[Openstack-security] [Bug 1187107] Re: quantum-ns-metadata-proxy runs as root

Li Ma skywalker.nick at gmail.com
Sun Feb 23 13:20:18 UTC 2014


It seems that the command is classified under the ip-netns filter, which
will run under root permission. That's why the metadata-proxy command filter
doesn't take effect.

Actually, it's not 'wrong' behavior.

neutron-rootwrap: (root > root) Executing ['/sbin/ip', 'netns', 'exec', 'qrouter-445757d8-ade8-4c2f-9b44-029942e9fd26', 'neutron-ns-metadata-proxy', '--pid_file=/var/lib/neutron/external/pids/445757d8-ade8-4c2f-9b44-029942e9fd26.pid', '--metadata_proxy_socket=/var/lib/neutron/metadata_proxy', '--router_id=445757d8-ade8-4c2f-9b44-029942e9fd26', '--state_path=/var/lib/neutron', '--metadata_port=9697', '--log-file=neutron-ns-metadata-proxy-445757d8-ade8-4c2f-9b44-029942e9fd26.log', '--log-dir=/var/log/neutron'] (filter match = ip_exec)

https://bugs.launchpad.net/bugs/1187107

Title:
  quantum-ns-metadata-proxy runs as root

Status in OpenStack Neutron (virtual network service):
  Triaged

Bug description:
  # ps -ef | grep quantum-ns-metadata-proxy
  root     10239     1  0 19:01 ?        00:00:00 python /usr/bin/quantum-ns-metadata-proxy --pid_file=/var/lib/quantum/external/pids/7a44de32-3ac0-4f3e-92cc-1a37d8211db8.pid --router_id=7a44de32-3ac0-4f3e-92cc-1a37d8211db8 --state_path=/var/lib/quantum --debug --log-file=quantum-ns-metadata-proxy7a44de32-3ac0-4f3e-92cc-1a37d8211db8.log --log-dir=/var/log/quantum

  Root is needed to open the namespace, but the quantum-ns-metadata-proxy does not need root - it listens on 9697 by default, not 80.

  I tried changing /etc/quantum/rootwrap.d/l3.filters for it to run as
  quantum instead:

  metadata_proxy: CommandFilter, /usr/bin/quantum-ns-metadata-proxy, quantum

  but it still runs as root.
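The following is an added, deliberately simplified model of rootwrap's first-match filter lookup (not oslo.rootwrap's or Neutron's own code) that reproduces the behaviour discussed above: the launch goes through `ip netns exec`, so the `ip_exec` filter (run as root) wins and the `metadata_proxy` filter's `quantum` user is never consulted. The filter names, the `effective_user` helper and the matching-on-basename shortcut are assumptions made for the illustration; the router id and port come from the bug report.

```python
"""Simplified model of rootwrap filter matching (illustration only, not the
real oslo.rootwrap implementation) for the quantum-ns-metadata-proxy case."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class CommandFilter:
    name: str        # filter name as it would appear in l3.filters
    exec_path: str   # basename of the allowed command (real rootwrap resolves a full path)
    run_as: str      # user rootwrap switches to before executing

    def match(self, argv: List[str]) -> bool:
        return len(argv) > 0 and argv[0] == self.exec_path


@dataclass
class IpNetnsExecFilter(CommandFilter):
    def match(self, argv: List[str]) -> bool:
        # 'ip netns exec <namespace> <command...>' enters a namespace, which
        # needs root, so this filter claims the whole command line.
        return len(argv) > 4 and argv[:3] == ["ip", "netns", "exec"]


def match_filter(filters: List[CommandFilter],
                 argv: List[str]) -> Optional[CommandFilter]:
    # First matching filter wins; later filters are never examined.
    for f in filters:
        if f.match(argv):
            return f
    return None


# Filter list in the order the file would be read (assumed order).
FILTERS = [
    IpNetnsExecFilter("ip_exec", "ip", "root"),
    CommandFilter("metadata_proxy", "quantum-ns-metadata-proxy", "quantum"),
]

ROUTER = "7a44de32-3ac0-4f3e-92cc-1a37d8211db8"   # router id from the bug report
PROXY_CMD = ["quantum-ns-metadata-proxy",
             f"--router_id={ROUTER}", "--metadata_port=9697"]


def effective_user(argv: List[str]) -> Optional[Tuple[str, str]]:
    """Return (matched filter name, user the command runs as), or None if denied."""
    f = match_filter(FILTERS, argv)
    return (f.name, f.run_as) if f else None
```

Wrapping the proxy in `ip netns exec` yields `("ip_exec", "root")`, whereas the bare proxy command would have matched `("metadata_proxy", "quantum")`; the privilege drop has to happen after the namespace is entered, not in the filter file.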
