<div dir="ltr"><div class="gmail_default" style="font-family:arial,sans-serif;font-size:12.8px">Using the same user for running the service and for owning the configuration files is<br>a danger, i.e. the user the service runs as shouldn't change the<br>configuration files.<br><br>A simple attack like:<br>* a hacker hacked into the nova-api container as the nova user<br>* he can change the /etc/nova/rootwrap.conf file and<br>/etc/nova/rootwrap.d, with which he can get much greater authority<br>with sudo<br>* he can also change the /etc/nova/nova.conf file to use another<br>privsep_command.helper_command to get greater authority<br>    [privsep_entrypoint]<br>    helper_command=sudo nova-rootwrap /etc/nova/rootwrap.conf privsep-helper --config-file /etc/nova/nova.conf<br><br>So the right rule should be: do not let the user the service runs as have<br>write permission to the configuration files.<br><br>As for the nova.conf file, I think root:root with 644 permissions<br>is enough;<br>for the directory, root:root with 755 is enough.</div><div class="gmail_default"><br></div><div class="gmail_default" style="font-family:arial,sans-serif;font-size:12.8px">A related BP [0] and PS [1] have been created.</div><div class="gmail_default"><br></div><div class="gmail_default">[0] <a href="https://blueprints.launchpad.net/kolla/+spec/config-readonly">https://blueprints.launchpad.net/kolla/+spec/config-readonly</a></div><div class="gmail_default">[1] <a href="https://review.openstack.org/376465">https://review.openstack.org/376465</a></div><div class="gmail_extra"><br><div class="gmail_quote">On Sat, Sep 24, 2016 at 11:08 PM, 1392607554 <span dir="ltr">&lt;<a href="mailto:1392607554@qq.com">1392607554@qq.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">configuration file owner and permission in container<div><br></div><div>--</div><div>Regards,</div><div>zhubingbing</div><br>____________________________________________________________________________<br>
OpenStack Development Mailing List (not for usage questions)<br>
Unsubscribe: <a href="http://OpenStack-dev-request@lists.openstack.org?subject:unsubscribe" rel="noreferrer">OpenStack-dev-request@lists.openstack.org?subject:unsubscribe</a><br>
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" rel="noreferrer">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br>
<br></blockquote></div><br><br clear="all"><div><br></div>-- <br><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div dir="ltr"><div dir="ltr"><div><span style="font-size:13px;border-collapse:collapse"><font face="monospace, monospace">Regards,</font></span></div><div><span style="font-size:13px;border-collapse:collapse"><font face="monospace, monospace">Jeffrey Zhang</font></span></div><div><span style="font-family:monospace,monospace;font-size:12.8px">Blog: </span><a href="http://xcodest.me/" style="font-family:monospace,monospace;font-size:12.8px">http://xcodest.me</a><font face="monospace, monospace"><br></font></div></div></div></div></div></div></div></div></div>
</div></div>
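<div class="gmail_default" style="font-family:arial,sans-serif;font-size:12.8px">An added example, not part of the thread above and not code from Kolla or Nova: a small POSIX shell audit for the rule Jeffrey states (the account the service runs as must not be able to write its configuration), plus a helper that applies the root:root / 644 / 755 layout he proposes. The directory path (/etc/nova), the service user name (nova) and the function names are assumptions for illustration. It flags ownership as well as mode bits, because a nova-owned file is writable by nova regardless of its current mode (the owner can chmod it), and it checks the directory too, because a writable /etc/nova lets the user replace nova.conf or drop a filter file into rootwrap.d even when every file is root:root 644.</div>

```sh
#!/bin/sh
# Added example, not from the original mail or from Kolla/Nova.
# Audits a configuration directory for the rule stated in the thread:
# the account the service runs as must not be able to write its own config,
# because a writable rootwrap.conf / rootwrap.d / nova.conf lets it escalate
# through sudo nova-rootwrap or a replaced privsep helper_command.
# Assumed names: DIR such as /etc/nova, SERVICE_USER such as nova.

# audit_config_dir DIR SERVICE_USER
# Prints every path SERVICE_USER could modify; returns 1 if any, 0 if clean.
# A path is flagged when it is
#   - owned by SERVICE_USER (an owner can always chmod a 444 file back to 644), or
#   - group-writable (020) or world-writable (002); this covers the directory
#     itself, since a writable directory lets the user rename nova.conf away or
#     drop a new filter file into rootwrap.d even if every file is root:root 644.
audit_config_dir() {
    dir=$1
    svc_user=$2
    offenders=$(find "$dir" \( -user "$svc_user" -o -perm -020 -o -perm -002 \) -print)
    if [ -n "$offenders" ]; then
        printf '%s\n' "$offenders"
        return 1
    fi
    return 0
}

# harden_config_dir DIR OWNER
# Applies the layout proposed in the mail: OWNER on everything (root:root in a
# real container), 755 on directories, 644 on files. Needs privileges to chown
# to root; an unprivileged run can only chown to the caller's own uid.
harden_config_dir() {
    dir=$1
    owner=$2
    chown -R "$owner" "$dir" &&
        find "$dir" -type d -exec chmod 755 {} + &&
        find "$dir" -type f -exec chmod 644 {} +
}

# Command-line use inside the container: sh audit_config.sh /etc/nova nova
if [ "$#" -eq 2 ]; then
    if audit_config_dir "$1" "$2"; then
        echo "ok: $2 cannot write under $1"
    else
        echo "FAIL: the paths above are writable by $2" >&2
        exit 1
    fi
fi
```

<div class="gmail_default" style="font-family:arial,sans-serif;font-size:12.8px">Run it from inside the container (or against the host path that is bind-mounted as /etc/nova) as <code>sh audit_config.sh /etc/nova nova</code>; a non-zero exit with the offending paths means the nova user could still rewrite rootwrap.conf, rootwrap.d or the privsep helper_command in nova.conf. The audit only reasons about ownership and mode bits; ACLs or capabilities granted to the service account would need a separate check.</div>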