From c10ad0d9eb72362ba9bf7f695ef117396113e1bb Mon Sep 17 00:00:00 2001 From: Corey Bryant Date: Mon, 15 May 2017 14:50:07 +0000 Subject: [PATCH] Drop privileges when running commands Drop privileges to a regular user when running commands defined by this snap. In most cases this is done prior to executing the command. NGINX is an exception in that the command will be run as root, allowing the the master process to bind to ports. The nginx.conf template is configured to then drop privileges for worker processes, which do all work, such as handling network connections, r/w to disk, and communication with servers. Change-Id: If9bf24fc65412b90b8b1890944a469de23888c32 --- snap/snap-openstack.yaml | 22 +++++++++++++++++----- snap/templates/keystone-snap.conf.j2 | 2 +- snap/templates/nginx.conf.j2 | 2 +- snapcraft.yaml | 2 +- 4 files changed, 20 insertions(+), 8 deletions(-) diff --git a/snap/snap-openstack.yaml b/snap/snap-openstack.yaml index a8db48c..1944b35 100644 --- a/snap/snap-openstack.yaml +++ b/snap/snap-openstack.yaml @@ -1,25 +1,33 @@ setup: + users: + snap-keystone: [snap-keystone] + default-owner: "root:snap-keystone" dirs: + - "{snap_common}/etc" - "{snap_common}/etc/keystone" - "{snap_common}/etc/keystone/conf.d" - - "{snap_common}/etc/keystone/fernet-keys" - "{snap_common}/etc/nginx" - "{snap_common}/etc/uwsgi" + - "{snap_common}/fernet-keys" - "{snap_common}/lib" - "{snap_common}/lock" - "{snap_common}/log" - "{snap_common}/run" templates: - keystone-snap.conf.j2: "{snap_common}/etc/keystone/conf.d/keystone-snap.conf" admin.ini.j2: "{snap_common}/etc/uwsgi/admin.ini" - public.ini.j2: "{snap_common}/etc/uwsgi/public.ini" keystone-nginx.conf.j2: "{snap_common}/etc/nginx/sites-enabled/keystone.conf" - # NOTE(coreycb): drop root from nginx.conf template when support lands for - # dropping permissions to regular user. + keystone-snap.conf.j2: "{snap_common}/etc/keystone/conf.d/keystone-snap.conf" nginx.conf.j2: "{snap_common}/etc/nginx/nginx.conf" + public.ini.j2: "{snap_common}/etc/uwsgi/public.ini" copyfiles: "{snap}/etc/keystone": "{snap_common}/etc/keystone" "{snap}/usr/conf": "{snap_common}/etc/nginx" + rchown: + "{snap_common}/fernet-keys": "snap-keystone:snap-keystone" + "{snap_common}/lib": "snap-keystone:snap-keystone" + "{snap_common}/lock": "snap-keystone:snap-keystone" + "{snap_common}/log": "snap-keystone:snap-keystone" + "{snap_common}/run": "snap-keystone:snap-keystone" entry_points: keystone-manage: binary: "{snap}/bin/keystone-manage" @@ -27,10 +35,14 @@ entry_points: - "{snap_common}/etc/keystone/keystone.conf" config-dirs: - "{snap_common}/etc/keystone/conf.d" + run-as: + snap-keystone: [snap-keystone] keystone-uwsgi: type: uwsgi uwsgi-dir: "{snap_common}/etc/uwsgi" log-file: "{snap_common}/log/uwsgi.log" + run-as: + snap-keystone: [snap-keystone] keystone-nginx: type: nginx config-file: "{snap_common}/etc/nginx/nginx.conf" diff --git a/snap/templates/keystone-snap.conf.j2 b/snap/templates/keystone-snap.conf.j2 index 96b211e..fca2577 100644 --- a/snap/templates/keystone-snap.conf.j2 +++ b/snap/templates/keystone-snap.conf.j2 @@ -8,4 +8,4 @@ lock_path = {{ snap_common }}/lock [fernet_tokens] # Fernet key repository -key_repository = {{ snap_common }}/etc/fernet-keys +key_repository = {{ snap_common }}/fernet-keys diff --git a/snap/templates/nginx.conf.j2 b/snap/templates/nginx.conf.j2 index c02138e..653ff03 100644 --- a/snap/templates/nginx.conf.j2 +++ b/snap/templates/nginx.conf.j2 @@ -1,4 +1,4 @@ -user root; +user snap-keystone snap-keystone; worker_processes auto; pid {{ snap_common }}/run/nginx.pid; diff --git a/snapcraft.yaml b/snapcraft.yaml index 1a7e636..b0aa2fb 100644 --- a/snapcraft.yaml +++ b/snapcraft.yaml @@ -73,7 +73,7 @@ parts: - etc/keystone/*.json - etc/keystone/*.templates stage: [$etc] - snap: [$etc] + prime: [$etc] nginx: source: http://www.nginx.org/download/nginx-1.13.0.tar.gz plugin: autotools