<div dir="ltr"><div class="gmail_default" style="font-family:monospace,monospace;font-size:small">Hey Sam,</div><div class="gmail_default" style="font-family:monospace,monospace;font-size:small"><br></div><div class="gmail_default" style="font-family:monospace,monospace;font-size:small">Yes. World-readable is bad, but writable by the currently running service is also bad.</div><div class="gmail_default" style="font-family:monospace,monospace;font-size:small"><br></div><div class="gmail_default" style="font-family:monospace,monospace;font-size:small">But in nova.conf, rootwrap_config is configurable. It can be changed to a custom file to gain root permission.<br></div><div class="gmail_default" style="font-family:monospace,monospace;font-size:small"><br></div><div class="gmail_default" style="font-family:monospace,monospace;font-size:small"># nova.conf</div><div class="gmail_default" style="font-family:monospace,monospace;font-size:small">rootwrap_config = /tmp/rootwrap.conf<br></div><div class="gmail_default" style="font-family:monospace,monospace;font-size:small"><br></div><div class="gmail_default" style="font-family:monospace,monospace;font-size:small"># /tmp/rootwrap.conf</div><div class="gmail_default" style="font-family:monospace,monospace;font-size:small">[DEFAULT]</div><div class="gmail_default" style="font-family:monospace,monospace;font-size:small">filters_path = /tmp/rootwrap.conf.d/ </div><div class="gmail_default" style="font-family:monospace,monospace;font-size:small"><br></div><div class="gmail_default" style="font-family:monospace,monospace;font-size:small">So the file should be:</div><div class="gmail_default" style="font-family:monospace,monospace;font-size:small"><br></div><div class="gmail_default" style="font-family:monospace,monospace;font-size:small">0640 root:nova nova.conf</div><div class="gmail_default" style="font-family:monospace,monospace;font-size:small"><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Mon, 
Sep 26, 2016 at 10:43 PM, Sam Yaple <span dir="ltr"><<a href="mailto:samuel@yaple.net" target="_blank">samuel@yaple.net</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div class="gmail_extra"><div class="gmail_quote"><span class="">On Mon, Sep 26, 2016 at 1:18 PM, Jeffrey Zhang <span dir="ltr"><<a href="mailto:zhang.lei.fly@gmail.com" target="_blank">zhang.lei.fly@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div style="font-family:monospace,monospace;font-size:small"><span style="font-family:arial,sans-serif;font-size:12.8px">Using the same user for the running service and the configuration files is</span><br style="font-family:arial,sans-serif;font-size:12.8px"><span style="font-family:arial,sans-serif;font-size:12.8px"> a danger, i.e. the service's running user shouldn't change the</span><br style="font-family:arial,sans-serif;font-size:12.8px"><span style="font-family:arial,sans-serif;font-size:12.8px">configuration files.</span><br style="font-family:arial,sans-serif;font-size:12.8px"><br style="font-family:arial,sans-serif;font-size:12.8px"><span style="font-family:arial,sans-serif;font-size:12.8px">A simple attack looks like:</span><br style="font-family:arial,sans-serif;font-size:12.8px"><span style="font-family:arial,sans-serif;font-size:12.8px">* a hacker hacked into the nova-api container as the nova user</span><br style="font-family:arial,sans-serif;font-size:12.8px"><span style="font-family:arial,sans-serif;font-size:12.8px">* he can change the /etc/nova/rootwrap.conf file and</span><br style="font-family:arial,sans-serif;font-size:12.8px"><span style="font-family:arial,sans-serif;font-size:12.8px">the /etc/nova/rootwrap.d file, which gives him much greater authority</span><br style="font-family:arial,sans-serif;font-size:12.8px"><span style="font-family:arial,sans-serif;font-size:12.8px">with sudo</span><br style="font-family:arial,sans-serif;font-size:12.8px"><span style="font-family:arial,sans-serif;font-size:12.8px">* he can also change the /etc/nova/nova.conf file to use another</span><br style="font-family:arial,sans-serif;font-size:12.8px"><span style="font-family:arial,sans-serif;font-size:12.8px">privsep_command.helper_command to get greater authority</span><br style="font-family:arial,sans-serif;font-size:12.8px"><span style="font-family:arial,sans-serif;font-size:12.8px">    [privsep_entrypoint]</span><br style="font-family:arial,sans-serif;font-size:12.8px"><span style="font-family:arial,sans-serif;font-size:12.8px">    helper_command=sudo nova-rootwrap /etc/nova/rootwrap.conf</span><br style="font-family:arial,sans-serif;font-size:12.8px"><span style="font-family:arial,sans-serif;font-size:12.8px">privsep-helper --config-file /etc/nova/nova.conf</span><br style="font-family:arial,sans-serif;font-size:12.8px"><br style="font-family:arial,sans-serif;font-size:12.8px"></div></div></blockquote></span><div>This is not true. The helper command requires /etc/sudoers.d/* configuration files to work. So just because it was changed to something else doesn't mean an attacker could actually do anything to adjust that, considering /etc/nova/rootwrap* is already owned by root. This was fixed early on in the Kolla lifecycle, pre-Liberty.</div><div><br></div><div>Feel free to adjust /etc/nova/nova.conf to root:root, but you won't be gaining any security advantage in doing so; you will be making it worse (see below). 
I don't know of a need for it to be owned by the service user, other than that is how all OpenStack things are packaged and those are the permissions in the repo and other deploy tools.</div><span class=""><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div style="font-family:monospace,monospace;font-size:small"><span style="font-family:arial,sans-serif;font-size:12.8px">So the right rule should be: do not let the service's running user have</span><br style="font-family:arial,sans-serif;font-size:12.8px"><span style="font-family:arial,sans-serif;font-size:12.8px">write permission to the configuration files.</span><br style="font-family:arial,sans-serif;font-size:12.8px"><br style="font-family:arial,sans-serif;font-size:12.8px"><span style="font-family:arial,sans-serif;font-size:12.8px">For the nova.conf file, I think root:root with 644 permissions</span><br style="font-family:arial,sans-serif;font-size:12.8px"><span style="font-family:arial,sans-serif;font-size:12.8px">is enough;</span><br style="font-family:arial,sans-serif;font-size:12.8px"><span style="font-family:arial,sans-serif;font-size:12.8px">for the directory, root:root with 755 is</span><span style="font-family:arial,sans-serif;font-size:12.8px"> enough.</span></div></div></blockquote><div><br></div></span><div>So this actually makes it _less_ secure. The 0600 permissions were chosen for a reason. The nova.conf file has passwords to the DB and RabbitMQ. 
If the configuration files are world readable then those passwords could leak to an unprivileged user on the host.</div><span class=""><div><br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div style="font-family:monospace,monospace;font-size:small"><div style="margin:2px 0px 0px;font-family:arial,sans-serif;font-size:12.8px"></div></div><div style="font-family:monospace,monospace;font-size:small"><span style="font-family:arial,sans-serif;font-size:12.8px"><br></span></div><div style="font-family:monospace,monospace;font-size:small"><span style="font-family:arial,sans-serif;font-size:12.8px">A related BP[0] and PS[1] is created</span></div><div style="font-family:monospace,monospace;font-size:small"><span style="font-family:arial,sans-serif;font-size:12.8px"><br></span></div><div><span style="font-family:arial,sans-serif;font-size:12.8px">[0] </span><span style="font-size:12.8px"><a href="https://blueprints.launchpad.net/kolla/+spec/config-readonly" target="_blank">https://blueprints.launchp<wbr>ad.net/kolla/+spec/config-<wbr>readonly</a></span></div><div><span style="font-size:12.8px">[1] <a href="https://review.openstack.org/376465" target="_blank">https://review.openstack.o<wbr>rg/376465</a></span></div><div class="gmail_extra"><br><div class="gmail_quote">On Sat, Sep 24, 2016 at 11:08 PM, 1392607554 <span dir="ltr"><<a href="mailto:1392607554@qq.com" target="_blank">1392607554@qq.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">configuration file owner and permission in container<span><font color="#888888"><div><br></div><div>--</div><div>Regrad,</div><div>zhubingbing</div><br>______________________________<wbr>______________________________<wbr>______________<br>
OpenStack Development Mailing List (not for usage questions)<br>
Unsubscribe: <a href="http://OpenStack-dev-request@lists.openstack.org?subject:unsubscribe" rel="noreferrer" target="_blank">OpenStack-dev-request@lists.openstack.org?subject:unsubscribe</a><br>
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" rel="noreferrer" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br>
<br></font></span></blockquote></div><span><font color="#888888"><br><br clear="all"><div><br></div>-- <br><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div dir="ltr"><div dir="ltr"><div><span style="font-size:13px;border-collapse:collapse"><font face="monospace, monospace">Regards,</font></span></div><div><span style="font-size:13px;border-collapse:collapse"><font face="monospace, monospace">Jeffrey Zhang</font></span></div><div><span style="font-family:monospace,monospace;font-size:12.8px">Blog: </span><a href="http://xcodest.me/" style="font-family:monospace,monospace;font-size:12.8px" target="_blank">http://xcodest.me</a><font face="monospace, monospace"><br></font></div></div></div></div></div></div></div></div></div>
</font></span></div></div>
<br></blockquote></span></div><br></div></div>
<br></blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div dir="ltr"><div dir="ltr"><div><span style="font-size:13px;border-collapse:collapse"><font face="monospace, monospace">Regards,</font></span></div><div><span style="font-size:13px;border-collapse:collapse"><font face="monospace, monospace">Jeffrey Zhang</font></span></div><div><span style="font-family:monospace,monospace;font-size:12.8px">Blog: </span><a href="http://xcodest.me/" style="font-family:monospace,monospace;font-size:12.8px" target="_blank">http://xcodest.me</a><font face="monospace, monospace"><br></font></div></div></div></div></div></div></div></div></div>
</div>
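<p>The thread argues two rules at once: the account a service runs as must not be able to write its own configuration (because nova.conf chooses <code>rootwrap_config</code> and the privsep <code>helper_command</code>, i.e. what is later run as root), and the configuration must not be world readable (it carries the DB and RabbitMQ passwords). The script below is an added example, not Kolla's or Nova's own tooling: it encodes both rules as a permission audit, contrasts the 0640 root:nova, 0600 nova:nova, 0644 root:root and 0600 root:root cases discussed above, and extracts from a constructed nova.conf the paths (rootwrap config, helper command arguments, rootwrap <code>filters_path</code>) that must be audited with the same rules. The uid/gid 1001 for the nova account and the sample config contents are assumptions, not values from the page.</p>

```python
"""Audit ownership/permissions of OpenStack service configuration files.

Added example (not Kolla/Nova code).  Rules encoded:
  1. the service account must not be able to write its own config;
  2. no permission bits for 'other' (the files hold DB/RabbitMQ secrets);
  3. the service account must still be able to read the file.
Acceptable target: 0640 root:<service group>.
"""
import configparser
import os
import shlex
import stat

ROOT_UID = 0
NOVA_UID = NOVA_GID = 1001  # assumed ids for the "nova" account (constructed)


def audit_config_perms(uid, gid, mode, service_uid, service_gid):
    """Return findings for one file's owner/group/mode; [] means acceptable."""
    perm = stat.S_IMODE(mode)
    findings = []
    if uid == service_uid:
        findings.append("owned by the service user: it can rewrite its own config")
    elif uid != ROOT_UID:
        findings.append("not owned by root")
    if gid == service_gid and perm & stat.S_IWGRP:
        findings.append("group-writable by the service group")
    if perm & stat.S_IRWXO:
        findings.append("world-accessible: secrets readable by any local user")
    readable = ((uid == service_uid and perm & stat.S_IRUSR)
                or (gid == service_gid and perm & stat.S_IRGRP)
                or perm & stat.S_IROTH)
    if not readable:
        findings.append("service user cannot read the file (e.g. root:root 0600)")
    return findings


def audit_path(path, service_uid, service_gid):
    """Stat a real file and audit it with the rules above."""
    st = os.stat(path)
    return audit_config_perms(st.st_uid, st.st_gid, st.st_mode,
                              service_uid, service_gid)


def privileged_paths(nova_conf_text):
    """Paths named in nova.conf that decide what later runs as root.

    An attacker who can write nova.conf would retarget exactly these
    (rootwrap_config, the privsep helper_command), so they need the same
    ownership audit as nova.conf itself.
    """
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(nova_conf_text)
    paths = []
    if cp.has_option("DEFAULT", "rootwrap_config"):
        paths.append(cp.get("DEFAULT", "rootwrap_config"))
    for section in cp.sections():
        if section.startswith("privsep") and cp.has_option(section, "helper_command"):
            # absolute paths in e.g. "sudo nova-rootwrap /etc/nova/rootwrap.conf ..."
            paths.extend(tok for tok in shlex.split(cp.get(section, "helper_command"))
                         if tok.startswith("/"))
    return paths


def rootwrap_filter_dirs(rootwrap_conf_text):
    """filters_path entries: directories whose *.filters files decide
    which commands rootwrap will run as root."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(rootwrap_conf_text)
    raw = cp.get("DEFAULT", "filters_path", fallback="")
    return [p.strip() for p in raw.split(",") if p.strip()]


# Constructed samples modelled on the snippets quoted in the thread.
SAMPLE_NOVA_CONF = """[DEFAULT]
rootwrap_config = /tmp/rootwrap.conf

[privsep_entrypoint]
helper_command = sudo nova-rootwrap /etc/nova/rootwrap.conf privsep-helper --config-file /etc/nova/nova.conf
"""

SAMPLE_ROOTWRAP_CONF = """[DEFAULT]
filters_path = /tmp/rootwrap.conf.d/
"""


def demo():
    """Contrast the permission sets discussed in the thread."""
    cases = {
        "0640 root:nova (recommended)": (ROOT_UID, NOVA_GID, 0o640),
        "0600 nova:nova (service owns its config)": (NOVA_UID, NOVA_GID, 0o600),
        "0644 root:root (world readable)": (ROOT_UID, ROOT_UID, 0o644),
        "0600 root:root (service cannot read)": (ROOT_UID, ROOT_UID, 0o600),
    }
    return {name: audit_config_perms(u, g, m, NOVA_UID, NOVA_GID)
            for name, (u, g, m) in cases.items()}


if __name__ == "__main__":
    for name, findings in demo().items():
        print(f"{name}: {findings or 'OK'}")
    for p in privileged_paths(SAMPLE_NOVA_CONF):
        print("audit with the same rules:", p)
    print("rootwrap filter dirs:", rootwrap_filter_dirs(SAMPLE_ROOTWRAP_CONF))
```

<p>Only the 0640 root:nova case comes back clean; the other three each produce exactly one finding, which is the point Jeffrey and Sam are each making from opposite ends. On a real host, run <code>audit_path</code> over nova.conf and then over every path returned by <code>privileged_paths</code> and every directory in <code>rootwrap_filter_dirs</code>, with the service uid/gid looked up via <code>pwd</code>/<code>grp</code> rather than the constructed 1001.</p>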