[ https://issues.apache.org/jira/browse/AURORA-1753?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Zameer Manji reassigned AURORA-1753:
------------------------------------

    Assignee: Zameer Manji

> Thermos does not kill processes that setuid to another user. 
> -------------------------------------------------------------
>
>                 Key: AURORA-1753
>                 URL: https://issues.apache.org/jira/browse/AURORA-1753
>             Project: Aurora
>          Issue Type: Bug
>            Reporter: Zameer Manji
>            Assignee: Zameer Manji
>
> Core thermos has a heuristic to ensure we do not kill processes that were not 
> launched by it. The code is below:
> {noformat}
> import psutil
> from twitter.common import log
> from twitter.common.quantity import Time
>
>   # Method of the thermos runner helper class (not shown); that class defines
>   # MAX_START_TIME_DRIFT as a twitter.common.quantity Amount.
>   @classmethod
>   def this_is_really_our_pid(cls, process, uid, user, start_time):
>     """
>       A heuristic to make sure that this is likely the pid that we own/forked.  Necessary
>       because of pid-space wrapping.  We don't want to go and kill processes we don't own,
>       especially if the killer is running as root.
>       process: psutil.Process representing the process to check
>       uid: uid expected to own the process (or None if not available)
>       user: username expected to own the process
>       start_time: time at which it's expected the process has started
>       Raises:
>         psutil.NoSuchProcess - if the Process supplied no longer exists
>     """
>     process_create_time = process.create_time()
>     if abs(start_time - process_create_time) >= cls.MAX_START_TIME_DRIFT.as_(Time.SECONDS):
>       log.info("Expected pid %s start time to be %s but it's %s" % (
>           process.pid, start_time, process_create_time))
>       return False
>     if uid is not None:
>       # If the uid was provided, it is gospel, so do not consider user.
>       try:
>         uids = process.uids()
>         if uids is None:
>           return False
>         process_uid = uids.real
>       except psutil.Error:
>         return False
>       if process_uid == uid:
>         return True
>       else:
>         log.info("Expected pid %s to be ours but the pid uid is %s and we're %s" % (
>             process.pid, process_uid, uid))
>         return False
>     # If the uid was not provided, we must use user -- which is possibly flaky if the
>     # user gets deleted from the system, so process_user will be None and we must
>     # return False.
>     try:
>       process_user = process.username()
>     except KeyError:
>       return False
>     if process_user == user:
>       return True
>     # Log the mismatch only on the failing path (the posted snippet logged it on success).
>     log.info("Expected pid %s to be ours but the pid user is %s and we're %s" % (
>         process.pid, process_user, user))
>     return False
> {noformat}
> This code prevents thermos from killing a process that was launched with uid 
> 0 but then later uses {{setuid(2)}} to change its user to something else.
> A concrete example of this is when one uses Docker and Aurora. A Docker 
> container implicitly triggers the {{--nosetuid}} flag behaviour which means 
> all processes forked by thermos run as root. A container process could later 
> downgrade itself to another user for security reasons. Doing this means 
> thermos will not kill it when shutting down the container.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
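To make the failure mode concrete, here is an added illustration (not Aurora's code and not the eventual fix for this ticket) that models the uid branch of the heuristic over constructed process records, shows why a root-launched child that called setuid(2) is refused, and contrasts it with a hypothetical lineage-based check that still rejects a pid reused after wrap-around; `ProcInfo`, `MAX_START_TIME_DRIFT_SECONDS` and the parent-pid variant are assumptions made for the example.

```python
import collections

# Constructed stand-in for psutil.Process: only the fields the heuristic consults.
ProcInfo = collections.namedtuple("ProcInfo", "pid create_time real_uid username ppid")

# Hypothetical drift window; the page's code reads this from cls.MAX_START_TIME_DRIFT.
MAX_START_TIME_DRIFT_SECONDS = 2.0


def start_time_matches(proc, start_time):
    """Guard against pid-space wrapping: the pid must have been created when we forked it."""
    return abs(start_time - proc.create_time) < MAX_START_TIME_DRIFT_SECONDS


def is_ours_uid_check(proc, uid, start_time):
    """Mirror of the page's heuristic when a uid is supplied: drift check, then real uid."""
    if not start_time_matches(proc, start_time):
        return False
    return proc.real_uid == uid


def is_ours_parent_check(proc, runner_pid, start_time):
    """Hypothetical alternative: trust lineage rather than current ownership, so a child that
    dropped privileges is still recognised. Caveat: a child re-parented to init after the
    runner exits, or a grandchild, would not match and needs separate handling."""
    if not start_time_matches(proc, start_time):
        return False
    return proc.ppid == runner_pid


def demo():
    """Constructed scenario: thermos (pid 100) forked pid 4242 as root at t=1000."""
    runner_pid, launched_at = 100, 1000.0
    # Forked as root, then called setuid(2) to become uid 1000; pid, ppid and start time unchanged.
    dropped = ProcInfo(pid=4242, create_time=1000.5, real_uid=1000, username="app", ppid=runner_pid)
    # Unrelated root process that picked up pid 4242 after the pid space wrapped.
    wrapped = ProcInfo(pid=4242, create_time=5000.0, real_uid=0, username="root", ppid=1)
    return {
        "uid_check_dropped": is_ours_uid_check(dropped, 0, launched_at),          # False: the bug
        "uid_check_wrapped": is_ours_uid_check(wrapped, 0, launched_at),          # False: correct
        "parent_check_dropped": is_ours_parent_check(dropped, runner_pid, launched_at),  # True
        "parent_check_wrapped": is_ours_parent_check(wrapped, runner_pid, launched_at),  # False
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(name, verdict)
```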
