[Openstack-security] [Bug 1187107] Fix merged to neutron (master)
OpenStack Infra
1187107 at bugs.launchpad.net
Mon Jan 5 21:27:56 UTC 2015
Reviewed: https://review.openstack.org/136840
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=b78c5e54abd10fc71a46788110f9f36e6496414e
Submitter: Jenkins
Branch: master
commit b78c5e54abd10fc71a46788110f9f36e6496414e
Author: Cedric Brandily <zzelle at gmail.com>
Date: Mon Nov 24 15:53:04 2014 +0000
Do not run neutron-ns-metadata-proxy as root on L3 agent
Currently neutron-ns-metadata-proxy runs with root permissions when
namespaces are enabled on the l3 agent, because root permissions are
required to "enter" the namespace. But neutron-ns-metadata-proxy
permissions should be reduced as much as possible because it is
reachable from VMs.
This change makes it possible to change neutron-ns-metadata-proxy
permissions after its startup through two new options, metadata_proxy_user
and metadata_proxy_group, which define the user/group running the metadata
proxy after its initialization. Their default values are the
neutron-l3-agent effective user and group.
The permissions drop is done after the metadata proxy daemon writes its
pid to its pidfile (which could be disallowed after the permissions drop).
Using nobody as metadata_proxy_user/group (more secure) is currently
not supported because:
* nobody does not have permission to connect to the metadata socket,
* nobody does not have permission to log to a file, because neutron uses
WatchedFileHandler (which requires read/write permissions after the
permissions drop).
This limitation will be addressed in a follow-up change.
DocImpact
Partial-Bug: #1187107
Change-Id: I55c8c3fb14ed91ae8570f98f19c2cdbaf89d42fc
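The ordering the commit message describes (write the pidfile while still root, then switch to metadata_proxy_user/group) and the two things the target user must still be able to do afterwards (reopen the log file, connect to the metadata unix socket), as an added example. This is not neutron's code: the function names, the pre-flight `allows_write` check and the temp-dir fixture in `demo()` are hypothetical and constructed here, and the check uses classic owner/group/other bits only.

```python
"""Hypothetical privilege-drop sequence for a metadata-proxy-like daemon.

Added example, not neutron's code. It mirrors the order described in the
change above (pidfile first, then drop to metadata_proxy_user/group) and adds
a pre-flight check for the two permissions the commit message says the target
user still needs: writing the log file and connecting to the metadata socket.
"""
import grp
import os
import pwd
import socket
import tempfile


def resolve_ids(user, group):
    """Accept a name or a numeric id, as an option like metadata_proxy_user would."""
    uid = int(user) if str(user).isdigit() else pwd.getpwnam(user).pw_uid
    gid = int(group) if str(group).isdigit() else grp.getgrnam(group).gr_gid
    return uid, gid


def allows_write(path, uid, gid, mode=os.W_OK):
    """Would (uid, gid) be allowed to open `path` for writing? For a unix socket
    that is the permission connect() needs on the socket inode.

    Simplified on purpose (assumption): owner/group/other bits only, no
    supplementary groups, no POSIX ACLs. uid 0 bypasses DAC, so it always passes.
    """
    if uid == 0:
        return True
    st = os.stat(path)
    if st.st_uid == uid:
        shift = 6
    elif st.st_gid == gid:
        shift = 3
    else:
        shift = 0
    return bool(st.st_mode & (mode << shift))


def write_pidfile(pidfile):
    """Step 1, done while still privileged: the pid directory under the agent's
    state_path is typically not writable by the unprivileged target user."""
    with open(pidfile, "w") as fh:
        fh.write("%d\n" % os.getpid())


def drop_privileges(uid, gid):
    """Step 2: supplementary groups, then gid, then uid. Once the effective uid
    is unprivileged, setgroups()/setgid() would fail, so the order matters."""
    if os.geteuid() == 0:
        os.setgroups([])
    os.setgid(gid)
    os.setuid(uid)
    if uid != 0:
        # The drop must be irreversible: regaining root has to fail.
        try:
            os.setuid(0)
        except PermissionError:
            pass
        else:
            raise RuntimeError("privilege drop was reversible")
    return os.getuid(), os.getgid()


def start_proxy(pidfile, log_file, metadata_socket, user=None, group=None):
    """Run the startup sequence; defaults to the caller's own effective ids,
    as the options described above default to the l3 agent's."""
    uid, gid = resolve_ids(os.geteuid() if user is None else user,
                           os.getegid() if group is None else group)
    write_pidfile(pidfile)
    access = {
        "log_writable": allows_write(log_file, uid, gid),
        "socket_connectable": allows_write(metadata_socket, uid, gid),
    }
    if not all(access.values()):
        # Failing before the drop beats a proxy that silently stops logging
        # or can no longer reach the metadata agent.
        raise PermissionError("uid %d/gid %d cannot use: %s" % (uid, gid, access))
    drop_privileges(uid, gid)
    with open(pidfile) as fh:
        pidfile_pid = int(fh.read())
    access.update(uid=os.getuid(), gid=os.getgid(), pid_ok=pidfile_pid == os.getpid())
    return access


def demo():
    """Constructed fixture: a log file and a listening unix socket in a temp
    dir, then the sequence run against the caller's own uid/gid (the only drop
    a non-root caller is permitted, and a no-op one)."""
    workdir = tempfile.mkdtemp()
    log_file = os.path.join(workdir, "neutron-ns-metadata-proxy.log")
    open(log_file, "w").close()
    os.chmod(log_file, 0o640)            # owner rw, group r: like a root-owned log
    sock_path = os.path.join(workdir, "metadata_proxy")
    listener = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    listener.bind(sock_path)
    os.chmod(sock_path, 0o660)           # group members may connect
    me, my_gid = os.getuid(), os.getgid()
    result = start_proxy(os.path.join(workdir, "router.pid"), log_file, sock_path, me, my_gid)
    # What 'nobody'-style ids (neither owner nor group) would get: the
    # limitation the commit message describes.
    result["stranger_can_log"] = allows_write(log_file, me + 1, my_gid + 1)
    result["group_member_can_connect"] = allows_write(sock_path, me + 1, my_gid)
    listener.close()
    return result


if __name__ == "__main__":
    print(demo())
```

Run it as an ordinary user and the drop is a no-op to your own ids; run it as root with a different `user`/`group` and it will refuse to continue if that account could not reopen the log or connect to the socket, which is exactly the situation that currently rules out nobody.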
--
You received this bug notification because you are a member of OpenStack
Security Group, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1187107
Title:
quantum-ns-metadata-proxy runs as root
Status in OpenStack Neutron (virtual network service):
In Progress
Bug description:
# ps -ef | grep quantum-ns-metadata-proxy
root 10239 1 0 19:01 ? 00:00:00 python /usr/bin/quantum-ns-metadata-proxy --pid_file=/var/lib/quantum/external/pids/7a44de32-3ac0-4f3e-92cc-1a37d8211db8.pid --router_id=7a44de32-3ac0-4f3e-92cc-1a37d8211db8 --state_path=/var/lib/quantum --debug --log-file=quantum-ns-metadata-proxy7a44de32-3ac0-4f3e-92cc-1a37d8211db8.log --log-dir=/var/log/quantum
Root is needed to open the namespace, but the quantum-ns-metadata-proxy does not need root: it listens on 9697 by default, not 80.
I tried changing /etc/quantum/rootwrap.d/l3.filters for it to run as
quantum instead:
metadata_proxy: CommandFilter, /usr/bin/quantum-ns-metadata-proxy, quantum
but it still runs as root.
To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1187107/+subscriptions