Zameer Manji created AURORA-1753:
------------------------------------
Summary: Thermos does not kill processes that setuid to another user.
Key: AURORA-1753
URL: https://issues.apache.org/jira/browse/AURORA-1753
Project: Aurora
Issue Type: Bug
Reporter: Zameer Manji
Core thermos has a heuristic to ensure it does not kill processes that it did not launch (the pid may have been reused after pid-space wrapping). The code is below:
{noformat}
# Imports as used by the Thermos module this classmethod is taken from.
import psutil
from twitter.common import log
from twitter.common.quantity import Time

  @classmethod
  def this_is_really_our_pid(cls, process, uid, user, start_time):
    """
      A heuristic to make sure that this is likely the pid that we own/forked.  Necessary
      because of pid-space wrapping.  We don't want to go and kill processes we don't own,
      especially if the killer is running as root.

      process: psutil.Process representing the process to check
      uid: uid expected to own the process (or None if not available)
      user: username expected to own the process
      start_time: time at which it's expected the process has started

      Raises:
        psutil.NoSuchProcess - if the Process supplied no longer exists
    """
    process_create_time = process.create_time()

    # Reject if the process started too far from when we forked it (pid reuse).
    if abs(start_time - process_create_time) >= cls.MAX_START_TIME_DRIFT.as_(Time.SECONDS):
      log.info("Expected pid %s start time to be %s but it's %s" % (
          process.pid, start_time, process_create_time))
      return False

    if uid is not None:
      # If the uid was provided, it is gospel, so do not consider user.
      try:
        uids = process.uids()
        if uids is None:
          return False
        # The *current* real uid is compared, so a process that setuid()s away
        # from the uid it was launched with fails this check.
        process_uid = uids.real
      except psutil.Error:
        return False

      if process_uid == uid:
        return True
      else:
        log.info("Expected pid %s to be ours but the pid uid is %s and we're %s" % (
            process.pid, process_uid, uid))
        return False

    try:
      process_user = process.username()
    except KeyError:
      return False

    if process_user == user:
      # If the uid was not provided, we must use user -- which is possibly flaky if the
      # user gets deleted from the system, so process_user will be None and we must
      # return False.
      log.info("Expected pid %s to be ours but the pid user is %s and we're %s" % (
          process.pid, process_user, user))
      return True

    return False
{noformat}
Because the check compares the process's current real uid with the uid it was launched under, this code prevents thermos from killing a process that was launched with uid 0 but later uses {{setuid(2)}} to change its user to something else.

A concrete example of this is when one uses Docker and Aurora. A Docker container implicitly triggers the {{--nosetuid}} flag behaviour, which means all processes forked by thermos run as root. A container process could later downgrade itself to another user for security reasons. Doing this means thermos will not kill it when shutting down the container, leaving an orphaned process behind.
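The scenario above, as an added example that is not part of this issue or of the Aurora code base: a constructed stand-in for psutil.Process models a child that is forked as root and then drops privileges, and a restatement of the Thermos heuristic shows the ownership check flipping from True to False after the privilege drop. The second predicate, is_ours_by_lineage, is a hypothetical hardening (not Aurora's fix) that additionally accepts a process whose parent pid is the runner's own pid, while keeping the start-time drift check that guards against pid reuse. FakeProcess, MAX_START_TIME_DRIFT_SECONDS and all pids and uids are constructed values.

```python
from collections import namedtuple

# Constructed stand-in for the psutil uids triple (real, effective, saved).
Uids = namedtuple("Uids", "real effective saved")

# Constructed drift window; Aurora keeps its own MAX_START_TIME_DRIFT constant.
MAX_START_TIME_DRIFT_SECONDS = 30.0


class FakeProcess:
    """Minimal stand-in for psutil.Process (constructed for this example).

    psutil.Error / psutil.NoSuchProcess handling is omitted because this
    stand-in never raises.
    """

    def __init__(self, pid, create_time, uid, username, ppid):
        self.pid = pid
        self._create_time = create_time
        self._uid = uid
        self._username = username
        self._ppid = ppid

    def create_time(self):
        return self._create_time

    def uids(self):
        return Uids(self._uid, self._uid, self._uid)

    def username(self):
        return self._username

    def ppid(self):
        return self._ppid

    def setuid(self, uid, username):
        """Model setuid(2): the real uid changes, pid and start time do not."""
        self._uid = uid
        self._username = username


def this_is_really_our_pid(process, uid, user, start_time):
    """Restatement of the Thermos heuristic quoted in the issue."""
    if abs(start_time - process.create_time()) >= MAX_START_TIME_DRIFT_SECONDS:
        return False  # started too far from our fork time: likely a reused pid
    if uid is not None:
        # uid is gospel: compares the process's *current* real uid
        return process.uids().real == uid
    return process.username() == user


def is_ours_by_lineage(process, uid, user, start_time, runner_pid):
    """Hypothetical hardened check (not Aurora's): a process that passed the
    drift test and is still a direct child of the runner is ours even if its
    uid no longer matches, because it may simply have dropped privileges."""
    if this_is_really_our_pid(process, uid, user, start_time):
        return True
    within_drift = abs(start_time - process.create_time()) < MAX_START_TIME_DRIFT_SECONDS
    return within_drift and process.ppid() == runner_pid


def demonstrate():
    """Walk through the issue's scenario; returns the four check results."""
    runner_pid = 4000
    started = 1000.0  # time at which the runner forked the child
    proc = FakeProcess(pid=4242, create_time=started + 0.5, uid=0,
                       username="root", ppid=runner_pid)

    before = this_is_really_our_pid(proc, 0, "root", started)   # True
    proc.setuid(1001, "app")                                     # privilege drop
    after = this_is_really_our_pid(proc, 0, "root", started)    # False: the bug
    lineage = is_ours_by_lineage(proc, 0, "root", started, runner_pid)  # True

    # A different process that reused pid 4242 an hour later is still rejected
    # by both checks because of the start-time drift guard.
    reused = FakeProcess(pid=4242, create_time=started + 3600, uid=0,
                         username="root", ppid=runner_pid)
    stranger = is_ours_by_lineage(reused, 0, "root", started, runner_pid)  # False
    return before, after, lineage, stranger


if __name__ == "__main__":
    print(demonstrate())
```

The lineage check only helps while the runner is the live parent; if the forking process exits, its children are reparented (to init or a subreaper) and the ppid comparison no longer identifies them, so a real implementation would want a stronger anchor such as a session id or cgroup membership rather than ppid alone.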
--
This message was sent by Atlassian JIRA (v6.3.4#6332)