quantum-ns-metadata-proxy runs as root

Bug #1187107 reported by Darragh O'Reilly
Affects: neutron
Status: Fix Released
Importance: Medium
Assigned to: Cedric Brandily

Bug Description

# ps -ef | grep quantum-ns-metadata-proxy
root 10239 1 0 19:01 ? 00:00:00 python /usr/bin/quantum-ns-metadata-proxy --pid_file=/var/lib/quantum/external/pids/7a44de32-3ac0-4f3e-92cc-1a37d8211db8.pid --router_id=7a44de32-3ac0-4f3e-92cc-1a37d8211db8 --state_path=/var/lib/quantum --debug --log-file=quantum-ns-metadata-proxy7a44de32-3ac0-4f3e-92cc-1a37d8211db8.log --log-dir=/var/log/quantum

Root is needed to open the namespace, but quantum-ns-metadata-proxy itself does not need root: it listens on 9697 by default, not 80.

I tried changing /etc/quantum/rootwrap.d/l3.filters for it to run as quantum instead:

metadata_proxy: CommandFilter, /usr/bin/quantum-ns-metadata-proxy, quantum

but it still runs as root.

Revision history for this message
Mark McClain (markmcclain) wrote :

This is a known operation state in released code. I'm not sure it makes sense to keep this private as there is not a vulnerability to exploit. Are you ok making this a regular bug to make the proxy run with reduced perms?

Revision history for this message
Darragh O'Reilly (darragh-oreilly) wrote :

I'm ok with that, go ahead.

Revision history for this message
Thierry Carrez (ttx) wrote :

Classifying as a welcome strengthening opportunity

information type: Private Security → Public
tags: added: security
Changed in quantum:
importance: Undecided → Medium
status: New → Triaged
tags: added: l3-ipam-dhcp
Lawrance (jing)
Changed in neutron:
assignee: nobody → Lawrance (jing)
Lawrance (jing)
Changed in neutron:
assignee: Lawrance (jing) → nobody
Li Ma (nick-ma-z)
Changed in neutron:
assignee: nobody → Li Ma (nick-ma-z)
Revision history for this message
Li Ma (nick-ma-z) wrote :

It seems that the command is classified as an ip-netns filter, which runs under root permission. That's why the metadata-proxy command filter doesn't take effect.

Actually it's not a 'wrong' behavior.

neutron-rootwrap: (root > root) Executing ['/sbin/ip', 'netns', 'exec', 'qrouter-445757d8-ade8-4c2f-9b44-029942e9fd26', 'neutron-ns-metadata-proxy', '--pid_file=/var/lib/neutron/external/pids/445757d8-ade8-4c2f-9b44-029942e9fd26.pid', '--metadata_proxy_socket=/var/lib/neutron/metadata_proxy', '--router_id=445757d8-ade8-4c2f-9b44-029942e9fd26', '--state_path=/var/lib/neutron', '--metadata_port=9697', '--log-file=neutron-ns-metadata-proxy-445757d8-ade8-4c2f-9b44-029942e9fd26.log', '--log-dir=/var/log/neutron'] (filter match = ip_exec)

Li Ma (nick-ma-z)
Changed in neutron:
assignee: Li Ma (nick-ma-z) → nobody
Changed in neutron:
assignee: nobody → Cedric Brandily (cbrandily)
status: Triaged → In Progress
Revision history for this message
Eugene Nikanorov (enikanorov) wrote :

Setting as confirmed until a patch is proposed.

Changed in neutron:
status: In Progress → Confirmed
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (master)

Fix proposed to branch: master
Review: https://review.openstack.org/136840

Changed in neutron:
status: Confirmed → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (master)

Reviewed: https://review.openstack.org/136840
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=b78c5e54abd10fc71a46788110f9f36e6496414e
Submitter: Jenkins
Branch: master

commit b78c5e54abd10fc71a46788110f9f36e6496414e
Author: Cedric Brandily <email address hidden>
Date: Mon Nov 24 15:53:04 2014 +0000

    Do not run neutron-ns-metadata-proxy as root on L3 agent

    Currently neutron-ns-metadata-proxy runs with root permissions when
    namespaces are enabled on the l3 agent because root permissions are
    required to "enter" in the namespace. But neutron-ns-metadata-proxy
    permissions should be reduced as much as possible because it is
    reachable from vms.

    This change makes it possible to change neutron-ns-metadata-proxy
    permissions after its startup through the 2 new options
    metadata_proxy_user and metadata_proxy_group, which define the user/group
    running the metadata proxy after its initialization. Their default values
    are the neutron-l3-agent effective user and group.

    The permissions drop is done after the metadata proxy daemon writes its
    pid in its pidfile (it could be disallowed after the permissions drop).

    Using nobody as metadata_proxy_user/group (more secure) is currently
    not supported because:

    * nobody does not have permission to connect to the metadata socket,
    * nobody does not have permission to log to file because neutron uses
      WatchedFileHandler (which requires read/write permissions after the
      permissions drop).
    This limitation will be addressed in a daughter change.

    DocImpact
    Partial-Bug: #1187107
    Change-Id: I55c8c3fb14ed91ae8570f98f19c2cdbaf89d42fc

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (master)

Fix proposed to branch: master
Review: https://review.openstack.org/147436

Revision history for this message
OpenStack Infra (hudson-openstack) wrote :

Fix proposed to branch: master
Review: https://review.openstack.org/147437

Kyle Mestery (mestery)
Changed in neutron:
milestone: none → kilo-2
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (master)

Reviewed: https://review.openstack.org/147436
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=e171271f127cb48a89df78ec98ba732caf2da980
Submitter: Jenkins
Branch: master

commit e171271f127cb48a89df78ec98ba732caf2da980
Author: Cedric Brandily <email address hidden>
Date: Wed Jan 7 22:21:10 2015 +0000

    Move shared metadata driver related config options

    This change moves metadata driver related config options to metadata
    driver module to prepare the use of metadata driver method in the dhcp
    agent (daughter change). The metadata_port option is not moved as the
    dhcp agent uses a non-configurable port (80).

    Change-Id: Ie45fdad86f33d35fca3096c4c52fae941a279e76
    Partial-Bug: #1187107

Kyle Mestery (mestery)
Changed in neutron:
milestone: kilo-2 → kilo-3
Revision history for this message
OpenStack Infra (hudson-openstack) wrote :

Reviewed: https://review.openstack.org/147437
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=ac6cf685176c3a985a71174b9e8f0161068e38e0
Submitter: Jenkins
Branch: master

commit ac6cf685176c3a985a71174b9e8f0161068e38e0
Author: Cedric Brandily <email address hidden>
Date: Wed Jan 7 23:12:20 2015 +0000

    Do not run neutron-ns-metadata-proxy as root on dhcp agent

    Currently neutron-ns-metadata-proxy runs with root permissions when
    namespaces are enabled on the dhcp agent because root permissions are
    required to "enter" in the namespace. But neutron-ns-metadata-proxy
    permissions should be reduced as much as possible because it is
    reachable from vms.

    This change makes it possible to change neutron-ns-metadata-proxy
    permissions after its startup through the 2 new options
    metadata_proxy_user and metadata_proxy_group, which define the user/group
    running the metadata proxy after its initialization. Their default values
    are the neutron-dhcp-agent effective user and group.

    This change delegates metadata proxy management to metadata driver
    methods in order to reuse the work already done on the l3 agent side.

    The permissions drop is done after the metadata proxy daemon writes its
    pid in its pidfile (it could be disallowed after the permissions drop) and
    after the metadata proxy daemon binds its privileged server port (80).

    Using nobody as metadata_proxy_user/group (more secure) is currently
    not supported because:

    * nobody does not have permission to connect to the metadata socket,
    * nobody does not have permission to log to file because neutron uses
      WatchedFileHandler (which requires read/write permissions after the
      permissions drop).
    This limitation will be addressed in a daughter change.

    DocImpact
    Closes-Bug: #1187107
    Change-Id: I53e97254d560e608101010f67bd2dcdec81fb6a2

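The start-up order the two commit messages above describe (write the pidfile and bind the listening port while still root, then switch to metadata_proxy_user/group irrevocably), as an added Python example that is not neutron's own code. The `ops` parameter, `RecordingOps` and `dry_run` are assumptions added here so the ordering can be checked on a dev box without root; the pidfile path, port and user/group values are constructed.

```python
import grp
import os
import pwd
import socket

def resolve_ids(user, group):
    """Accept names or numeric ids for metadata_proxy_user / metadata_proxy_group."""
    uid = int(user) if str(user).isdigit() else pwd.getpwnam(user).pw_uid
    gid = int(group) if str(group).isdigit() else grp.getgrnam(group).gr_gid
    return uid, gid

def drop_privileges(uid, gid, ops=os):
    # Groups and gid must change while still root; setuid (not seteuid) comes
    # last so the saved uid changes too and root cannot be regained.
    ops.setgroups([])
    ops.setgid(gid)
    ops.setuid(uid)
    if ops.getuid() != uid:           # a proxy still running as root is the bug
        raise RuntimeError("privilege drop failed, uid=%d" % ops.getuid())

def start_proxy(pidfile, port, user, group, ops=os):
    """Start-up order from the commits: pidfile, privileged bind, then drop."""
    trace = []
    with open(pidfile, "w") as f:     # pid dir may be root-owned: write first
        f.write("%d\n" % os.getpid())
    trace.append("pidfile")
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.bind(("127.0.0.1", port))    # port 80 (dhcp agent case) needs root
    sock.listen(5)
    trace.append("bind")
    uid, gid = resolve_ids(user, group)
    drop_privileges(uid, gid, ops)    # nothing root-only may follow this line
    trace.append("drop")
    return trace, sock

class RecordingOps:                   # os stand-in for an unprivileged dry run
    def __init__(self): self.calls, self.uid = [], 0
    def setgroups(self, g): self.calls.append("setgroups")
    def setgid(self, g): self.calls.append("setgid")
    def setuid(self, u): self.calls.append("setuid"); self.uid = u
    def getuid(self): return self.uid

def dry_run():
    # Ephemeral port, discarded pidfile, current uid/gid: checks ordering only.
    ops = RecordingOps()
    trace, sock = start_proxy(os.devnull, 0, str(os.getuid()), str(os.getgid()), ops)
    sock.close()
    return trace, ops.calls, ops.uid == os.getuid()
```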
Changed in neutron:
status: In Progress → Fix Committed
Thierry Carrez (ttx)
Changed in neutron:
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in neutron:
milestone: kilo-3 → 2015.1.0