Re: [openstack-dev] [kolla] Kolla configuration files owner and permission
Oh, my bad for the write permission of nova user. That should not be like this. Thanks Jeffrey. Cheers, T On Wed, Aug 24, 2016 at 2:39 PM, Jeffrey Zhangwrote: > On Wed, Aug 24, 2016 at 5:24 PM, lương hữu tuấn > wrote: > > However, with config file as nova.conf or in this case e.g. kolla.conf, > it > > should be kolla:kolla and only owner can write as well, it means 644 > since > > the kolla service is run under the name of kolla user, it is the same > with > > other services in OpenStack. > > there is no kolla.conf file in any containers. > > > > > With the folder, e.g. /etc/kolla or /etc/nova, it should be also > > read/write/executable with kolla user and kolla group since kolla service > > running with kolla user should have permission to get information from > > kolla.conf. > > for the nova.conf, why the nova user need to write/change the nova.conf > file? > > > > > -- > Regards, > Jeffrey Zhang > Blog: http://xcodest.me > > __ > OpenStack Development Mailing List (not for usage questions) > Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev > __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] [kolla] Kolla configuration files owner and permission
On Wed, Aug 24, 2016 at 5:24 PM, lương hữu tuấnwrote: > However, with config file as nova.conf or in this case e.g. kolla.conf, it > should be kolla:kolla and only owner can write as well, it means 644 since > the kolla service is run under the name of kolla user, it is the same with > other services in OpenStack. there is no kolla.conf file in any containers. > > With the folder, e.g. /etc/kolla or /etc/nova, it should be also > read/write/executable with kolla user and kolla group since kolla service > running with kolla user should have permission to get information from > kolla.conf. for the nova.conf, why the nova user need to write/change the nova.conf file? -- Regards, Jeffrey Zhang Blog: http://xcodest.me __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] [kolla] Kolla configuration files owner and permission
Hi Jeffrey, You are right with the rootwrap file since it is the root wrapper of the specific service, e.g. nova. Then we should permit it as root:root and only the owner can write. However, with config file as nova.conf or in this case e.g. kolla.conf, it should be kolla:kolla and only owner can write as well, it means 644 since the kolla service is run under the name of kolla user, it is the same with other services in OpenStack. With the folder, e.g. /etc/kolla or /etc/nova, it should be also read/write/executable with kolla user and kolla group since kolla service running with kolla user should have permission to get information from kolla.conf. Br, Tuan On Wed, Aug 24, 2016 at 3:22 AM, Jeffrey Zhangwrote: > Using the same user for running service and the configuration files is > danger. i.e. the service running user shouldn't be change the > configuration files. > > a simple attack like: > * a hacker hacked into nova-api container with nova user > * he can change the /etc/nova/rootwrap.conf file and > /etc/nova/rootwrap.d file, which he can get much greater authority > with sudo > * he also can change the /etc/nova/nova.conf file to use another > privsep_command.helper_command to get greater authority > [privsep_entrypoint] > helper_command=sudo nova-rootwrap /etc/nova/rootwrap.conf > privsep-helper --config-file /etc/nova/nova.conf > > So right rule should be: do not let the service running user have > write permission to configuration files, > > about for the nova.conf file, i think root:root with 644 permission > or root:nova with 640 should be enough > for the directory file, root:root with 755 or root:nova with 750 > should be enough. > > On Tue, Aug 23, 2016 at 11:11 PM, Steven Dake (stdake) > wrote: > > > > > > > > > > > > On 8/23/16, 7:05 AM, "Gerard Braad" wrote: > > > >>On Tue, Aug 23, 2016 at 9:56 PM, lương hữu tuấn > wrote: > >>> I also prefer a dedicated user ("kolla" seems the best choice) as same > > On Tue, Aug 23, 2016 at 3:51 PM, Paul Bourke > wrote: > In my experience operators prefer a dedicated user (kolla:kolla), > though I > >> > >>kolla:kolla seems more logical and simpler to reason about. > >> > > > > kolla:kolla still works with multi-user approach and permissions 660 on > /etc/kolla files. > > > > Regards > > -steve > > > >> > >>-- > >> > >> Gerard Braad | http://gbraad.nl > >> [ Doing Open Source Matters ] > >> > >>__ > > >>OpenStack Development Mailing List (not for usage questions) > >>Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject: > unsubscribe > >>http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev > > > __ > > OpenStack Development Mailing List (not for usage questions) > > Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject: > unsubscribe > > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev > > > > -- > Regards, > Jeffrey Zhang > Blog: http://xcodest.me > > __ > OpenStack Development Mailing List (not for usage questions) > Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev > __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] [kolla] Kolla configuration files owner and permission
Using the same user for running service and the configuration files is danger. i.e. the service running user shouldn't be change the configuration files. a simple attack like: * a hacker hacked into nova-api container with nova user * he can change the /etc/nova/rootwrap.conf file and /etc/nova/rootwrap.d file, which he can get much greater authority with sudo * he also can change the /etc/nova/nova.conf file to use another privsep_command.helper_command to get greater authority [privsep_entrypoint] helper_command=sudo nova-rootwrap /etc/nova/rootwrap.conf privsep-helper --config-file /etc/nova/nova.conf So right rule should be: do not let the service running user have write permission to configuration files, about for the nova.conf file, i think root:root with 644 permission or root:nova with 640 should be enough for the directory file, root:root with 755 or root:nova with 750 should be enough. On Tue, Aug 23, 2016 at 11:11 PM, Steven Dake (stdake)wrote: > > > > > > On 8/23/16, 7:05 AM, "Gerard Braad" wrote: > >>On Tue, Aug 23, 2016 at 9:56 PM, lương hữu tuấn wrote: >>> I also prefer a dedicated user ("kolla" seems the best choice) as same > On >>> Tue, Aug 23, 2016 at 3:51 PM, Paul Bourke wrote: In my experience operators prefer a dedicated user (kolla:kolla), though I >> >>kolla:kolla seems more logical and simpler to reason about. >> > > kolla:kolla still works with multi-user approach and permissions 660 on > /etc/kolla files. > > Regards > -steve > >> >>-- >> >> Gerard Braad | http://gbraad.nl >> [ Doing Open Source Matters ] >> >>__ >>OpenStack Development Mailing List (not for usage questions) >>Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe >>http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev > __ > OpenStack Development Mailing List (not for usage questions) > Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev -- Regards, Jeffrey Zhang Blog: http://xcodest.me __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] [kolla] Kolla configuration files owner and permission
On 8/23/16, 7:05 AM, "Gerard Braad"wrote: >On Tue, Aug 23, 2016 at 9:56 PM, lương hữu tuấn wrote: >> I also prefer a dedicated user ("kolla" seems the best choice) as same > On >> Tue, Aug 23, 2016 at 3:51 PM, Paul Bourke wrote: >>> In my experience operators prefer a dedicated user (kolla:kolla), though I > >kolla:kolla seems more logical and simpler to reason about. > kolla:kolla still works with multi-user approach and permissions 660 on /etc/kolla files. Regards -steve > >-- > > Gerard Braad | http://gbraad.nl > [ Doing Open Source Matters ] > >__ >OpenStack Development Mailing List (not for usage questions) >Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe >http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] [kolla] Kolla configuration files owner and permission
On Tue, Aug 23, 2016 at 9:56 PM, lương hữu tuấnwrote: > I also prefer a dedicated user ("kolla" seems the best choice) as same > On > Tue, Aug 23, 2016 at 3:51 PM, Paul Bourke wrote: >> In my experience operators prefer a dedicated user (kolla:kolla), though I kolla:kolla seems more logical and simpler to reason about. -- Gerard Braad | http://gbraad.nl [ Doing Open Source Matters ] __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] [kolla] Kolla configuration files owner and permission
I also prefer a dedicated user ("kolla" seems the best choice) as same as other projects in OpenStack. Cheers, Tuan On Tue, Aug 23, 2016 at 3:51 PM, Paul Bourkewrote: > In my experience operators prefer a dedicated user (kolla:kolla), though I > can't see any major problem with your root:kolla approach. > > > On 23/08/16 14:40, Steven Dake (stdake) wrote: > >> >> >> >> >> >> On 8/23/16, 1:04 AM, "duon...@vn.fujitsu.com" >> wrote: >> >> Hi S.Dake, >>> >>> Hello Kollish, > > I am working on bp ansible-specific-task-become so I need community > opinion about Kolla configuration files owner and permissions. > > For files in "/var/lib/kolla", it's quite clear that the owner should > be 'root' as currently. > > For files in "/etc/kolla": After discussion with S.Dake on IRC, he > recommends /etc/kolla is owned by root and all files in it is 660 > (writable > by a group). > Just to add a bit of clarity, the rationale for this idea is that a group of operators could add themselves to the kolla group on all of the nodes and use their specific ssh keys to operate OpenStack. > This is why the group concept in unix was invented 50 odd years ago ;) >>> >>> I just notice that if the directory has 660, so non-root user cannot >>> access file in this folder. It seems conflict with group purpose. >>> Should it be 770 for folders? >>> >> >> Yes 770 for folders 660 for files seeded by the user ids and their ssh >> keys in the host playbook that is in the review queue. Changes to the host >> playbook in the review queue should come later for this group based model. >> >> The real question is what do operators prefer? Single user (non-root), >> Multi-user (non-root), or Single user (root). >> >> Regards >> -steve >> >>> >>> Regards -steve >>> >>> >>> Best regards, >>> >>> duonghq >>> PODC - Fujitsu Vietnam Ltd. >>> >>> >>> >>> >>> __ >>> OpenStack Development Mailing List (not for usage questions) >>> Unsubscribe: openstack-dev-requ...@lists.op >>> enstack.org?subject:unsubscribe >>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev >>> >> >> __ >> OpenStack Development Mailing List (not for usage questions) >> Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscrib >> e >> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev >> >> > __ > OpenStack Development Mailing List (not for usage questions) > Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev > __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] [kolla] Kolla configuration files owner and permission
In my experience operators prefer a dedicated user (kolla:kolla), though I can't see any major problem with your root:kolla approach. On 23/08/16 14:40, Steven Dake (stdake) wrote: On 8/23/16, 1:04 AM, "duon...@vn.fujitsu.com"wrote: Hi S.Dake, Hello Kollish, I am working on bp ansible-specific-task-become so I need community opinion about Kolla configuration files owner and permissions. For files in "/var/lib/kolla", it's quite clear that the owner should be 'root' as currently. For files in "/etc/kolla": After discussion with S.Dake on IRC, he recommends /etc/kolla is owned by root and all files in it is 660 (writable by a group). Just to add a bit of clarity, the rationale for this idea is that a group of operators could add themselves to the kolla group on all of the nodes and use their specific ssh keys to operate OpenStack. > This is why the group concept in unix was invented 50 odd years ago ;) I just notice that if the directory has 660, so non-root user cannot access file in this folder. It seems conflict with group purpose. Should it be 770 for folders? Yes 770 for folders 660 for files seeded by the user ids and their ssh keys in the host playbook that is in the review queue. Changes to the host playbook in the review queue should come later for this group based model. The real question is what do operators prefer? Single user (non-root), Multi-user (non-root), or Single user (root). Regards -steve Regards -steve Best regards, duonghq PODC - Fujitsu Vietnam Ltd. __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] [kolla] Kolla configuration files owner and permission
On 8/23/16, 1:04 AM, "duon...@vn.fujitsu.com"wrote: >Hi S.Dake, > >>> Hello Kollish, >>> >>> I am working on bp ansible-specific-task-become so I need community opinion >>> about Kolla configuration files owner and permissions. >>> >>> For files in "/var/lib/kolla", it's quite clear that the owner should be >>> 'root' as currently. >>> >>> For files in "/etc/kolla": After discussion with S.Dake on IRC, he >>> recommends /etc/kolla is owned by root and all files in it is 660 (writable >>> by a group). >> >> Just to add a bit of clarity, the rationale for this idea is that a group of >> operators could add themselves to the kolla group on all of the nodes and >> use their specific ssh keys to operate OpenStack. > This is why the group >> concept in unix was invented 50 odd years ago ;) > >I just notice that if the directory has 660, so non-root user cannot access >file in this folder. It seems conflict with group purpose. >Should it be 770 for folders? Yes 770 for folders 660 for files seeded by the user ids and their ssh keys in the host playbook that is in the review queue. Changes to the host playbook in the review queue should come later for this group based model. The real question is what do operators prefer? Single user (non-root), Multi-user (non-root), or Single user (root). Regards -steve > >> Regards >> -steve > > >Best regards, > >duonghq >PODC - Fujitsu Vietnam Ltd. > > > >__ >OpenStack Development Mailing List (not for usage questions) >Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe >http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] [kolla] Kolla configuration files owner and permission
Hi S.Dake, >> Hello Kollish, >> >> I am working on bp ansible-specific-task-become so I need community opinion >> about Kolla configuration files owner and permissions. >> >> For files in "/var/lib/kolla", it's quite clear that the owner should be >> 'root' as currently. >> >> For files in "/etc/kolla": After discussion with S.Dake on IRC, he >> recommends /etc/kolla is owned by root and all files in it is 660 (writable >> by a group). > > Just to add a bit of clarity, the rationale for this idea is that a group of > operators could add themselves to the kolla group on all of the nodes and use > their specific ssh keys to operate OpenStack. > This is why the group > concept in unix was invented 50 odd years ago ;) I just notice that if the directory has 660, so non-root user cannot access file in this folder. It seems conflict with group purpose. Should it be 770 for folders? > Regards > -steve Best regards, duonghq PODC - Fujitsu Vietnam Ltd. __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] [kolla] Kolla configuration files owner and permission
It indeed makes me frightened when i just stopped at the part of "writable by a group" of configuration files and tried myself to figure out what you guys discussing on IRC. Thanks Steve for making clear about "group of operators". Cheers, Tuan On 08/23/2016 07:29 AM, Steven Dake (stdake) wrote: On 8/22/16, 7:24 PM, "duon...@vn.fujitsu.com"wrote: Hello Kollish, I am working on bp ansible-specific-task-become so I need community opinion about Kolla configuration files owner and permissions. For files in "/var/lib/kolla", it's quite clear that the owner should be 'root' as currently. For files in "/etc/kolla": After discussion with S.Dake on IRC, he recommends /etc/kolla is owned by root and all files in it is 660 (writable by a group). Just to add a bit of clarity, the rationale for this idea is that a group of operators could add themselves to the kolla group on all of the nodes and use their specific ssh keys to operate OpenStack. This is why the group concept in unix was invented 50 odd years ago ;) Regards -steve Anybody has idea about this topic? Best regards, Ha Quang Duong (Mr.) PODC - Fujitsu Vietnam Ltd. __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] [kolla] Kolla configuration files owner and permission
On 8/22/16, 7:24 PM, "duon...@vn.fujitsu.com"wrote: >Hello Kollish, > >I am working on bp ansible-specific-task-become so I need community opinion >about Kolla configuration files owner and permissions. > >For files in "/var/lib/kolla", it's quite clear that the owner should be >'root' as currently. > >For files in "/etc/kolla": After discussion with S.Dake on IRC, he recommends >/etc/kolla is owned by root and all files in it is 660 (writable by a group). Just to add a bit of clarity, the rationale for this idea is that a group of operators could add themselves to the kolla group on all of the nodes and use their specific ssh keys to operate OpenStack. This is why the group concept in unix was invented 50 odd years ago ;) Regards -steve > >Anybody has idea about this topic? > >Best regards, > >Ha Quang Duong (Mr.) >PODC - Fujitsu Vietnam Ltd. > > >__ >OpenStack Development Mailing List (not for usage questions) >Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe >http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
[openstack-dev] [kolla] Kolla configuration files owner and permission
Hello Kollish, I am working on bp ansible-specific-task-become so I need community opinion about Kolla configuration files owner and permissions. For files in "/var/lib/kolla", it's quite clear that the owner should be 'root' as currently. For files in "/etc/kolla": After discussion with S.Dake on IRC, he recommends /etc/kolla is owned by root and all files in it is 660 (writable by a group). Anybody has idea about this topic? Best regards, Ha Quang Duong (Mr.) PODC - Fujitsu Vietnam Ltd. __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev