neutron is not dropping radvd privileges
Bug #1777922 reported by Antonio Ojea
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| neutron | Fix Released | High | Antonio Ojea | |
Bug Description
neutron is not dropping radvd's privileges, so radvd runs with full privileges, which can be considered a serious risk.
In addition, some distributions like SUSE run the radvd process as a non-privileged user by default, causing radvd to fail to daemonize because it can't write its pid in the corresponding neutron folder, which breaks the IPv6 functionality.
Changed in neutron:
assignee: nobody → Antonio Ojea (itsuugo)
status: New → In Progress
description: updated
Changed in neutron:
importance: Undecided → High
tags: added: ipv6 pike-backport-potential queens-backport-potential
tags: added: neutron-proactive-backport-potential
Reviewed: https://review.openstack.org/576923
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=9f2b40f2cecc116906e77d69797c0c6877bd5b4d
Submitter: Zuul
Branch: master
commit 9f2b40f2cecc116906e77d69797c0c6877bd5b4d
Author: aojeagarcia <email address hidden>
Date: Wed Jun 20 18:53:36 2018 +0200
Dropping radvd process privileges
radvd needs to run as root, but has the capability to drop privileges on
Linux hosts. Currently, the radvd process is not using this feature and
this can be considered a serious risk.
In addition, on some distributions like SUSE the radvd process runs as a
non-privileged user by default, causing radvd to fail to daemonize
because it can't write the pid in the corresponding neutron folder, which
breaks the IPv6 functionality.
This patch allows the radvd process to run with the same user used by
neutron. In order to allow this, it changes the radvd config file
permissions to 444 because radvd doesn't allow this file to be
writeable by self/group. The read-only mode is not a problem for updating the
file because of the way the neutron_lib replace_file function handles
the file operations.
Closes-Bug: #1777922
Change-Id: Ic5d976ba71a966a537d1f31888f82997a7ccb0de
Signed-off-by: aojeagarcia <email address hidden>
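The commit message relies on two facts that are easy to misread: radvd refuses a config file that is writable by the user running it, and a 444 file can nonetheless be updated if the writer replaces it by renaming a temp file into place rather than opening it for writing. The example below is added here to show that interplay on a POSIX host; it is not neutron's or neutron_lib's code, the radvd.conf bodies are constructed, and `replace_file`/`config_is_readonly` are illustrative names.

```python
import os
import stat
import tempfile

# Constructed radvd.conf bodies used as sample input for this example.
CONF_V1 = "interface qr-example {\n    AdvSendAdvert on;\n};\n"
CONF_V2 = "interface qr-example {\n    AdvSendAdvert on;\n    MinRtrAdvInterval 3;\n};\n"

def replace_file(path, content, mode=0o444):
    """Write to a temp file in the target's directory, set its mode, rename it
    over the target. rename needs write permission on the directory only, so a
    read-only (0444) target is replaced without ever being opened for writing."""
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp_path = tempfile.mkstemp(dir=directory)
    try:
        with os.fdopen(fd, "w") as tmp:
            tmp.write(content)
        os.chmod(tmp_path, mode)      # explicit mode, independent of umask
        os.replace(tmp_path, path)    # atomic on POSIX
    except OSError:
        if os.path.exists(tmp_path):
            os.unlink(tmp_path)
        raise

def config_is_readonly(path):
    """True when no write bit is set, i.e. the 444 state the commit relies on
    so radvd accepts a config file owned by the unprivileged neutron user."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return not (mode & (stat.S_IWUSR | stat.S_IWGRP | stat.S_IWOTH))

def demo():
    """Write the config twice and report what a deployer would check:
    the file stays 0444 and the second version still lands."""
    with tempfile.TemporaryDirectory() as tmpdir:
        conf = os.path.join(tmpdir, "radvd.conf")
        replace_file(conf, CONF_V1)
        first_readonly = config_is_readonly(conf)
        replace_file(conf, CONF_V2)   # target is 0444 here; still replaced
        with open(conf) as f:
            final = f.read()
        return {
            "readonly_after_first_write": first_readonly,
            "readonly_after_second_write": config_is_readonly(conf),
            "mode": oct(stat.S_IMODE(os.stat(conf).st_mode)),
            "updated": final == CONF_V2,
        }

if __name__ == "__main__":
    print(demo())
```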