VPNaaS: ipsec.secrets file permissions prevent LibreSwan from starting

Bug #1493492 reported by Brent Eagles
Affects: neutron | Status: Fix Released | Importance: Undecided | Assigned to: Brent Eagles | Milestone: (empty)

Bug Description

The man pages for ipsec.secrets generally state that the file should be owned by root or super-user and access blocked to everyone else (chmod 0600). Recent changes have dealt with the file permissions issue. However, in neutron vpnaas the file ownership is that of the process and due to strict permission checks through "capabilities", this actually results in a failure to establish connections with LibreSwan since pluto runs as root. This seems to be LibreSwan specific.

Brent Eagles (beagles)
summary: - VPNaaS: ipsec.secrets file should be owned by root/super-user
+ VPNaaS: ipsec.secrets file permissions prevent LibreSwan from starting
Changed in neutron:
assignee: nobody → Brent Eagles (beagles)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron-vpnaas (master)

Fix proposed to branch: master
Review: https://review.openstack.org/222192

Changed in neutron:
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron-vpnaas (master)

Reviewed: https://review.openstack.org/222192
Committed: https://git.openstack.org/cgit/openstack/neutron-vpnaas/commit/?id=fed1a9b92778df4e65bbe03976573d2c82f94163
Submitter: Jenkins
Branch: master

commit fed1a9b92778df4e65bbe03976573d2c82f94163
Author: Brent Eagles <email address hidden>
Date: Thu Sep 10 10:45:47 2015 -0230

    Set owner to root for ipsec.secrets for LibreSwan

    LibreSwan runs as root and needs access to ipsec.secrets. Currently,
    ipsec.secrets is not owned by root and has 0600 permissions. This patch
    adds a rootwrap filter for the chown operation and sets the
    ipsec.secrets ownership to root.

    Change-Id: I414b5d9285d7a3ba9d3132bce9d7d5e3af43c37f
    Closes-Bug: #1493492

Changed in neutron:
status: In Progress → Fix Committed
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron-vpnaas (stable/kilo)

Fix proposed to branch: stable/kilo
Review: https://review.openstack.org/223530

Brent Eagles (beagles)
tags: added: vpnaas
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to neutron-vpnaas (master)

Related fix proposed to branch: master
Review: https://review.openstack.org/224133

OpenStack Infra (hudson-openstack) wrote : Related fix merged to neutron-vpnaas (master)

Reviewed: https://review.openstack.org/224133
Committed: https://git.openstack.org/cgit/openstack/neutron-vpnaas/commit/?id=d04e5527d97433794a634510fd2f04ee6b579667
Submitter: Jenkins
Branch: master

commit d04e5527d97433794a634510fd2f04ee6b579667
Author: Brent Eagles <email address hidden>
Date: Wed Sep 16 11:38:19 2015 -0230

    Make chown rootwrap filter ipsec.secrets file specific

    The LibreSwan ipsec driver needs to be able to change the ownership of
    generated ipsec.secrets files to root. This modifies the existing
    rootwrap filter to allow chown operations only to be performed on files
    named ipsec.secrets that have the expected UID.

    Change-Id: I1305f9e78eb5fe718f3065e6a9e690293f1fca1d
    Related-bug: #1493492

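Added example (not code from the bug report or from neutron-vpnaas): a small Python model of the two checks discussed above. The first reproduces the condition the bug describes, an ipsec.secrets file that must be owned by root and have no group/other access bits before LibreSwan will use it; the second emulates a file-specific rootwrap-style filter for the chown call, accepting only "chown root <path>" where the path is named ipsec.secrets, contains no ".." components, and is currently owned by the expected unprivileged UID. The function names, the owner_of callback, and the paths used in demo() are assumptions made for this example; the real neutron-vpnaas filter is a rootwrap filter definition, not this code.

```python
import os
import stat
import tempfile

ROOT_UID = 0
SECRETS_NAME = "ipsec.secrets"


def secrets_file_problems(st_uid, st_mode, required_uid=ROOT_UID):
    """Describe why an ipsec.secrets file with this owner and mode would be
    rejected: it must be owned by required_uid (root for LibreSwan) and must
    not be readable or writable by group or others (0600 at most)."""
    problems = []
    if st_uid != required_uid:
        problems.append("owner uid %d, expected %d" % (st_uid, required_uid))
    perms = stat.S_IMODE(st_mode)
    if perms & 0o077:
        problems.append("mode %04o grants group/other access" % perms)
    return problems


def inspect_secrets_file(path, required_uid=ROOT_UID):
    """Stat a real file (without following symlinks) and report its problems."""
    st = os.lstat(path)
    if not stat.S_ISREG(st.st_mode):
        return ["not a regular file"]
    return secrets_file_problems(st.st_uid, st.st_mode, required_uid)


def chown_allowed(argv, expected_uid, owner_of=None):
    """Emulate a file-specific rootwrap-style filter (hypothetical helper).

    Only ``chown root <path>`` is accepted, and only when <path> is absolute,
    is named ipsec.secrets, has no '..' components, and is currently owned by
    expected_uid (the unprivileged service account). ``owner_of`` maps a path
    to its current owner uid and defaults to a real lstat.
    """
    if owner_of is None:
        owner_of = lambda p: os.lstat(p).st_uid
    if len(argv) != 3 or argv[0] != "chown" or argv[1] != "root":
        return False
    path = argv[2]
    if not os.path.isabs(path) or ".." in path.split("/"):
        return False
    if os.path.basename(path) != SECRETS_NAME:
        return False
    try:
        return owner_of(path) == expected_uid
    except OSError:
        return False


def demo():
    """Constructed scenario: the service account has just written the file."""
    me = os.getuid()
    d = tempfile.mkdtemp()
    path = os.path.join(d, SECRETS_NAME)
    other = os.path.join(d, "notsecrets.conf")
    for p in (path, other):
        with open(p, "w") as f:
            f.write("# constructed demo content, not a real secret\n")
        os.chmod(p, 0o600)
    result = {
        # Judged against the writing user, the file is fine for the service...
        "as_written": inspect_secrets_file(path, required_uid=me),
        # ...but judged against root (LibreSwan's expectation) the owner is
        # wrong unless this demo itself happens to run as root.
        "for_libreswan": inspect_secrets_file(path),
        "chown_secrets_allowed": chown_allowed(["chown", "root", path], me),
        "chown_other_allowed": chown_allowed(["chown", "root", other], me),
    }
    os.chmod(path, 0o644)  # loosen the mode to show the second check firing
    result["after_relax"] = inspect_secrets_file(path, required_uid=me)
    for p in (path, other):
        os.unlink(p)
    os.rmdir(d)
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print("%s: %s" % (key, value))
```

Run as a non-root user, demo() reports an owner mismatch for the LibreSwan view of the freshly written file (the situation in this bug) while the filter emulation accepts the chown of that file and refuses the chown of the neighbouring file, which is the narrowing the related fix describes.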
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to neutron-vpnaas (stable/kilo)

Related fix proposed to branch: stable/kilo
Review: https://review.openstack.org/226501

Thierry Carrez (ttx)
Changed in neutron:
milestone: none → liberty-rc1
status: Fix Committed → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron-vpnaas (stable/kilo)

Reviewed: https://review.openstack.org/223530
Committed: https://git.openstack.org/cgit/openstack/neutron-vpnaas/commit/?id=45be2dcf82aa388116f8d58167591c8ca17a2fe5
Submitter: Jenkins
Branch: stable/kilo

commit 45be2dcf82aa388116f8d58167591c8ca17a2fe5
Author: Brent Eagles <email address hidden>
Date: Thu Sep 10 10:45:47 2015 -0230

    Set owner to root for ipsec.secrets for LibreSwan

    LibreSwan runs as root and needs access to ipsec.secrets. Currently,
    ipsec.secrets is not owned by root and has 0600 permissions. This patch
    adds a rootwrap filter for the chown operation and sets the
    ipsec.secrets ownership to root.

    Conflicts:
     neutron_vpnaas/tests/unit/services/vpn/device_drivers/test_ipsec.py

    Closes-Bug: #1493492
    (cherry picked from commit fed1a9b92778df4e65bbe03976573d2c82f94163)
    Change-Id: I414b5d9285d7a3ba9d3132bce9d7d5e3af43c37f

tags: added: in-stable-kilo
OpenStack Infra (hudson-openstack) wrote : Related fix merged to neutron-vpnaas (stable/kilo)

Reviewed: https://review.openstack.org/226501
Committed: https://git.openstack.org/cgit/openstack/neutron-vpnaas/commit/?id=fbda90f02363586c69db1597eeb3ea868d52d0f6
Submitter: Jenkins
Branch: stable/kilo

commit fbda90f02363586c69db1597eeb3ea868d52d0f6
Author: Brent Eagles <email address hidden>
Date: Wed Sep 16 11:38:19 2015 -0230

    Make chown rootwrap filter ipsec.secrets file specific

    The LibreSwan ipsec driver needs to be able to change the ownership of
    generated ipsec.secrets files to root. This modifies the existing
    rootwrap filter to allow chown operations only to be performed on files
    named ipsec.secrets that have the expected UID.

    Change-Id: I1305f9e78eb5fe718f3065e6a9e690293f1fca1d
    Related-bug: #1493492
    (cherry picked from commit d04e5527d97433794a634510fd2f04ee6b579667)

Thierry Carrez (ttx)
Changed in neutron:
milestone: liberty-rc1 → 7.0.0