.8px"><br style="font-family:arial,sans-serif;font-size:12.8px"><span style="font-family:arial,sans-serif;font-size:12.8px">As for the nova.conf file, I think root:root with 644 permission</span><br style="font-family:arial,sans-serif;font-size:12.8px"><span style="font-family:arial,sans-serif;font-size:12.8px">is enough;</span><br style="font-family:arial,sans-serif;font-size:12.8px"><span style="font-family:arial,sans-serif;font-size:12.8px">for the directory file, root:root with 755 is</span><span style="font-family:arial,sans-serif;font-size:12.8px"> 
enough.</span></div></div></blockquote><div><br></div></span><div>So this actually makes it _less_ secure. The 0600 permissions were chosen for a reason. The nova.conf file has passwords to the DB and RabbitMQ. If the configuration files are world-readable then those passwords could leak to an unprivileged user on the host.</div><span><div><br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div style="font-family:monospace,monospace;font-size:small"><div style="margin:2px 0px 0px;font-family:arial,sans-serif;font-size:12.8px"></div></div><div style="font-family:monospace,monospace;font-size:small"><span style="font-family:arial,sans-serif;font-size:12.8px"><br></span></div><div style="font-family:monospace,monospace;font-size:small"><span style="font-family:arial,sans-serif;font-size:12.8px">A related BP[0] and PS[1] are created</span></div><div style="font-family:monospace,monospace;font-size:small"><span style="font-family:arial,sans-serif;font-size:12.8px"><br></span></div><div><span style="font-family:arial,sans-serif;font-size:12.8px">[0] </span><span style="font-size:12.8px"><a href="https://blueprints.launchpad.net/kolla/+spec/config-readonly" target="_blank">https://blueprints.launchpad.net/kolla/+spec/config-readonly</a></span></div><div><span style="font-size:12.8px">[1] <a href="https://review.openstack.org/376465" target="_blank">https://review.openstack.org/376465</a></span></div><div class="gmail_extra"><br><div class="gmail_quote">On Sat, Sep 24, 2016 at 11:08 PM, 1392607554 <span dir="ltr"><<a href="mailto:1392607554@qq.com" target="_blank">1392607554@qq.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">configuration file owner and permission in container<span><font 
color="#888888"><div><br></div><div>--</div><div>Regards,</div><div>zhubingbing</div><br>______________________________<wbr>______________________________<wbr>______________<br>
OpenStack Development Mailing List (not for usage questions)<br>
Unsubscribe: <a href="http://OpenStack-dev-request@lists.openstack.org?subject:unsubscribe" rel="noreferrer" target="_blank">OpenStack-dev-request@lists.op<wbr>enstack.org?subject:unsubscrib<wbr>e</a><br>
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" rel="noreferrer" target="_blank">http://lists.openstack.org/cgi<wbr>-bin/mailman/listinfo/openstac<wbr>k-dev</a><br>
<br></font></span></blockquote></div><span><font color="#888888"><br><br clear="all"><div><br></div>-- <br><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div dir="ltr"><div dir="ltr"><div><span style="font-size:13px;border-collapse:collapse"><font face="monospace, monospace">Regards,</font></span></div><div><span style="font-size:13px;border-collapse:collapse"><font face="monospace, monospace">Jeffrey Zhang</font></span></div><div><span style="font-family:monospace,monospace;font-size:12.8px">Blog: </span><a href="http://xcodest.me/" style="font-family:monospace,monospace;font-size:12.8px" target="_blank">http://xcodest.me</a><font face="monospace, monospace"><br></font></div></div></div></div></div></div></div></div></div>
</font></span></div></div>
<br></blockquote></span></div><br></div></div>
<br></blockquote></div><br><br clear="all"><div><br></div>-- <br><div data-smartmail="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div dir="ltr"><div dir="ltr"><div><span style="font-size:13px;border-collapse:collapse"><font face="monospace, monospace">Regards,</font></span></div><div><span style="font-size:13px;border-collapse:collapse"><font face="monospace, monospace">Jeffrey Zhang</font></span></div><div><span style="font-family:monospace,monospace;font-size:12.8px">Blog: </span><a href="http://xcodest.me/" style="font-family:monospace,monospace;font-size:12.8px" target="_blank">http://xcodest.me</a><font face="monospace, monospace"><br></font></div></div></div></div></div></div></div></div></div>
</div>
</div></div></blockquote></div><br></div></div>
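The two rules the thread ends up circling (a secrets-bearing nova.conf must not be world-readable; the files sudo/rootwrap trusts must not be writable by the service user) and Sam's point that the sudoers Cmnd spec pins the rootwrap config path can be checked mechanically. The POSIX shell script below is an added example written for this page, not Kolla or Nova code. It assumes `stat -c` (GNU coreutils or busybox), that the service user's primary group carries the same name as the user (nova:nova, as in common packaging), and a sudoers spec of the form `/usr/bin/nova-rootwrap /etc/nova/rootwrap.conf *`; the function names `audit_secret`, `audit_privileged_input` and `sudo_would_allow`, the simplified sudoers matcher, and the sample files it builds are all mine.

```shell
#!/bin/sh
# Added example, not Kolla or Nova code: audit the ownership and mode of an
# OpenStack service's config files inside a container against the two rules
# argued in the thread:
#   1. a file carrying secrets (nova.conf holds the DB and RabbitMQ passwords)
#      must not be world-readable;
#   2. a file that feeds a privilege boundary (rootwrap.conf, rootwrap.d/)
#      must not be writable by the unprivileged service user.
# It also models, in simplified form, why a sudoers Cmnd spec that pins the
# rootwrap config path rejects a request that substitutes /tmp/rootwrap.conf.
# Assumptions: `stat -c` (GNU coreutils or busybox); the service user's primary
# group has the same name as the user (nova:nova), as in common packaging.

# perm_bits FILE -> the three permission digits, e.g. 640 (setuid/sticky
# digit dropped, short values zero-padded).
perm_bits() {
    m=$(stat -c '%a' "$1")
    while [ "${#m}" -lt 3 ]; do m=0$m; done
    printf '%s\n' "${m#"${m%???}"}"
}

# bit_set DIGIT MASK -> true if MASK (4 read, 2 write, 1 exec) is in DIGIT
bit_set() { [ $(( $1 & $2 )) -ne 0 ]; }

# world_readable FILE -> true when the "other" read bit is set
world_readable() {
    m=$(perm_bits "$1")
    bit_set "${m#??}" 4
}

# writable_by FILE USER -> true if USER can write FILE as owner, via a group
# named like USER (assumption above), or via the "other" write bit.
writable_by() {
    m=$(perm_bits "$1")
    u=${m%??}; g=${m#?}; g=${g%?}; o=${m#??}
    if [ "$(stat -c '%U' "$1")" = "$2" ] && bit_set "$u" 2; then return 0; fi
    if [ "$(stat -c '%G' "$1")" = "$2" ] && bit_set "$g" 2; then return 0; fi
    bit_set "$o" 2
}

# audit_secret FILE USER -> 0 only if FILE is neither world-readable nor
# writable by USER.  root:nova 0640 and nova:nova 0400 pass; 0644 fails on
# rule 1; nova:nova 0600 fails on rule 2 because the service user can edit it.
audit_secret() {
    rc=0
    if world_readable "$1"; then echo "FAIL $1 ($(perm_bits "$1")): world-readable"; rc=1; fi
    if writable_by "$1" "$2"; then echo "FAIL $1 ($(perm_bits "$1")): writable by $2"; rc=1; fi
    [ "$rc" -eq 0 ] && echo "ok   $1 ($(perm_bits "$1"))"
    return "$rc"
}

# audit_privileged_input FILE USER -> 0 only if USER cannot write FILE.
# Readability is fine here: rootwrap.conf and the filter files hold no secrets.
audit_privileged_input() {
    if writable_by "$1" "$2"; then echo "FAIL $1 ($(perm_bits "$1")): writable by $2"; return 1; fi
    echo "ok   $1 ($(perm_bits "$1"))"
}

# sudo_would_allow CMND_SPEC REQUEST -> simplified sudoers command matching:
# every word of CMND_SPEC before a trailing "*" must match REQUEST exactly,
# and the "*" stands for any remaining arguments.  Real sudoers matching is
# richer (per-word globs, negation, digests); this is just enough to show why
# "sudo nova-rootwrap /tmp/rootwrap.conf ..." does not match a pinned spec.
sudo_would_allow() {
    case $1 in
        *' *') fixed=${1% \*}
               case $2 in "$fixed"|"$fixed "*) return 0 ;; esac
               return 1 ;;
        *)     [ "$2" = "$1" ] ;;
    esac
}

# Stand-alone demo on a constructed layout (not a real container); only the
# caller's own uid is available, so it stands in for the service user.
demo() {
    d=$(mktemp -d)
    printf '[database]\nconnection = mysql://nova:s3cret@db/nova\n' > "$d/nova.conf"
    printf '[DEFAULT]\nfilters_path = /etc/nova/rootwrap.d\n' > "$d/rootwrap.conf"
    me=$(stat -c '%U' "$d/nova.conf")
    chmod 644 "$d/nova.conf" "$d/rootwrap.conf"
    audit_secret "$d/nova.conf" "$me" || true               # both rules fail
    audit_privileged_input "$d/rootwrap.conf" "$me" || true # service user owns it
    chmod 640 "$d/nova.conf"
    audit_secret "$d/nova.conf" nova || true                # root:nova 0640 shape: ok
    spec='/usr/bin/nova-rootwrap /etc/nova/rootwrap.conf *'
    if sudo_would_allow "$spec" '/usr/bin/nova-rootwrap /tmp/rootwrap.conf cat /etc/shadow'; then
        echo "sudo: allowed"
    else
        echo "sudo: denied (config path is pinned in the Cmnd spec)"
    fi
    rm -rf "$d"
}
demo
```

Inside a real container the same functions apply to the real paths, e.g. `audit_secret /etc/nova/nova.conf nova` and `audit_privileged_input /etc/nova/rootwrap.conf nova`, and `sudo_would_allow` can be fed the Cmnd spec copied from /etc/sudoers.d/nova. Note that the sudoers check is a model of the matching rule, not a substitute for `sudo -l -U nova`, which is what to run on the box itself.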