New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[question] consul exec production security policy #532

Closed
wuub opened this Issue Dec 11, 2014 · 5 comments

Comments

Projects
None yet
4 participants
@wuub
Contributor

wuub commented Dec 11, 2014

We would like to leave consul exec enabled on most, if not all, of our nodes but:
a) limit the number of people (and systems!) authorized to use it
b) secure our cluster from being completely open, when a single node is compromised

KV ACL was our first attempt, but since nodes must be allowed to write an ack during exec, and since consul exec accepts kv --prefix, it doesn't seem to help much with point b)

Are some kind of exec ACLs on the roadmap?
Maybe exec RPC can piggyback on top of verify_incoming and a whitelisted set of authorized key fingerprints?

@armon

This comment has been minimized.

Show comment
Hide comment
@armon

armon Dec 11, 2014

Member

Yeah, still working on the best way to handle this due to the distributed nature of exec, enforcement is made rather tricky. I do think we can fit it into the existing ACL system, just a matter of thinking it through more!

Member

armon commented Dec 11, 2014

Yeah, still working on the best way to handle this due to the distributed nature of exec, enforcement is made rather tricky. I do think we can fit it into the existing ACL system, just a matter of thinking it through more!

@jhmartin

This comment has been minimized.

Show comment
Hide comment
@jhmartin

jhmartin Feb 2, 2015

Contributor

As an interim step perhaps the security could be delegated? Sort of like the SSH 'ForceCommand' such that the requested command would be passed to some other command? In this way I could validate that the command is either on a known whitelist, or verify that the command is signed in some manner by an authorized user.

Otherwise it is a very ugly security story.

Contributor

jhmartin commented Feb 2, 2015

As an interim step perhaps the security could be delegated? Sort of like the SSH 'ForceCommand' such that the requested command would be passed to some other command? In this way I could validate that the command is either on a known whitelist, or verify that the command is signed in some manner by an authorized user.

Otherwise it is a very ugly security story.

@armon

This comment has been minimized.

Show comment
Hide comment
@armon

armon Feb 2, 2015

Member

@jhmartin The interim solution is to disable exec support until the ACL framework covers it

Member

armon commented Feb 2, 2015

@jhmartin The interim solution is to disable exec support until the ACL framework covers it

@armon

This comment has been minimized.

Show comment
Hide comment
@armon

armon May 7, 2015

Member

Question is answered, closing

Member

armon commented May 7, 2015

Question is answered, closing

@armon armon closed this May 7, 2015

@kaelumania

This comment has been minimized.

Show comment
Hide comment
@kaelumania

kaelumania May 27, 2015

@armon I would also like to see a feature, where we can decide which commands are whitelisted, e.g. block rm -rf /. The proposed interim step by @jhmartin sounds reasonable good to me. That way we can decide, if the command gets really executed or is being blocked by the node. A similar way would be to add a configuration option to the agent, which describes which command should be used to execute the command given by the exec request, e.g. { "exec_engine" : "/usr/local/bin/secure_bash" } and maybe the exec carries only the parameters to this command.

kaelumania commented May 27, 2015

@armon I would also like to see a feature, where we can decide which commands are whitelisted, e.g. block rm -rf /. The proposed interim step by @jhmartin sounds reasonable good to me. That way we can decide, if the command gets really executed or is being blocked by the node. A similar way would be to add a configuration option to the agent, which describes which command should be used to execute the command given by the exec request, e.g. { "exec_engine" : "/usr/local/bin/secure_bash" } and maybe the exec carries only the parameters to this command.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment