Add new security options (#20)

* Add new security options

* Implementation of notify*_user options

And improved documentation

README.md

@@ -14,7 +14,7 @@ Set up the latest or a specific version of [Keepalived](http://www.keepalived.or
 
 #### Variables
 
-* `keepalived_version` [default: `v1.3.2`]: Keepalived version to install
+* `keepalived_version`: [default: `v1.3.2`]: Keepalived version to install
 
 * `keepalived_install`: [default: `[]`]: Additional packages to install (e.g. `['libnl-3-dev', 'libnl-genl-3-dev', 'libnl-route-3-dev', 'libnfnetlink-dev']`)
 * `keepalived_configure_options`: [default: `[]`]: Options to pass to `./configure`
@@ -23,47 +23,55 @@ Set up the latest or a specific version of [Keepalived](http://www.keepalived.or
 * `keepalived_options.{n}.name`: [required]: Option name (e.g. `log-facility`)
 * `keepalived_options.{n}.value`: [optional]: Option value (e.g. `7`)
 
-* `keepalived_ip_nonlocal_bind` [default: `1`]: Allow to bind to IP addresses that are nonlocal, meaning that they're not assigned to a device on the local system
+* `keepalived_ip_nonlocal_bind`: [default: `1`]: Allow to bind to IP addresses that are nonlocal, meaning that they're not assigned to a device on the local system
 
-* `keepalived_global_defs_notification_email` [default: `['root@localhost.localdomain']`]: Email addresses to send alerts to
-* `keepalived_global_defs_notification_email_from` [default: `'root@localhost.localdomain'`]: From address that will be in header
-* `keepalived_global_defs_smtp_server` [default: `'127.0.0.1'`]: SMTP server IP address
-* `keepalived_global_defs_smtp_connect_timeout` [default: `30`]: SMTP server connect timeout in seconds
+* `keepalived_create_keepalived_script_user`: [default: `false`]: Whether or not to create the `keepalived_script` user, see `keepalived_global_defs_script_user`
 
-* `keepalived_vrrp_script_map` [default: `{}`]: Script declarations
+* `keepalived_global_defs_notification_email`: [default: `['root@localhost.localdomain']`]: Email addresses to send alerts to
+* `keepalived_global_defs_notification_email_from`: [default: `'root@localhost.localdomain'`]: From address that will be in header
+* `keepalived_global_defs_smtp_server`: [default: `'127.0.0.1'`]: SMTP server IP address
+* `keepalived_global_defs_smtp_connect_timeout`: [default: `30`]: SMTP server connect timeout in seconds
+* `keepalived_global_defs_script_user`: [optional]: Specify the default user / group to run scripts under. If group is not specified, the group of the user is used. If this option is not specified, the user defaults to `keepalived_script`. If that user exists, otherwise `root` (since `1.3.0`, e.g. `'nobody nogroup'`, )
+* `keepalived_global_defs_enable_script_security`: [optional]: Don't run scripts configured to be run as `root` if any part of the path is writable by a `non-root` user (since `1.3.0`, e.g. `true`)
+
+* `keepalived_vrrp_script_map`: [default: `{}`]: Script declarations
 * `keepalived_vrrp_script_map.key`: [required]: The identifier of the file (e.g. `check-haproxy`)
 * `keepalived_vrrp_script_map.key.src`: [required]: The local path of the file to copy, can be absolute or relative (e.g. `../../../files/keepalived/usr/local/bin/check-haproxy`)
 * `keepalived_vrrp_script_map.key.dest`: [required]: The remote path of the file to copy (e.g. `/usr/local/bin/check-haproxy`)
 * `keepalived_vrrp_script_map.key.owner`: [optional, default `root`]: The name of the user that should own the file
 * `keepalived_vrrp_script_map.key.group`: [optional, default `root`]:The name of the group that should own the file
 * `keepalived_vrrp_script_map.key.mode`: [optional, default `0750`]: The mode of the file
 
-* `keepalived_vrrp_scripts` [default: `{}`]: VRRP script declarations
+* `keepalived_vrrp_scripts`: [default: `{}`]: VRRP script declarations
 * `keepalived_vrrp_scripts.key`: The name of the VRRP script
 * `keepalived_vrrp_scripts.key.script`: The script to run periodically
-* `keepalived_vrrp_scripts.key.weight`: The check weight to adjust the priority (optional)
-* `keepalived_vrrp_scripts.key.interval`: The check interval in seconds (optional)
+* `keepalived_vrrp_scripts.key.weight`: [optional]: The check weight to adjust the priority
+* `keepalived_vrrp_scripts.key.interval`: [optional]: The check interval in seconds
 
-* `keepalived_vrrp_instances` [default: `{}`]: VRRP instance declarations
+* `keepalived_vrrp_instances`: [default: `{}`]: VRRP instance declarations
 * `keepalived_vrrp_instances.key`: The name of the VRRP instance
 * `keepalived_vrrp_instances.key.interface`: Interface bound by VRRP
 * `keepalived_vrrp_instances.key.state`: Start-up default state (`MASTER|BACKUP`). As soon as the other machine(s) come up, an election will be held and the machine with the highest `priority` will become `MASTER`
 * `keepalived_vrrp_instances.key.priority`: For electing `MASTER` highest priority (`0...255`) wins
 * `keepalived_vrrp_instances.key.virtual_router_id`: Arbitrary unique number (`0...255`) used to differentiate multiple instances of VRRPD running on the same NIC (and hence same socket)
-* `keepalived_vrrp_instances.key.advert_int`: The advert interval in seconds (optional)
-* `keepalived_vrrp_instances.key.smtp_alert`: Whether or not to send email notifications during state transitioning (optional)
+* `keepalived_vrrp_instances.key.advert_int`: [optional]: The advert interval in seconds
+* `keepalived_vrrp_instances.key.smtp_alert`: [optional]: Whether or not to send email notifications during state transitioning-
 * `keepalived_vrrp_instances.key.authentication`: Authentication block
 * `keepalived_vrrp_instances.key.authentication.auth_type`: Simple password or IPSEC AH (`PASS|AH`)
 * `keepalived_vrrp_instances.key.authentication.auth_pass`: Password string (up to 8 characters)
 * `keepalived_vrrp_instances.key.virtual_ipaddresses`: VRRP IP address block
-* `keepalived_vrrp_instances.key.nopreempt`: VRRP will normally preempt a lower priority machine when a higher priority machine comes online. This option allows the lower priority machine to maintain the master role, even when a higher priority machine comes back online. **NOTE:** For this to work, the initial state of this entry must be `BACKUP`
-* `keepalived_vrrp_instances.key.preempt_delay`: Seconds after startup until preemption (if not disabled by `nopreempt`). Range: 0 (default) to 1000 **NOTE:** For this to work, the initial state of this entry must be BACKUP
+* `keepalived_vrrp_instances.key.nopreempt`: [optional]: VRRP will normally preempt a lower priority machine when a higher priority machine comes online. This option allows the lower priority machine to maintain the master role, even when a higher priority machine comes back online. **NOTE:** For this to work, the initial state of this entry must be `BACKUP`
+* `keepalived_vrrp_instances.key.preempt_delay`: [optional]: Seconds after startup until preemption (if not disabled by `nopreempt`). Range: 0 (default) to 1000 **NOTE:** For this to work, the initial state of this entry must be BACKUP
 * `keepalived_vrrp_instances.key.track_scripts`: Scripts state we monitor
 
-* `keepalived_vrrp_instances.key.notify`: Scripts that is invoked when a server changes state
-* `keepalived_vrrp_instances.key.notify_backup`: Scripts that is invoked when a server changes state (to `BACKUP`)
-* `keepalived_vrrp_instances.key.notify_fault`: Scripts that is invoked when a server changes state (to `FAULT`)
-* `keepalived_vrrp_instances.key.notify_master`: Scripts that is invoked when a server changes state (to `MASTER`)
+* `keepalived_vrrp_instances.key.notify`: [optional]: Scripts that is invoked when a server changes state
+* `keepalived_vrrp_instances.key.notify_user`: [optional]: Specify the user / group to run this script under (since `1.3.0`, e.g. `'nobody nogroup'`)
+* `keepalived_vrrp_instances.key.notify_backup`: [optional]: Scripts that is invoked when a server changes state (to `BACKUP`)
+* `keepalived_vrrp_instances.key.notify_backup_user`: [optional]: Specify the user / group to run this script under (since `1.3.0`)
+* `keepalived_vrrp_instances.key.notify_fault`: [optional]: Scripts that is invoked when a server changes state (to `FAULT`)
+* `keepalived_vrrp_instances.key.notify_fault_user`: [optional]: Specify the user / group to run this script under (since `1.3.0`)
+* `keepalived_vrrp_instances.key.notify_master`: [optional]: Scripts that is invoked when a server changes state (to `MASTER`)
+* `keepalived_vrrp_instances.key.notify_master_user`: [optional]: Specify the user / group to run this script under (since `1.3.0`)
 
 #### Dependencies
 
@@ -81,7 +89,7 @@ None
       - name: log-detail
     keepalived_vrrp_scripts:
       chk_haproxy:
-        script: 'killall -0 haproxy'
+        script: '/bin/pidof haproxy'
         weight: 2
         interval: 1
 

defaults/main.yml

@@ -7,6 +7,8 @@ keepalived_options: []
 
 keepalived_ip_nonlocal_bind: 1
 
+keepalived_create_keepalived_script_user: false
+
 keepalived_global_defs_notification_email:
   - 'root@localhost.localdomain'
 keepalived_global_defs_notification_email_from: 'root@localhost.localdomain'

tasks/main.yml

@@ -108,6 +108,20 @@
     - keepalived
     - keepalived-install
 
+- name: add script user
+  user:
+    name: keepalived_script
+    comment: 'keepalived script'
+    home: /nonexistent
+    shell: /bin/false
+    system: yes
+  when: keepalived_create_keepalived_script_user
+  tags:
+    - configuration
+    - keepalived
+    - keepalived-script
+    - keepalived-script-user
+
 - name: cleanup build
   shell: git reset --hard && git clean -d -x -f
   args:

templates/etc/keepalived/keepalived.conf.j2

@@ -9,6 +9,13 @@ global_defs {
   notification_email_from {{ keepalived_global_defs_notification_email_from }}
   smtp_server {{ keepalived_global_defs_smtp_server }}
   smtp_connect_timeout {{ keepalived_global_defs_smtp_connect_timeout }}
+
+{% if keepalived_global_defs_script_user is defined %}
+  script_user {{ keepalived_global_defs_script_user }}
+{% endif %}
+{% if keepalived_global_defs_enable_script_security is defined and keepalived_global_defs_enable_script_security | bool %}
+  enable_script_security
+{% endif %}
 }
 
 {% for key, value in keepalived_vrrp_scripts.iteritems() %}
@@ -20,6 +27,9 @@ vrrp_script {{ key }} {
 {% if value.interval is defined and value.interval | int %}
   interval {{ value.interval }}
 {% endif %}
+{% if value.user is defined %}
+  user {{ value.user }}
+{% endif %}
 }
 {% endfor %}
 
@@ -62,16 +72,16 @@ vrrp_instance {{ key }} {
   }
 
 {% if value.notify is defined %}
-  notify "{{ value.notify }}"
+  notify "{{ value.notify }}" {{ value.notify_user | default('') }}
 {% endif %}
 {% if value.notify_backup is defined %}
-  notify_backup "{{ value.notify_backup }}"
+  notify_backup "{{ value.notify_backup }}" {{ value.notify_backup_user | default('') }}
 {% endif %}
 {% if value.notify_fault is defined %}
-  notify_fault "{{ value.notify_fault }}"
+  notify_fault "{{ value.notify_fault }}" {{ value.notify_fault_user | default('') }}
 {% endif %}
 {% if value.notify_master is defined %}
-  notify_master "{{ value.notify_master }}"
+  notify_master "{{ value.notify_master }}" {{ value.notify_master_user | default('') }}
 {% endif %}
 }
 {% endfor %}

tests/vagrant.yml

@@ -6,6 +6,10 @@
   roles:
     - ../../
   vars:
+    keepalived_create_keepalived_script_user: true
+#    keepalived_global_defs_script_user: 'nobody nogroup'
+    keepalived_global_defs_script_user: keepalived_script
+    keepalived_global_defs_enable_script_security: true
 #    keepalived_install:
 #      - libnl-3-dev
 #      - libnl-genl-3-dev
@@ -20,16 +24,20 @@
 
     keepalived_options:
       - name: log-detail
+#      - name: log-facility
+#        value: 7
 #    keepalived_vrrp_script_map:
 #      keepalived-notify:
 #        src: ../../../files/keepalived/usr/local/bin/keepalived-notify
 #        dest: /usr/local/bin/keepalived-notify
+#        group: "{{ keepalived_global_defs_script_user }}"
 
     keepalived_vrrp_scripts:
-      chk_haproxy:
-        script: 'killall -0 haproxy'
+      chk_sshd:
+        script: '/bin/pidof sshd'
         weight: 2
         interval: 1
+#        user: "{{ keepalived_global_defs_script_user }}"
 
     keepalived_vrrp_instances:
       VI_1:
@@ -46,6 +54,7 @@
           - '10.0.0.10/24 dev eth1 label eth1:1'
 
         track_scripts:
-          - chk_haproxy
+          - chk_sshd
 
 #        notify: "{{ keepalived_vrrp_script_map['keepalived-notify']['dest'] }}"
+#        notify_user: root