-
Notifications
You must be signed in to change notification settings - Fork 149
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
ownership and permission of keytab file #1982
Comments
Taken at face value, it really is not as secure because we have no idea who is in the daemon group (and please don't ask us to verify that it is a singleton). Since if root created the file it can just as easily assign the ownership to daemon. The message, I would argue, is correct for the reasons I stated above. What worries me more is that the home directory could not be created and that prevents getting any core files should he serve crash. |
Is keeping the keytab file secure the responsibility of xrootd or the administrator? I think an application should take some reasonable precautions and/or print helpful warnings, but it is ultimately the responsibility of and should be under control of the administrator. Likewise for ensuring the group is a singleton. xrootd can not absolutely ensure the confidentiality of the keytab file. I could always accidentally paste it on github or something :)
That is not possible in this case, because the secret is managed by the kubelet and the file is mounted into all containers of a pod, but each container in a pod may have a different identity context which would lead to UID conflicts. Besides, this is not running on a traditional server where there are other users. It is running in a pod where there is only one parent process running with a completely arbitrary UID and GID. It's kind of like the 'O' field in 'UGO' is irrelevant because it is an isolated environment with no other users (or you can think of all the processes allowed to run in the container as being the "group" of the container), the U field has to be root as explained above, so the G field is used for ownership of the file. Some applications (such as Postgres and arcproxy) which had assumptions about the security context of a traditional server have relaxed those requirements a bit to allow admins more control in how they deploy services (for example on Kubernetes) and to adapt to being more container-native. If the pod crashes it will be restarted automatically and any transient files will be lost. The pod could be instrumented to retain core files though, e.g. in /mgm. But either way the concept of a home directory doesn't really apply in this context. Thanks for your consideration! |
Unfortunately, it's not that simple. It is the responsibility of the
application to verify that the admin has kept the file secure. It is the
responsibility of the admin to secure the file. This is exactly what
xrootd does and is in keeping with many other systems that require that
files be secured.
…On Wed, 29 Mar 2023, R. P. Taylor wrote:
Is keeping the keytab file secure the responsibility of xrootd or the administrator? I think an application should take some reasonable precautions and/or print helpful warnings, but it is ultimately the responsibility of and should be under control of the administrator. Likewise for ensuring the group is a singleton. xrootd can not absolutely ensure the confidentiality of the keytab file. I could always accidentally paste it on github or something :)
> if root created the file it can just as easily assign the ownership to daemon.
That is [not possible](kubernetes/kubernetes#81089 (comment))](url) in this case, because the secret is managed by the kubelet and the file is mounted into all containers of a pod, but each container in a pod may have a different identity context which would lead to UID conflicts. Besides, this is not running on a traditional server where there are other users. It is running in a pod where there is only one parent process running with a completely arbitrary UID and GID. It's kind of like the 'O' field in 'UGO' is irrelevant because it is an isolated environment with no other users (or you can think of the processes allowed to run in the container as being the "group" of the container), the U field has to be root as explained above, so the G field is used for ownership of the file.
U -> -
G -> U
O -> G
Some applications (such as Postgres and arcproxy) which had assumptions about the security context of a traditional server have relaxed those requirements a bit to allow admins more control in how they deploy services (for example on Kubernetes) and to adapt to being more container-native.
If the pod crashes it will be restarted automatically and any transient files will be lost. The pod could be instrumented to retain core files though, e.g. in /mgm. But either way the concept of a home directory doesn't really apply in this context.
Thanks for your consideration!
--
Reply to this email directly or view it on GitHub:
#1982 (comment)
You are receiving this because you commented.
Message ID: ***@***.***>
|
The application is limited to only seeing the owner and mode of the file on the local filesystem, which is a small subset of all that encompasses keeping the keytab secure. In our environment the mode 0440 root:daemon is correct and secure. |
This is a security level disagreement. Best practices generally disallow people from stepping into a security minefield even if they want to and his is what xroot does here. So, we will keep the current behaviour. |
Hello,
Regarding the xrootd keytab file, it seems that xrootd server running as the daemon user fails to start if the file ownership is different from
Would you consider allowing this?
The error comes from here: https://github.com/xrootd/xrootd/blob/master/src/XrdSecsss/XrdSecsssKT.cc#L439
The error message is not entirely accurate because the proposed file mode/ownership is equally secure, because root can implicitly read all files regardless of ownership. xrootd should not care whether it can read the keytab file via user ownership or group ownership, it should only matter that it can open the file read-only and that it is not publicly readable.
This will help in environments where credentials are provided for the xrootd server but owned and managed by the root user (for example in kubernetes where the keytab is injected as a secret into the pod by the kubelet).
Thanks!
The text was updated successfully, but these errors were encountered: