[openstack-dev] [kolla] Kolla configuration files owner and permission

lương hữu tuấn tuantuluong at gmail.com
Wed Aug 24 09:24:06 UTC 2016


Hi Jeffrey,

You are right about the rootwrap file, since it is the root wrapper of the
specific service, e.g. nova. Then we should set it to root:root, with only
the owner able to write.

However, for a config file such as nova.conf, or in this case e.g. kolla.conf,
it should be kolla:kolla with only the owner able to write as well, i.e. 644,
since the kolla service runs as the kolla user; it is the same with other
services in OpenStack.

For the folder, e.g. /etc/kolla or /etc/nova, it should also be
readable/writable/executable by the kolla user and kolla group, since the kolla
service running as the kolla user should have permission to get information
from kolla.conf.

Br,

Tuan

On Wed, Aug 24, 2016 at 3:22 AM, Jeffrey Zhang <zhang.lei.fly at gmail.com> wrote:

> Using the same user for running the service and for the configuration files
> is dangerous, i.e. the service's running user shouldn't be able to change the
> configuration files.
>
> A simple attack would be:
> * a hacker hacked into the nova-api container as the nova user
> * he can change the /etc/nova/rootwrap.conf file and the
> /etc/nova/rootwrap.d file, through which he can get much greater authority
> with sudo
> * he can also change the /etc/nova/nova.conf file to use another
> privsep_command.helper_command to get greater authority:
>     [privsep_entrypoint]
>     helper_command=sudo nova-rootwrap /etc/nova/rootwrap.conf privsep-helper --config-file /etc/nova/nova.conf
>
> So the right rule should be: do not let the service's running user have
> write permission to the configuration files.
>
> As for the nova.conf file, I think root:root with 644 permission
> or root:nova with 640 should be enough;
> for the directory, root:root with 755 or root:nova with 750
> should be enough.
>
> On Tue, Aug 23, 2016 at 11:11 PM, Steven Dake (stdake) <stdake at cisco.com> wrote:
> >
> > On 8/23/16, 7:05 AM, "Gerard Braad" <me at gbraad.nl> wrote:
> >
> >>On Tue, Aug 23, 2016 at 9:56 PM, lương hữu tuấn <tuantuluong at gmail.com> wrote:
> >>> I also prefer a dedicated user ("kolla" seems the best choice) as same
> >>> On Tue, Aug 23, 2016 at 3:51 PM, Paul Bourke <paul.bourke at oracle.com> wrote:
> >>>> In my experience operators prefer a dedicated user (kolla:kolla), though I
> >>
> >>kolla:kolla seems more logical and simpler to reason about.
> >>
> >
> > kolla:kolla still works with the multi-user approach and permissions 660 on /etc/kolla files.
> >
> > Regards
> > -steve
> >
> >>
> >>--
> >>
> >>   Gerard Braad | http://gbraad.nl
> >>   [ Doing Open Source Matters ]
> >>
> >>__________________________________________________________________________
> >>OpenStack Development Mailing List (not for usage questions)
> >>Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
> >>http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
>
>
> --
> Regards,
> Jeffrey Zhang
> Blog: http://xcodest.me
>
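As an added illustration of the rule Jeffrey states in the quoted message above (the service's running user must not be able to write its own configuration files or directories), the following Python audit is example code written for this page; it is not Kolla project code and not from any participant in the thread. It encodes plain DAC semantics (owner class, then group class, then other) and checks a list of ownership/mode records against a given service uid and group set. The uid/gid numbers, the sample entries and their paths are constructed for the example; `scan_tree()` builds the same records from a real tree such as /etc/nova so the check can be run on a host.

```python
import os
import stat
from typing import Iterable, List, NamedTuple, Set

# Constructed ids for the example. On a real host resolve them with
# pwd.getpwnam("nova").pw_uid and grp.getgrnam("nova").gr_gid.
ROOT_UID, ROOT_GID = 0, 0
SVC_UID, SVC_GID = 1001, 1001


class Entry(NamedTuple):
    path: str
    uid: int
    gid: int
    mode: int      # permission bits only, e.g. 0o640
    is_dir: bool


def user_can_write(uid: int, gids: Set[int], entry: Entry) -> bool:
    """True if a non-root user with this uid and group set could write the
    entry. Only one permission class applies: owner if the uid matches,
    else group if any gid matches, else other."""
    if entry.uid == uid:
        return bool(entry.mode & stat.S_IWUSR)
    if entry.gid in gids:
        return bool(entry.mode & stat.S_IWGRP)
    return bool(entry.mode & stat.S_IWOTH)


def audit(entries: Iterable[Entry], svc_uid: int, svc_gids: Set[int]) -> List[str]:
    """One finding per file or directory the service user could modify.
    A writable directory counts too: it lets the user replace or rename
    files inside it even if the files themselves are read-only."""
    findings = []
    for e in entries:
        if user_can_write(svc_uid, svc_gids, e):
            kind = "directory" if e.is_dir else "file"
            findings.append(
                f"{e.path}: {kind} writable by service user "
                f"(owner {e.uid}:{e.gid}, mode {e.mode:04o})"
            )
    return findings


def scan_tree(root: str) -> List[Entry]:
    """Build Entry records from a real config tree (e.g. /etc/nova)."""
    out = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for p in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
            st = os.lstat(p)
            out.append(Entry(p, st.st_uid, st.st_gid,
                             stat.S_IMODE(st.st_mode), stat.S_ISDIR(st.st_mode)))
    return out


# Constructed sample modelling the layouts discussed in the thread.
SAMPLE = [
    # root-owned, service group read-only: passes the rule
    Entry("/etc/nova", ROOT_UID, SVC_GID, 0o750, True),
    Entry("/etc/nova/nova.conf", ROOT_UID, SVC_GID, 0o640, False),
    Entry("/etc/nova/rootwrap.conf", ROOT_UID, ROOT_GID, 0o644, False),
    # service-owned directory and file: the owner write bit fails the rule
    Entry("/etc/kolla", SVC_UID, SVC_GID, 0o755, True),
    Entry("/etc/kolla/kolla.conf", SVC_UID, SVC_GID, 0o644, False),
    # root-owned but group-writable by the service group (660): also fails
    Entry("/etc/kolla/globals.yml", ROOT_UID, SVC_GID, 0o660, False),
]


def audit_sample() -> List[str]:
    """Run the audit over the constructed sample as the service user."""
    return audit(SAMPLE, SVC_UID, {SVC_GID})


if __name__ == "__main__":
    for line in audit_sample():
        print(line)
```

Against the sample, the three /etc/nova entries (root:root 644, root:nova 640, directory root:nova 750) produce no finding, while the service-owned 644 file, the service-owned 755 directory and the root:svc 660 file are each reported. The check is deliberately limited to classic mode bits; ACLs and capabilities would need a separate pass.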