Project

General

Profile

Actions

Bug #2375

closed

The generated rules permissions are not correct

Added by Nicolas CHARLES almost 13 years ago. Updated over 12 years ago.

Status:
Released
Priority:
2
Assignee:
Matthieu CERDA
Category:
Web - Config management
Target version:
Severity:
UX impact:
User visibility:
Effort required:
Priority:
Name check:
Fix check:
Regression:

Description

The generated rules have the 755 permissions, which is not great in term of security. They should have at most 750

Actions #1

Updated by Nicolas PERRON over 12 years ago

Is these permissions set by packaging ?

Actions #2

Updated by Jonathan CLARKE over 12 years ago

  • Priority changed from 1 (highest) to 2
  • Target version changed from 2.3.7 to 2.3.8

Nicolas PERRON wrote:

Is these permissions set by packaging ?

No, this ticket is about permissions on files generated by the webapp. The contents of /var/rudder/share and /var/rudder/cfengine-community/inputs, basically.

So long as the Rudder server is secure, no access to these files can happen. When they are copied to nodes, their permissions should be changed there, but there may be a gap in between when they are world readable. Demoting priority a bit, but we should still fix this soon.

Actions #3

Updated by François ARMAND over 12 years ago

Well, we don't have the possibility to control Unix File permission in Java (the platform independent thing).

The possibility are:

  • 1) use a different umask before starting the JVM, but that will impact ALL files created by applications under that JVM, what seems to be a bad idea ;
  • 2) run a chmod from the JVM after each creation, what is possible but not a too good idea (JVM calling Unix process is utterly slow)
  • 3) using JDK 7 to be able to use the NIO API (java.nio.file.attribute.PosixFileAttributes / Files.setPosixFilePermissions)
  • 4) have the permissions set by a CFEngine running on the server :)

And I believe I don't know anything else.

If 4) is not possible, I can implement 2), but it's likelly to be noticeable.

Actions #4

Updated by François ARMAND over 12 years ago

  • Status changed from New to Discussion
  • Assignee changed from François ARMAND to Nicolas CHARLES
Actions #5

Updated by Jonathan CLARKE over 12 years ago

  • Assignee changed from Nicolas CHARLES to François ARMAND

François ARMAND wrote:

Well, we don't have the possibility to control Unix File permission in Java (the platform independent thing).

The possibility are:

  • 1) use a different umask before starting the JVM, but that will impact ALL files created by applications under that JVM, what seems to be a bad idea ;
  • 2) run a chmod from the JVM after each creation, what is possible but not a too good idea (JVM calling Unix process is utterly slow)
  • 3) using JDK 7 to be able to use the NIO API (java.nio.file.attribute.PosixFileAttributes / Files.setPosixFilePermissions)
  • 4) have the permissions set by a CFEngine running on the server :)

And I believe I don't know anything else.

If 4) is not possible, I can implement 2), but it's likelly to be noticeable.

4) is possible, but I think it's already the case (not sure). However, this is not a good solution in a security problem: if we're worried about malicious users reading the files, we should not allow them to be in mode 755 at all, not even for 1 second. 2) is not sufficient for the same reason.

3) is not possible as the JRE 7 is not easily available (in distribution package repos) for all (or even most) of our supported server operating systems.

By elimination, it seems to me that 1) is the most sensible. If we assume that other malicious users may be on the Rudder server, and try and protect our data from them, we should certainly not create any files in 755. It is also easy to implement.

Can you see any reasons why this would have other negative impacts?

Actions #6

Updated by Jonathan CLARKE over 12 years ago

Any feedback on this?

Actions #7

Updated by François ARMAND over 12 years ago

OK, let's go for the UMASK, we will see if anything breaks - I didn't come to think to anything that should, but who knows :)

Actions #8

Updated by Jonathan CLARKE over 12 years ago

  • Status changed from Discussion to 2
  • Assignee changed from François ARMAND to Matthieu CERDA

Matthieu, can you please add a configuration in 2.4 to force Jetty's umask to 027 (in it's init script I presume). The simplest way to test will be to regenerate promises and check their permission - they should not have 640 perms.

Actions #9

Updated by Matthieu CERDA over 12 years ago

  • Status changed from 2 to Discussion
  • Assignee changed from Matthieu CERDA to Jonathan CLARKE

Well, I just tried now and Rudder did generate promises with these rights:

drwxr-xr-x 12 root root 4,0K juin 21 17:37 .
drwxr-xr-x 14 root root 4,0K avril 25 06:42 ..
drwx------  3 root root 4,0K juin 21 17:36 06da3556-5204-4bd7-b3b0-fa5e7bcfbbea

700 seems like a perfect mode to me :) I do not see any trouble here.

Same goes for /var/rudder/cfengine-community/inputs by the way:

-rw------- 1 root root 3,2K juin 21 17:37 /var/rudder/cfengine-community/inputs/failsafe.cf
-rw------- 1 root root  16K juin 21 17:37 /var/rudder/cfengine-community/inputs/promises.cf

Are we really sure there is a problem here ?

(This test was done on orchestrator-3, i'll try on orch-2 as well)

Actions #10

Updated by Matthieu CERDA over 12 years ago

  • Status changed from Discussion to In progress
  • Assignee changed from Jonathan CLARKE to Matthieu CERDA

Well, that is quite a surprise, indeed orch-3 seems to be the only orchestrator doing this. The init script might have been polluted by my own umask maybe.

Whatever, I'm on it then.

Actions #11

Updated by Matthieu CERDA over 12 years ago

  • Status changed from In progress to Discussion
  • Assignee changed from Matthieu CERDA to Jonathan CLARKE

Damn. Jetty seems to ignore the umask.

It seems we are going to need another approach, or tolerate the delay before a cf-agent run.

Actions #12

Updated by François ARMAND over 12 years ago

Well, the JVM respects umask, and jetty (and Rudder) only call JVM methods to create files, so that seems highly improbable.

Actually, I tested in orchestrateur-3, and umask seems to be correctly applied. Note that only new files have the new umask.

I saved the non-modified jetty init script in /var/rudder/modified-files/jetty.init, and for history, this is the diff:

--- /var/rudder/modified-files/jetty.init    2012-06-25 18:03:20.000000000 +0200
+++ /etc/init.d/jetty    2012-06-25 18:04:18.000000000 +0200
@@ -436,6 +436,8 @@
 ##################################################
 case "$ACTION" in
   start)
+    UMASK="0027" 
+    echo "Setting umask to ${UMASK}" 
     echo -n "Starting Jetty: " 

     if (( NO_START )); then 
@@ -451,7 +453,7 @@
       then
         CH_USER="-c$JETTY_USER" 
       fi
-      if start-stop-daemon -S -p"$JETTY_PID" $CH_USER -d"$JETTY_HOME" -b -m -a "$JAVA" -- "${RUN_ARGS[@]}" --daemon
+      if start-stop-daemon -k ${UMASK} -S -p"$JETTY_PID" $CH_USER -d"$JETTY_HOME" -b -m -a "$JAVA" -- "${RUN_ARGS[@]}" --daemon
       then
         sleep 1
         if running "$JETTY_PID" 
@@ -463,7 +465,7 @@
       fi

     else
-
+      umask ${UMASK}  
       if [ -f "$JETTY_PID" ]
       then
         if running $JETTY_PID

I hope I didn't make any mistakes with my tests.

Actions #13

Updated by Matthieu CERDA over 12 years ago

Well, I tried with a much more simple approach... Setting umask in my shell...

FAR's modifications seems totally valid, I approve it !

Actions #14

Updated by Matthieu CERDA over 12 years ago

  • Status changed from Discussion to Pending technical review
  • % Done changed from 0 to 100

Applied in changeset commit:9dcaf567df0751c659484b43948b45804408423f.

Actions #15

Updated by Matthieu CERDA over 12 years ago

  • Assignee changed from Jonathan CLARKE to Matthieu CERDA
Actions #16

Updated by Matthieu CERDA over 12 years ago

The patch has been applied to the rudder-jetty package.

Actions #17

Updated by Jonathan CLARKE over 12 years ago

  • Status changed from Pending technical review to Released

Looks good to me!

Actions

Also available in: Atom PDF