From d70571bb9b1c50071773024c0c4675058a603219 Mon Sep 17 00:00:00 2001
From: Iustin Pop <iustin@google.com>
Date: Fri, 8 Feb 2013 15:47:07 +0100
Subject: [PATCH] Update the security document for Ganeti 2.7
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This should address 359, but I'm not sure if it covers all of 2.7…

Signed-off-by: Iustin Pop <iustin@google.com>
Reviewed-by: Michael Hanselmann <hansmi@google.com>
---
 doc/security.rst | 51 ++++++++++++++++++++++++++++++++++++++++++++++--
 1 file changed, 49 insertions(+), 2 deletions(-)

diff --git a/doc/security.rst b/doc/security.rst
index 14e93c4a3..4b4e9765d 100644
--- a/doc/security.rst
+++ b/doc/security.rst
@@ -50,10 +50,38 @@ on this node; the RPC method will run only: drbd devices, start/stop instances, etc; - run well-defined SSH commands on other nodes in the cluster - scripts under the ``/etc/ganeti/hooks`` directory +- scripts under the ``/etc/ganeti/restricted-commands`` directory, if + this feature has been enabled at build time (see below) It is therefore important to make sure that the contents of the -``/etc/ganeti/hooks`` directory is supervised and only trusted sources -can populate it. +``/etc/ganeti/hooks`` and ``/etc/ganeti/restricted-commands`` +directories are supervised and only trusted sources can populate them. + +Restricted commands +~~~~~~~~~~~~~~~~~~~ + +The restricted commands feature is new in Ganeti 2.7. It enables the +administrator to run any commands in the +``/etc/ganeti/restricted-commands`` directory, if the feature has been +enabled at build time, subject to the following restrictions: + +- No parameters may be passed +- No absolute or relative path may be passed, only a filename +- The ``/etc/ganeti/restricted-commands`` directory must + be owned by root:root and have mode 0755 or stricter +- Executables must be regular files or symlinks, and must be executable + by root:root + +Note that it's not possible to list the contents of the directory, and +there is an intentional delay when trying to execute a non-existing +command (to slow-down dictionary attacks). + +Since for Ganeti itself this functionality is not needed, and is only +provided as a way to help administrate or recover nodes, it is a local +site decision whether to enable or not the restricted commands feature. + +By default, this feature is disabled. + Cluster issues -------------- 
@@ -94,6 +122,25 @@ before serving requests. This permission-based protection is documented and works on Linux, but is not-portable; however, Ganeti doesn't work on non-Linux system at the moment. +Conf daemon +----------- + +In Ganeti 2.7, the ``confd`` daemon (if enabled at build time), serves +both network-originated queries (about the static configuration) and +local (UNIX socket) queries (about the run-time configuration; answering +these means talking to other cluster nodes, which makes use of the +internal RPC SSL certificate). This makes it a bit more sensitive to +bugs (a remote attacker could get direct access to the intra-cluster +RPC), so to harden security it's recommended to: + +- disable confd at build time if it's not needed in your setup +- otherwise, configure Ganeti (at build time) to use separate users, so + that the confd daemon doesn't also have access to the server SSL/TLS + certificates + +It is planned to split the two functionalities (local/remote querying) +of confd into two separate daemons in a future Ganeti version. + Remote API ---------- -- GitLab
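Review bot: in the first hunk (the new "Restricted commands" section), the restrictions list gives an ownership and mode requirement for the ``/etc/ganeti/restricted-commands`` directory but for the executables only says they "must be executable by root:root", which leaves open whether they must also be owned by root and whether group- or world-writable executables are rejected; suggest stating the ownership and permission rule for the executables explicitly, mirroring the directory rule, so that an administrator can verify the setup rather than guess. Two wording points in the same hunk: "to slow-down dictionary attacks" should read "to slow down dictionary attacks", and "whether to enable or not the restricted commands feature" reads better as "whether or not to enable the restricted commands feature". The section also says "enabled at build time" three times without naming the build option; one mention of the actual configure switch would make the advice actionable.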
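Review bot: in the second hunk (the new "Conf daemon" section), the sentence "the ``confd`` daemon (if enabled at build time), serves both..." has a stray comma after the parenthesis; drop it. The second recommendation, "configure Ganeti (at build time) to use separate users, so that the confd daemon doesn't also have access to the server SSL/TLS certificates", would be more useful if it named the build option that selects separate users and said which user confd then runs as, since the reader cannot otherwise check that the hardening is in effect. It would also help to state explicitly that the risk described (remote access to the intra-cluster RPC) requires a bug in confd, as the surrounding text implies but the bullet list does not, so that readers do not read the default configuration as already exposed.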