Change pot root mountpoint to require root privileges #218
Conversation
|
While I agree with the need to improve security, I have few remarks:
|
|
Protecting just the mountpoints would work for me, if it’s done reliably. This would also have the advantage of protecting existing pot installations on update. The reason I brought up pot.conf is that many potluck images use (or at least used in the past) environment variables to configure the pot, including things like passwords. For the images I use I changed this to using vault cubbyhole wrapped secrets instead, which I place in a file in a mount-in path with appropriate permissions. The other reason I changed permissions of /opt/pot/jails is that it’s easy to control - getting all mountpoints right might be a bit more work/complicated, but maybe I’m a bit too pessimistic there. |
|
@pizzamig I updated the review with a draft quality patch (not thoroughly tested and unit tests not adapted) that tries to do two things:
Do you think this is a viable approach? |
grembo
changed the title
grembo
force-pushed
the
run-as-root
branch
12 times, most recently
from
c67ebb3
to
2e7462c
Compare
grembo
changed the title
grembo
force-pushed
the
run-as-root
branch
12 times, most recently
from
10c055e
to
3986916
Compare
grembo
force-pushed
the
run-as-root
branch
3 times, most recently
from
373aa87
to
6b0a9ec
Compare
|
What's also a bit unclear is how this would work for type multi pots (I'm not using these myself). |
|
@pizzamig It seems like that monitor doesn't for for commands that are run in a subshell (e.g., to capture their output) - as counters are set in the wrong shell. This could be worked around by using a temporary file in monitor.sh. |
|
multi: you have a monitor is useless if the stub command is executed in a subshell. I constantly forget about it every time I use it. |
grembo
force-pushed
the
run-as-root
branch
2 times, most recently
from
80b71cc
to
f301e99
Compare
I implemented a monitor that can trace commands in subshells as well - this helps a lot with anything ZFS, where all calls are stubbed and no side-effects would be visible otherwise. Implemented separately in #220, I rebased this review on top of that one. |
This is a first attempt to check if the approach makes sense. Not really tested.
We leave usr.local and custom mountpoint unaltered.
|
While the proposed patch is good to land, I would add an entry in the changelog before to commit. |
|
@pizzamig Thanks for reviewing |
This is the correct fix to bsdpot#218, as discussed in bsdpot#233 (comment) Fixes bsdpot#218
This is the correct fix to bsdpot#218, as discussed in bsdpot#233 (comment) Fixes bsdpot#218
This is the correct fix to bsdpot#218, as discussed in bsdpot#233 (comment) Fixes bsdpot#218
This is the correct fix to bsdpot#218, as discussed in bsdpot#233 (comment) Fixes bsdpot#218
* Remove mkdir when ZFS create the directory This was introduced in b2fb5d7 and wasn't a good approach after all. Left in the mkdir function in common.sh and used it in places where mkdir was also necessary beforehand. * Add pot group and require it to access /opt/pot This is the correct fix to #218, as discussed in #233 (comment) Fixes #218
Many existing pot commands break in strange ways if the user doesn't have
root permissions. Changing the access mode of jails to root-readable only
(0700) makes this worse, as many pot commands read
jails/.../pot.conf.It is very necessary though for these reasons:
pot.confcan contain environment variables that contain secrets thatshouldn't be readable by unprivileged users on the host system.
exposed to unprivileged users on the host system. One prime example is
the content of
/secretswhen using the nomad pot driver - the nomadproject relies on
data_dirbeing protected with proper permissions anduses file mode 0666 for everything within the container, including the
content of the
secretsdir[0]. As these directories will be sharedwith the container using a nullfs mount, it's very important to protect
the container's root, which is accomplished with this change.
[0] See also: hashicorp/nomad#11900