Attempts to chown env files to inappropriate user
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
juju-core |
Fix Released
|
High
|
Tim Penhey |
Bug Description
I am getting a failure attempting to bootstrap, because juju tries to chown to in inappropriate user.
I am logged in as "ubuntu", but running as "jenkins" via "sudo su jenkins". juju is creating a new jenv file, attempting to chown it to "ubuntu".
I understand this was because the local provider requires sudo, but juju should not create root-owned jenv files. However, juju should not change files to the real userid, because that could disclose credentials to another user. Had juju succeeded with the "chown", i.e. if I had run as "sudo -s", then the jenkins credentials would have been disclosed to the ubuntu user.
Here are some possible solutions:
1. Ignore chown failures: if you're not running as root, but you can read environments.yaml and write *.jenv, then you're probably running as the user that owns the file anyway.
2. Use the uid/gid of environments.yaml for *.jenv. That way the contents of environments.yaml can never be disclosed to the wrong user (AIUI, environments.yaml may go away, but there will be credentials files if it does.)
Related branches
- Juju Engineering: Pending requested
-
Diff: 54 lines (+0/-23)1 file modifiedenvirons/configstore/disk.go (+0/-23)
tags: | added: bootstrap |
Changed in juju-core: | |
milestone: | none → 2.0 |
information type: | Public → Public Security |
$ strace juju bootstrap -e test-release-hp --constraints mem=2G var/lib/ jenkins/ .juju/environme nts/test- release- hp.jenv" , O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) /var/lib/ jenkins/ .juju/environme nts", 0700) = -1 EEXIST (File exists) var/lib/ jenkins/ .juju/environme nts/test- release- hp.jenv" , O_WRONLY| O_CREAT| O_EXCL| O_CLOEXEC, 0600) = 4 /var/lib/ jenkins/ .juju/environme nts/test- release- hp.jenv" , 1000, 1000) = -1 EPERM (Operation not permitted) CLOCK_REALTIME, {1382987820, 79234281}) = 0 CLOCK_REALTIME, {1382987820, 79489134}) = 0 jenkins/ .juju/environme nts/test- release- hp.jenv: operation not permitted
...
open("/
mkdir("
open("/
close(4) = 0
chown("
clock_gettime(
clock_gettime(
write(2, "ERROR cannot create new info for"..., 152ERROR cannot create new info for environment "test-release-hp": chown /var/lib/
) = 152
exit_group(1) = ?