Commit 46f6fb34 authored by Hrvoje Ribicic's avatar Hrvoje Ribicic

Introduce separate user for metad with port capabilities

The metadata daemon was previously running as root due to its need to
open port 80 to provide information to instances. To allow the daemon
to run in a more secure way, this patch adds a separate metadata user,
and grants the metad executable the CAP_NET_BIND_SERVICE capability.
As a result, the metadata daemon can use the port 80 without having to
acquire the full set of root capabilities and drop it later.
Signed-off-by: default avatarHrvoje Ribicic <riba@google.com>
Reviewed-by: default avatarKlaus Aehlig <aehlig@google.com>
parent 34244e0f
......@@ -2360,6 +2360,8 @@ src/AutoConf.hs: Makefile src/AutoConf.hs.in $(PRINT_PY_CONSTANTS) \
-DNODED_GROUP="$(NODED_GROUP)" \
-DMOND_USER="$(MOND_USER)" \
-DMOND_GROUP="$(MOND_GROUP)" \
-DMETAD_USER="$(METAD_USER)" \
-DMETAD_GROUP="$(METAD_GROUP)" \
-DDISK_SEPARATOR="$(DISK_SEPARATOR)" \
-DQEMUIMG_PATH="$(QEMUIMG_PATH)" \
-DXEN_CMD="$(XEN_CMD)" \
......@@ -2453,6 +2455,7 @@ $(REPLACE_VARS_SED): $(SHELL_ENV_INIT) Makefile stamp-directories
echo 's#@''GNTLUXIDUSER@#$(LUXID_USER)#g'; \
echo 's#@''GNTNODEDUSER@#$(NODED_USER)#g'; \
echo 's#@''GNTMONDUSER@#$(MOND_USER)#g'; \
echo 's#@''GNTMETADUSER@#$(METAD_USER)#g'; \
echo 's#@''GNTRAPIGROUP@#$(RAPI_GROUP)#g'; \
echo 's#@''GNTADMINGROUP@#$(ADMIN_GROUP)#g'; \
echo 's#@''GNTCONFDGROUP@#$(CONFD_GROUP)#g'; \
......@@ -2461,6 +2464,7 @@ $(REPLACE_VARS_SED): $(SHELL_ENV_INIT) Makefile stamp-directories
echo 's#@''GNTLUXIDGROUP@#$(LUXID_GROUP)#g'; \
echo 's#@''GNTMASTERDGROUP@#$(MASTERD_GROUP)#g'; \
echo 's#@''GNTMONDGROUP@#$(MOND_GROUP)#g'; \
echo 's#@''GNTMETADGROUP@#$(METAD_GROUP)#g'; \
echo 's#@''GNTDAEMONSGROUP@#$(DAEMONS_GROUP)#g'; \
echo 's#@''CUSTOM_ENABLE_MOND@#$(ENABLE_MOND)#g'; \
echo 's#@''MODULES@#$(strip $(lint_python_code))#g'; \
......
......@@ -337,7 +337,7 @@ AC_ARG_WITH([user-prefix],
[ to change the default)]
)],
[user_masterd="${withval}masterd";
user_metad="$user_default";
user_metad="${withval}metad";
user_rapi="${withval}rapi";
user_confd="${withval}confd";
user_wconfd="${withval}masterd";
......@@ -363,6 +363,7 @@ AC_SUBST(KVMD_USER, $user_kvmd)
AC_SUBST(LUXID_USER, $user_luxid)
AC_SUBST(NODED_USER, $user_noded)
AC_SUBST(MOND_USER, $user_mond)
AC_SUBST(METAD_USER, $user_metad)
# --with-group-prefix=...
AC_ARG_WITH([group-prefix],
......@@ -378,7 +379,7 @@ AC_ARG_WITH([group-prefix],
group_kvmd="$group_default";
group_luxid="${withval}luxid";
group_masterd="${withval}masterd";
group_metad="$group_default";
group_metad="${withval}metad";
group_noded="$group_default";
group_daemons="${withval}daemons";
group_mond="$group_default"],
......@@ -404,6 +405,7 @@ AC_SUBST(METAD_GROUP, $group_metad)
AC_SUBST(NODED_GROUP, $group_noded)
AC_SUBST(DAEMONS_GROUP, $group_daemons)
AC_SUBST(MOND_GROUP, $group_mond)
AC_SUBST(METAD_GROUP, $group_metad)
# Print the config to the user
AC_MSG_NOTICE([Running ganeti-masterd as $group_masterd:$group_masterd])
......
......@@ -108,12 +108,27 @@ _daemon_usergroup() {
mond)
echo "@GNTMONDUSER@:@GNTMONDGROUP@"
;;
metad)
echo "@GNTMETADUSER@:@GNTMETADGROUP@"
;;
*)
echo "root:@GNTDAEMONSGROUP@"
;;
esac
}
# Specifies the additional capabilities needed by individual daemons
_daemon_caps() {
case "$1" in
metad)
echo "cap_net_bind_service=+ep"
;;
*)
echo ""
;;
esac
}
# Checks whether the local machine is part of a cluster
check_config() {
local server_pem=$DATA_DIR/server.pem
......@@ -280,6 +295,12 @@ start() {
@PKGLIBDIR@/ensure-dirs
# Grant capabilities to daemons that need them
local daemoncaps=$(_daemon_caps $plain_name)
if [[ "$daemoncaps" != "" ]]; then
setcap $daemoncaps $(readlink -f $daemonexec)
fi
if type -p start-stop-daemon >/dev/null; then
start-stop-daemon --start --quiet --oknodo \
--pidfile $pidfile \
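Review bot: The exit status of the new `setcap` call in start() is ignored, so if setcap is missing from PATH or the filesystem holding the daemon binary does not carry file capabilities, ganeti-metad is still started as the unprivileged @GNTMETADUSER@ and only fails later when it tries to bind port 80, with nothing in the log tying that failure back to the missing capability. Make the grant a hard requirement, e.g. `setcap "$daemoncaps" "$(readlink -f "$daemonexec")" || { echo "Cannot grant $daemoncaps to $daemonexec" >&2; return 1; }`, using whatever error convention start() applies elsewhere (its body continues outside the hunk, as does the body of _daemon_usergroup above). The guard itself reads better as `if [[ -n "$daemoncaps" ]]; then`, and quoting `$daemonexec` inside the `readlink -f` avoids word splitting on paths with spaces. A brief comment in _daemon_caps that the returned string is in setcap's cap_from_text syntax and is applied to the resolved binary path on every start would also help the next maintainer.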
......
......@@ -6,9 +6,12 @@ PartOf = ganeti-noded.target
[Service]
Type = simple
Group = @GNTDAEMONSGROUP@
User = @GNTMETADUSER@
Group = @GNTMETADGROUP@
ExecStart = @SBINDIR@/ganeti-metad -f
Restart = on-failure
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
Capabilities=cap_net_bind_service+=ep
# ganeti-metad is started on-demand by noded, so there must be no Install
# section.
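Review bot: With `User = @GNTMETADUSER@` now set, the new `Capabilities=` line does not by itself give the process CAP_NET_BIND_SERVICE in its effective set; that still depends on the ganeti-metad binary carrying the file capability, which this commit applies only from daemon-util's start(), so if systemd ever launches the unit directly the bind to port 80 presumably fails (worth confirming against how noded starts the service). Newer systemd versions provide `AmbientCapabilities=` for exactly this non-root case, and `Capabilities=` has since been removed there, so the unit would benefit from a comment recording which mechanism it relies on. The capability string is also spelled differently here (`cap_net_bind_service+=ep`) than in daemon-util (`cap_net_bind_service=+ep`); unless both forms are known to be accepted, unify on the setcap spelling. Finally, the two added lines use `Key=Value` while the rest of the file uses `Key = Value`, e.g. `CapabilityBoundingSet = CAP_NET_BIND_SERVICE`.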
......@@ -4,6 +4,7 @@
@GNTLUXIDUSER@ @GNTDAEMONSGROUP@
@GNTRAPIUSER@ @GNTDAEMONSGROUP@
@GNTMONDUSER@ @GNTDAEMONSGROUP@
@GNTMETADUSER@ @GNTDAEMONSGROUP@
@GNTMASTERUSER@ @GNTADMINGROUP@
@GNTRAPIUSER@ @GNTADMINGROUP@
@GNTMASTERUSER@ @GNTCONFDGROUP@
......
......@@ -6,3 +6,4 @@
@GNTWCONFDGROUP@
@GNTLUXIDGROUP@
@GNTMONDGROUP@
@GNTMETADGROUP@
......@@ -4,4 +4,5 @@
@GNTWCONFDUSER@ @GNTWCONFDGROUP@
@GNTLUXIDUSER@ @GNTLUXIDGROUP@
@GNTMONDUSER@ @GNTMONDGROUP@
@GNTMETADUSER@ @GNTMETADGROUP@
@GNTNODEDUSER@