From 77f45dd387e878eb66d32fb435f9e91409eda14c Mon Sep 17 00:00:00 2001
From: Dmitry Tantsur
Date: Fri, 14 Jan 2022 13:03:27 +0100
Subject: [PATCH] Tighten permissions on keystone directories

Make keystone actually run as keystone user, not as nginx/www-data.

Change-Id: I2cbc6685abe2d99c103fcf856f83c373517f007f
---
 .../roles/bifrost-keystone-install/tasks/bootstrap.yml | 10 +++++-----
 .../templates/uwsgi-keystone.ini.j2 | 1 +
 .../roles/bifrost-uwsgi-install/tasks/bootstrap.yml | 8 ++++++++
 .../bifrost-uwsgi-install/templates/uwsgi@.service.j2 | 5 ++---
 releasenotes/notes/keystone-perm-4ce28fff2edd677a.yaml | 7 +++++++
 5 files changed, 23 insertions(+), 8 deletions(-)
 create mode 100644 releasenotes/notes/keystone-perm-4ce28fff2edd677a.yaml

diff --git a/playbooks/roles/bifrost-keystone-install/tasks/bootstrap.yml b/playbooks/roles/bifrost-keystone-install/tasks/bootstrap.yml
index fe77e208f..736a11d43 100644
--- a/playbooks/roles/bifrost-keystone-install/tasks/bootstrap.yml
+++ b/playbooks/roles/bifrost-keystone-install/tasks/bootstrap.yml
@@ -109,8 +109,8 @@
     name: "/etc/keystone"
     state: directory
     owner: "keystone"
-    group: "keystone"
-    mode: 0755
+    group: "{{ nginx_user }}"
+    mode: 0750
 
 - name: "Write keystone configuration from template"
   template:
@@ -118,7 +118,7 @@
     dest: "/etc/keystone/keystone.conf"
     owner: "keystone"
     group: "keystone"
-    mode: 0755
+    mode: 0700
 
 - name: "Apply/Update keystone DB Schema"
   command: keystone-manage db_sync
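Review bot: The reason /etc/keystone is handed to group `{{ nginx_user }}` with mode 0750 is not recorded next to the `group:` line; presumably the keystone uWSGI worker drops to gid nginx_user (the uid/gid lines of uwsgi-keystone.ini.j2 are not in this patch), and whoever later "tightens" the group back to `keystone` would break the worker's access without understanding why. I would add above `group:` a comment such as `# NOTE: the keystone uWSGI worker runs with gid nginx_user (see uwsgi-keystone.ini.j2) and must be able to traverse this directory; nginx itself only needs the socket`. Also write the mode as a string, `mode: "0750"`, as Ansible recommends for octal values: an unquoted value that loses its leading zero in a later edit is passed through as the integer 750 rather than octal 0750.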
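Review bot: `mode: 0700` on keystone.conf sets the execute bit on a plain configuration file that is only ever read; `mode: "0600"` gives the same protection without it, and since the previous 0755 had the same oddity this is the moment to drop it. Quoting the value also follows Ansible's guidance for octal modes. The file keeps `group: "keystone"` while the directory in the hunk above uses the nginx group; that is harmless with an owner-only mode, but a one-line comment such as `# owner-only: the config holds DB and admin credentials, so the group is irrelevant` would stop someone from "aligning" the two later.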
@@ -127,13 +127,13 @@
 - name: "Setup Fernet key repositories"
   command: >
     keystone-manage fernet_setup
-    --keystone-user="{{ nginx_user }}" --keystone-group="{{ nginx_user }}"
+    --keystone-user="keystone" --keystone-group="{{ nginx_user }}"
   environment: "{{ bifrost_venv_env }}"
 
 - name: "Setup Keystone Credentials"
   command: >
     keystone-manage credential_setup
-    --keystone-user="{{ nginx_user }}" --keystone-group="{{ nginx_user }}"
+    --keystone-user="keystone" --keystone-group="{{ nginx_user }}"
   environment: "{{ bifrost_venv_env }}"
 
 - name: "Setting external Keystone public URL"
diff --git a/playbooks/roles/bifrost-keystone-install/templates/uwsgi-keystone.ini.j2 b/playbooks/roles/bifrost-keystone-install/templates/uwsgi-keystone.ini.j2
index fc08a5b64..fd24e8783 100644
--- a/playbooks/roles/bifrost-keystone-install/templates/uwsgi-keystone.ini.j2
+++ b/playbooks/roles/bifrost-keystone-install/templates/uwsgi-keystone.ini.j2
@@ -4,6 +4,7 @@
 master = true
 processes = 2
 threads = 2
 no-orphans = true
+# The socket will be read by nginx which is running as nginx_user
 chmod-socket = 660
 virtualenv = {{ bifrost_venv_dir }}
diff --git a/playbooks/roles/bifrost-uwsgi-install/tasks/bootstrap.yml b/playbooks/roles/bifrost-uwsgi-install/tasks/bootstrap.yml
index 71d831c22..50faef868 100644
--- a/playbooks/roles/bifrost-uwsgi-install/tasks/bootstrap.yml
+++ b/playbooks/roles/bifrost-uwsgi-install/tasks/bootstrap.yml
@@ -18,6 +18,14 @@
   register: uwsgi_install_prefix
   environment: "{{ bifrost_venv_env }}"
 
+- name: "Ensure /run/uwsgi exists and has the right permissions"
+  file:
+    name: "/run/uwsgi"
+    state: directory
+    owner: "{{ nginx_user }}"
+    group: "{{ nginx_user }}" # TODO(TheJulia): Split webserver user/group.
+    mode: 0770 # NOTE(dtantsur): needs to be writable by group members
+
 - name: "Ensure /etc/uwsgi exists"
   file:
     name: "/etc/uwsgi"
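Review bot: With `--keystone-group="{{ nginx_user }}"` the Fernet and credential key repositories remain group-readable by nginx_user, so every process in that group — nginx itself and, judging by the TODO on the /run/uwsgi task, any other uWSGI application still running as nginx_user — can read the token-signing keys, which undercuts the separation the commit message aims for. If the only reason is that the keystone worker's gid is nginx_user (its uid/gid settings are not visible in this patch; sharing the socket with nginx is handled by `chmod-socket` and does not require access to the keys), the worker could instead run with gid `keystone` and the socket could be handed to nginx via uWSGI's `chown-socket`, letting both calls use `--keystone-group="keystone"`. At minimum a comment above the task should record why the web-server group must be able to read the key repositories.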
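Review bot: Creating `/run/uwsgi` from a one-off Ansible task does not survive a reboot: on systemd hosts /run is a tmpfs, and the same commit removes `RuntimeDirectory=uwsgi` from the unit, so after the first reboot nothing recreates the directory before the uwsgi instances start and socket creation fails. The durable fix is a tmpfiles.d entry — a `copy` task writing `d /run/uwsgi 0770 {{ nginx_user }} {{ nginx_user }} -` to /etc/tmpfiles.d/uwsgi.conf followed by `systemd-tmpfiles --create` — or keeping `RuntimeDirectory=uwsgi` together with `RuntimeDirectoryMode=0770` (noting that with `User=root` systemd would then create it root-owned). The NOTE on the mode line should also spell out the trade-off: a group-writable socket directory lets every application sharing the nginx_user gid remove or replace another application's socket.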
diff --git a/playbooks/roles/bifrost-uwsgi-install/templates/uwsgi@.service.j2 b/playbooks/roles/bifrost-uwsgi-install/templates/uwsgi@.service.j2
index c49d22d1a..fc9aab58c 100644
--- a/playbooks/roles/bifrost-uwsgi-install/templates/uwsgi@.service.j2
+++ b/playbooks/roles/bifrost-uwsgi-install/templates/uwsgi@.service.j2
@@ -5,9 +5,8 @@ Description=%i uWSGI service
 ExecStart={{ uwsgi_install_prefix.stdout | default('/usr/bin') }}/uwsgi \
   --ini /etc/uwsgi/apps-enabled/%i.ini
 SyslogIdentifier=%i
-RuntimeDirectory=uwsgi
-User={{ nginx_user }}
-Group={{ nginx_user }}
+# Has to be root, otherwise uWSGI won't be able to drop privileges
+User=root
 Restart=on-failure
 KillSignal=SIGQUIT
 Type=notify
diff --git a/releasenotes/notes/keystone-perm-4ce28fff2edd677a.yaml b/releasenotes/notes/keystone-perm-4ce28fff2edd677a.yaml
new file mode 100644
index 000000000..5871fbfe6
--- /dev/null
+++ b/releasenotes/notes/keystone-perm-4ce28fff2edd677a.yaml
@@ -0,0 +1,7 @@
+---
+fixes:
+  - |
+    The keystone configuration is no longer world-readable.
+  - |
+    The keystone process now runs as the ``keystone`` user, not as the nginx
+    user.
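Review bot: With `User=root` the safety net is gone for any instance whose ini does not set `uid`/`gid`: uWSGI started as root without them only logs a warning and keeps serving as root, whereas before systemd pinned every instance to nginx_user. The uid/gid lines of the one ini this commit touches are not in the patch and any other apps-enabled ini is outside it, so the comment should state the new contract, e.g. `# Has to be root so uWSGI can drop to the uid/gid set in each apps-enabled ini; an ini without uid/gid would keep running as root`. I would also consider adding `NoNewPrivileges=yes` and a `CapabilityBoundingSet=CAP_SETUID CAP_SETGID CAP_CHOWN CAP_DAC_OVERRIDE` to the unit, which still permits the privilege drop and socket setup but denies a mis-configured instance most of root; the exact capability set needs confirming against the uWSGI options actually in use.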