[Openstack-security] [Bug 1427228] Re: Allow to run neutron-ns-metadata-proxy as nobody

OpenStack Infra 1427228 at bugs.launchpad.net
Mon Apr 6 21:12:41 UTC 2015 

Reviewed:  https://review.openstack.org/165115
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=80bea7a38670620934faafd5f583fe6164b9f9b3
Submitter: Jenkins
Branch:    master

commit 80bea7a38670620934faafd5f583fe6164b9f9b3
Author: Cedric Brandily <zzelle at gmail.com>
Date:   Tue Mar 17 15:20:07 2015 +0000

    Allow metadata proxy running with nobody user/group
    
    Currently metadata proxy cannot run with nobody user/group as metadata
    proxy requires to connect to metadata_proxy_socket when queried.
    
    This change allows to run metadata proxy with nobody user/group by
    allowing to choose the metadata_proxy_socket mode with the new option
    metadata_proxy_socket_mode (4 choices) in order to adapt socket
    permissions to metadata proxy user/group.
    
    This change refactors also where options are defined to enable
    metadata_proxy_user/group options in the metadata agent.
    
    In practice:
    * if metadata_proxy_user is agent effective user or root, then:
      * metadata proxy is allowed to use rootwrap (unsecure)
      * set metadata_proxy_socket_mode = user (0o644)
    * else if metadata_proxy_group is agent effective group, then:
      * metadata proxy is not allowed to use rootwrap (secure)
      * set metadata_proxy_socket_mode = group (0o664)
      * set metadata_proxy_log_watch = false
    * else:
      * metadata proxy has lowest permissions (securest) but metadata proxy
        socket can be opened by everyone
      * set metadata_proxy_socket_mode = all (0o666)
      * set metadata_proxy_log_watch = false
    
    An alternative is to set metadata_proxy_socket_mode = deduce, in such
    case metadata agent uses previous rules to choose the correct mode.
    
    DocImpact
    Closes-Bug: #1427228
    Change-Id: I235a0cc4f0cbd55ae4ec1570daf2ebbb6a72441d


** Changed in: neutron
       Status: In Progress => Fix Committed

-- 
You received this bug notification because you are a member of OpenStack
Security Group, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1427228

Title:
  Allow to run neutron-ns-metadata-proxy as nobody

Status in OpenStack Neutron (virtual network service):
  Fix Committed

Bug description:
  Currently neutron-ns-metadata-proxy runs with neutron user/group
  permissions on l3-agent but we should allow to run it with less
  permissions as neutron user is allowed to run neutron-rootwrap. We
  should restrict as much as possible neutron-ns-metadata-proxy
  permissions as it's reachable from VMs.

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1427228/+subscriptions

More information about the Openstack-security mailing list