New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fix for chroot not getting supplemental groups #1398
Conversation
I could "fix" logstash-web, but I see no reason why it should require the extra groups to run. |
Before the patch logstash could not read files owned by root:adm with permissions of 640, after the patch, logstach can read those files. Tested on ubuntu 12.04 |
Cool solution, im only afraid of the situation when there are no additional groups would the command fail then because its missing group names? Perhaps an idea to do something like: |
@@ -50,11 +50,15 @@ start() { | |||
JAVA_OPTS=${LS_JAVA_OPTS} | |||
export PATH HOME JAVA_OPTS LS_HEAP_SIZE LS_JAVA_OPTS LS_USE_GC_LOGGING | |||
|
|||
# chown doesn't grab the suplimental groups when setting the user:group - so we have to do it for it. | |||
# Boy, I hope we're root here. | |||
SGROUPS=$(grep "$LS_USER" /etc/group | grep -v "^$LS_GROUP" | cut -d: -f1 | tr "\\n" "," | sed 's/,$//'; echo '') |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
getent initgroups $LS_USER
feels like the more correct approach here, do you agree?
Parsing /etc/group isn't best because it doesn't respect nsswitch.conf.
Thoughts?
New commit tests to see if there was anything returned. tested with my username - I get EXTRA_GROUPS, with another account it's blank as expected. |
I was not aware of the command - and you're right, pam could be a problem too. The command as provided gives group numbers, which would work - let me play some more. |
I don't remove the already set group anymore, but I can't see that hurting anything. |
@@ -50,11 +50,20 @@ start() { | |||
JAVA_OPTS=${LS_JAVA_OPTS} | |||
export PATH HOME JAVA_OPTS LS_HEAP_SIZE LS_JAVA_OPTS LS_USE_GC_LOGGING | |||
|
|||
# chown doesn't grab the suplimental groups when setting the user:group - so we have to do it for it. | |||
# Boy, I hope we're root here. | |||
SGROUPS=$(id -Gn "$LS_USER" | tr " " "," | sed 's/,$//'; echo '') |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
+1 using id
instead of grep /etc/group
seems like a good approach.
👍 from me :-) |
The updated pull request works great for me.
If the init script was generated by 'pleaserun', I wonder if there needs to be a bug-hancement filed on that project as well? |
@spuder all issues that we see here with with the init script we silently try to port over to pleaserun :-) |
Is there an expected release for this fix? I'd really like to see it make it into 1.4.2 since logstash is broken on all Ubuntu nodes at the moment. |
How is possible that logstash is broken in, at least, all ubuntu nodes and this fix is not already merged? |
Can one of the admins verify this patch? |
@victorgp I am sorry that you are negatively impacted by this. From your comment, I can tell you are excited to see this patch merged! While I believe this patch to work (testing by hand on one OS distro version), it would be greatly useful to us to know if it works for you. Further, this script is also used on CentOS/RHEL/SLES systems, can you help us test on those? I don't have access yet to all of those systems so it is difficult to do such testing in isolation. We are always working to improve our testing infrastructure as well to help cover these situations. Any testing you can do on this would be lovely. As a bonus, by testing this, you would apply a workaround for your own infrastructure until we provide a release with this patch (or something like it that is known to work on all supported platforms). I would hate to merge this patch only to have you or someone else find it in the next release having caused something else to break. This is why testing is so important to us. This is an open source project and community, and we are stronger if we work together! Any energy you can provide is most appreciated, though obviously not required :) |
@jordansissel sorry for the negativity, i didn't want to seem so negative. I will try to help you testing the patch in Debian and Ubuntu, i don't have access to other distros either. Let's see if i can find some free time one of these days to test it. |
The tests i've done tell me that this fix is not fully complete. It does work for old scripts located in /etc/init.d/ but it is still broken for upstart scripts in /etc/init/ I suppose the file logstash.upstart.ubuntu must be fixed, but it is no using chroot to run the program, why? i guess both should run in the same way... BTW anyone knows what is the version that introduced this bug? |
Hi, The upstart script didn't get the love yet it deserves but we will soon do that. |
I find it very interesting that other people are still able to use logstash despite this bug. It is an absolute blocker for me. I'm trying to setup the simplest possible logstash cluster as shown in the examples in the logstash book, but can't work around this without significant chmod hackery. Surely every one who tries to use logstash is running into this bug, no? |
As far as I can see upstart doesn't use chown -- and IIRC when I did these patches, I looked though all the startup scripts to see if they would have the same problem. |
Hey guys. Not sure if it's just me but the @coolacid modifications posted above still prevent me from reading anything root:adm with 640 permissions. Have modified both sysv and upstart but issue remains. Am I the only one? |
@heytchap Did you add logstash to the adm group? |
@coolacid I did. I also added the LS user to root and syslog. id logstash so Im not sure what the hangup is here. |
@lasse-aagren Indeed! My hope, for now, is that setfacl is simply a workaround until we can fix it. This assumes all process-launcher systems are capable of setting supplementary groups- Supervisord, for example, appears only to support setting user, not even group, nor supplementary groups. |
f86287d
to
a536eef
Compare
Hi, Quick and dirty fix (if you trust your system) would be also to comment out the chroot line.
|
+1 for the solution. I tested this pull request on CentOS 7 and it worked as expected. |
When is this getting merged? |
Curious when this is going to get merged? Like others, I can't imagine that most folks using logstash to read files aren't running into this and spending a lot of time either figuring it out or reading posts like the above... |
Variable |
I think we've had enough folks report that this patch works for them that I am ok to merge it. |
Merged sucessfully into master 1.5! |
linux chroot doesn't get the supplemental groups before dropping privileges. As such, we need to pull it from /etc/group and tweak it so that we can send them to chroot.
Original report came from @spuder on irc -- here is his GIST report:
https://gist.github.com/spuder/a1c3c7d10ce129507858
Spuder tested this and reported it working. Should work on other systems that use sysv init.