[Openstack-security] [Bug 1427228] Re: Allow to run neutron-ns-metadata-proxy as nobody
OpenStack Infra
1427228 at bugs.launchpad.net
Mon Apr 6 21:12:41 UTC 2015
Reviewed: https://review.openstack.org/165115
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=80bea7a38670620934faafd5f583fe6164b9f9b3
Submitter: Jenkins
Branch: master
commit 80bea7a38670620934faafd5f583fe6164b9f9b3
Author: Cedric Brandily <zzelle at gmail.com>
Date: Tue Mar 17 15:20:07 2015 +0000
Allow metadata proxy to run with nobody user/group

Currently metadata proxy cannot run with nobody user/group as metadata
proxy requires connecting to metadata_proxy_socket when queried.

This change allows running metadata proxy with nobody user/group by
allowing the metadata_proxy_socket mode to be chosen with the new option
metadata_proxy_socket_mode (4 choices) in order to adapt socket
permissions to metadata proxy user/group.

This change also refactors where options are defined to enable
metadata_proxy_user/group options in the metadata agent.

In practice:
* if metadata_proxy_user is agent effective user or root, then:
  * metadata proxy is allowed to use rootwrap (insecure)
  * set metadata_proxy_socket_mode = user (0o644)
* else if metadata_proxy_group is agent effective group, then:
  * metadata proxy is not allowed to use rootwrap (secure)
  * set metadata_proxy_socket_mode = group (0o664)
  * set metadata_proxy_log_watch = false
* else:
  * metadata proxy has lowest permissions (most secure) but metadata proxy
    socket can be opened by everyone
  * set metadata_proxy_socket_mode = all (0o666)
  * set metadata_proxy_log_watch = false

An alternative is to set metadata_proxy_socket_mode = deduce, in which
case metadata agent uses the previous rules to choose the correct mode.
DocImpact
Closes-Bug: #1427228
Change-Id: I235a0cc4f0cbd55ae4ec1570daf2ebbb6a72441d
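The socket-mode deduction the commit message spells out, written as an added Python illustration (not Neutron's own code, which resolves users and groups through pwd/grp): the option names metadata_proxy_user, metadata_proxy_group, metadata_proxy_socket_mode and metadata_proxy_log_watch come from the commit message, while the string-based user comparison, the ProxyPlan type, the plan() wrapper for explicit modes and the audit_socket() check are assumptions made for this example.

```python
"""Socket-mode deduction for the metadata proxy, as the rules above describe.

Added illustration, not Neutron's own code. The option names come from the
commit message; everything else is an assumption: users and groups are
compared as plain strings instead of being resolved through pwd/grp, so the
module runs offline.
"""
import stat
from dataclasses import dataclass

# The four choices of the new metadata_proxy_socket_mode option.
SOCKET_MODE_CHOICES = ("deduce", "user", "group", "all")

# Permission bits each explicit mode applies to metadata_proxy_socket.
# Connecting to a Unix socket needs write permission on it, which is why
# the write bits decide who can reach the proxy.
SOCKET_MODE_BITS = {
    "user": 0o644,   # only the socket owner can connect
    "group": 0o664,  # owner and group can connect
    "all": 0o666,    # any local process can connect
}


@dataclass(frozen=True)
class ProxyPlan:
    socket_mode: str        # "user", "group" or "all"
    mode_bits: int          # octal permission bits to apply to the socket
    rootwrap_allowed: bool  # whether the proxy may invoke rootwrap
    log_watch: bool         # value for metadata_proxy_log_watch


def _is_root(user):
    # Assumption: "root" or uid 0 (as string or int) denotes the root user.
    return user in ("root", "0", 0)


def deduce(proxy_user, proxy_group, agent_user, agent_group):
    """Apply the three 'In practice' rules from the commit message in order."""
    if proxy_user == agent_user or _is_root(proxy_user):
        # Proxy shares the agent's privileges: rootwrap usable, owner-only socket.
        return ProxyPlan("user", SOCKET_MODE_BITS["user"], True, True)
    if proxy_group == agent_group:
        # Different user, same group: no rootwrap, group-writable socket.
        return ProxyPlan("group", SOCKET_MODE_BITS["group"], False, False)
    # Unrelated user and group (e.g. nobody/nogroup): lowest privileges,
    # but the socket has to be world-writable for the proxy to connect.
    return ProxyPlan("all", SOCKET_MODE_BITS["all"], False, False)


def plan(proxy_user, proxy_group, agent_user, agent_group, socket_mode="deduce"):
    """Honour an explicit metadata_proxy_socket_mode, or deduce one.

    Assumption: an explicit mode only changes the socket bits; whether the
    proxy may use rootwrap and watch logs still follows from user/group.
    """
    if socket_mode not in SOCKET_MODE_CHOICES:
        raise ValueError("metadata_proxy_socket_mode must be one of %s"
                         % (SOCKET_MODE_CHOICES,))
    deduced = deduce(proxy_user, proxy_group, agent_user, agent_group)
    if socket_mode == "deduce":
        return deduced
    return ProxyPlan(socket_mode, SOCKET_MODE_BITS[socket_mode],
                     deduced.rootwrap_allowed, deduced.log_watch)


def audit_socket(actual_st_mode, expected):
    """Report a socket whose permissions are wider than the plan needs.

    actual_st_mode is an st_mode value (e.g. from os.stat(path).st_mode);
    expected is the ProxyPlan chosen for this proxy.
    """
    findings = []
    bits = stat.S_IMODE(actual_st_mode)
    if bits & stat.S_IWOTH and expected.socket_mode != "all":
        findings.append("socket is world-writable although mode '%s' suffices"
                        % expected.socket_mode)
    if bits & stat.S_IWGRP and expected.socket_mode == "user":
        findings.append("socket is group-writable although mode 'user' suffices")
    if expected.socket_mode == "all":
        findings.append("mode 'all': every local process can query the proxy")
    return findings


if __name__ == "__main__":
    # Constructed scenarios: the agent runs as neutron/neutron.
    for user, group in (("neutron", "neutron"), ("nobody", "neutron"),
                        ("nobody", "nogroup")):
        p = deduce(user, group, "neutron", "neutron")
        print(user, group, "->", p.socket_mode, oct(p.mode_bits),
              "rootwrap" if p.rootwrap_allowed else "no rootwrap")
    # A world-writable socket (st_mode of a socket file, constructed) for a
    # proxy that shares the agent's user: two findings.
    print(audit_socket(0o140666, deduce("neutron", "neutron", "neutron", "neutron")))
```

The ordering of the three rules matters: a proxy running as root or as the agent's own user is placed in the `user` branch first, so the socket stays owner-only even if the group also matches. The audit function is the check an operator would run against the live socket after changing metadata_proxy_user: it flags write bits that are wider than the deduced mode, and reminds that `all` mode, the only one that lets an unrelated user such as nobody connect, also lets any other local process connect.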
** Changed in: neutron
Status: In Progress => Fix Committed
--
You received this bug notification because you are a member of OpenStack
Security Group, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1427228
Title:
Allow to run neutron-ns-metadata-proxy as nobody
Status in OpenStack Neutron (virtual network service):
Fix Committed
Bug description:
Currently neutron-ns-metadata-proxy runs with neutron user/group
permissions on l3-agent, but we should allow running it with fewer
permissions, as the neutron user is allowed to run neutron-rootwrap. We
should restrict neutron-ns-metadata-proxy permissions as much as
possible, as it is reachable from VMs.
To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1427228/+subscriptions