neutron is not dropping radvd privileges

Bug #1777922 reported by Antonio Ojea
Affects: neutron    Status: Fix Released    Importance: High    Assigned to: Antonio Ojea    Milestone: (none)

Bug Description

neutron is not dropping the radvd privileges, which causes radvd to run with full privileges; that can be considered a serious risk.
In addition, some distributions like SUSE run the radvd process as a non-privileged user by default, causing radvd to fail to daemonize because it can't write the pid in the corresponding neutron folder, which breaks the IPv6 functionality.

Antonio Ojea (aojea)
Changed in neutron:
assignee: nobody → Antonio Ojea (itsuugo)
status: New → In Progress
description: updated
Changed in neutron:
importance: Undecided → High
tags: added: ipv6 pike-backport-potential queens-backport-potential
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (master)

Reviewed: https://review.openstack.org/576923
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=9f2b40f2cecc116906e77d69797c0c6877bd5b4d
Submitter: Zuul
Branch: master

commit 9f2b40f2cecc116906e77d69797c0c6877bd5b4d
Author: aojeagarcia <email address hidden>
Date: Wed Jun 20 18:53:36 2018 +0200

    Dropping radvd process privileges

    radvd needs to run as root, but has the capability to drop privileges on
    Linux hosts. Currently, the radvd process is not using this feature and
    this can be considered a serious risk.

    In addition, in some distributions like SUSE, the radvd process runs as a
    non-privileged user by default, causing radvd to fail to daemonize
    because it can't write the pid in the corresponding neutron folder and
    breaking the IPv6 functionality.

    This patch allows the radvd process to run with the same user used by
    neutron. In order to allow this, it changes the radvd config file
    permissions to 444 because radvd doesn't allow this file to be
    writable by self/group. The read-only mode is not a problem when updating
    the file because of the way the neutron_lib replace_file function handles
    the file operations.

    Closes-Bug: #1777922

    Change-Id: Ic5d976ba71a966a537d1f31888f82997a7ccb0de
    Signed-off-by: aojeagarcia <email address hidden>
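
The commit message above describes two mechanisms: radvd itself dropping root after start-up, and a read-only (0444) config file that neutron can still update because the file is replaced rather than opened for writing. The following is an added example, not neutron's or neutron_lib's code, that works through both points so the behaviour can be checked on any Linux box. The `replace_file` helper is modelled on the write-to-a-temporary-file-then-rename pattern the commit message credits to neutron_lib; `writable_by_owner_or_group` reproduces the self/group-writable check radvd applies to its config; and `radvd_argv` uses radvd's documented `-C`, `-p` and `-u` options, with the assumption that this is how the neutron user is handed to radvd (the page only states that the process runs as the neutron user). The interface name, prefixes, user name and directory are constructed sample values.

```python
import os
import stat
import tempfile

# Constructed sample value; a real deployment uses the user neutron runs as.
SAMPLE_USER = "neutron"


def render_radvd_config(interface, prefixes):
    """Render a minimal radvd.conf for one interface (real radvd syntax)."""
    lines = ["interface %s" % interface, "{", "   AdvSendAdvert on;"]
    for prefix in prefixes:
        lines += ["   prefix %s" % prefix, "   {", "      AdvOnLink on;",
                  "      AdvAutonomous on;", "   };"]
    lines += ["};", ""]
    return "\n".join(lines)


def replace_file(path, data, mode=0o444):
    """Atomically install `data` at `path` with the given mode.

    Assumed helper modelled on the write-temp-then-rename pattern the commit
    message credits to neutron_lib's replace_file; not neutron_lib's own code.
    The existing read-only file is never opened for writing: the new content
    goes to a temporary file in the same directory, which then replaces the
    old one with a single rename(2).
    """
    dirname = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(dir=dirname, prefix=".radvd.conf.")
    try:
        with os.fdopen(fd, "w") as f:
            f.write(data)
        os.chmod(tmp, mode)          # explicit mode, independent of umask
        os.rename(tmp, path)         # atomic replace on POSIX
    finally:
        if os.path.exists(tmp):      # only left behind if something failed
            os.unlink(tmp)


def writable_by_owner_or_group(path):
    """The check radvd applies: refuse a config that self or group can write."""
    return bool(os.stat(path).st_mode & (stat.S_IWUSR | stat.S_IWGRP))


def radvd_argv(config_path, pid_path, username):
    """Command line that makes radvd drop root for `username` after start-up.

    -C, -p and -u are radvd's documented options; that neutron passes exactly
    these is an assumption, the page only says the process runs as its user.
    """
    return ["radvd", "-C", config_path, "-p", pid_path, "-u", username]


def demo():
    """Write, then update, a radvd config and return what a practitioner
    would verify: modes, content, radvd's acceptance, and no temp litter."""
    workdir = tempfile.mkdtemp(prefix="ra-")   # stand-in for neutron's ra dir
    conf = os.path.join(workdir, "radvd.conf")
    pid = os.path.join(workdir, "radvd.pid")

    replace_file(conf, render_radvd_config("qr-1", ["2001:db8:1::/64"]))
    first_mode = stat.S_IMODE(os.stat(conf).st_mode)

    # Second write succeeds although the target is 0444, because a fresh file
    # is renamed over it instead of the target being opened for writing.
    replace_file(conf, render_radvd_config(
        "qr-1", ["2001:db8:1::/64", "2001:db8:2::/64"]))
    second_mode = stat.S_IMODE(os.stat(conf).st_mode)
    with open(conf) as f:
        prefixes = sum(1 for line in f if line.lstrip().startswith("prefix "))

    # Contrast: an owner-writable 0644 config is exactly what radvd rejects.
    loose = os.path.join(workdir, "loose.conf")
    replace_file(loose, "interface qr-1 { AdvSendAdvert on; };\n", mode=0o644)

    result = {
        "first_mode": first_mode,
        "second_mode": second_mode,
        "prefixes_after_update": prefixes,
        "strict_rejected": writable_by_owner_or_group(conf),
        "loose_rejected": writable_by_owner_or_group(loose),
        "argv": radvd_argv(conf, pid, SAMPLE_USER),
        "leftover_temp_files": [n for n in os.listdir(workdir)
                                if n.startswith(".radvd.conf.")],
    }
    for name in os.listdir(workdir):           # tidy up the scratch directory
        os.unlink(os.path.join(workdir, name))
    os.rmdir(workdir)
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-22s %s" % (key, value))
```

Running the module shows the config keeps mode 0444 across updates, that radvd's writability check accepts it and rejects the 0644 variant, and that no temporary file is left behind; the same checks (`stat -c %a` on the config and `ps -o user= -C radvd` on the host) are what an operator would run to confirm a deployment carries this fix.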

Changed in neutron:
status: In Progress → Fix Released
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (stable/queens)

Fix proposed to branch: stable/queens
Review: https://review.openstack.org/578161

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (stable/pike)

Fix proposed to branch: stable/pike
Review: https://review.openstack.org/578167

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (stable/pike)

Reviewed: https://review.openstack.org/578167
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=e6c63513de5f715437b03d8718b06f496a1e1646
Submitter: Zuul
Branch: stable/pike

commit e6c63513de5f715437b03d8718b06f496a1e1646
Author: aojeagarcia <email address hidden>
Date: Wed Jun 20 18:53:36 2018 +0200

    Dropping radvd process privileges

    radvd needs to run as root, but has the capability to drop privileges on
    Linux hosts. Currently, the radvd process is not using this feature and
    this can be considered a serious risk.

    In addition, in some distributions like SUSE, the radvd process runs as a
    non-privileged user by default, causing radvd to fail to daemonize
    because it can't write the pid in the corresponding neutron folder and
    breaking the IPv6 functionality.

    This patch allows the radvd process to run with the same user used by
    neutron. In order to allow this, it changes the radvd config file
    permissions to 444 because radvd doesn't allow this file to be
    writable by self/group. The read-only mode is not a problem when updating
    the file because of the way the neutron_lib replace_file function handles
    the file operations.

    Closes-Bug: #1777922

    Change-Id: Ic5d976ba71a966a537d1f31888f82997a7ccb0de
    Signed-off-by: aojeagarcia <email address hidden>
    (cherry picked from commit 9f2b40f2cecc116906e77d69797c0c6877bd5b4d)

tags: added: in-stable-pike
tags: added: neutron-proactive-backport-potential
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (stable/queens)

Reviewed: https://review.openstack.org/578161
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=11e604a55058eaf368e64e4c72bf1cba88904517
Submitter: Zuul
Branch: stable/queens

commit 11e604a55058eaf368e64e4c72bf1cba88904517
Author: aojeagarcia <email address hidden>
Date: Wed Jun 20 18:53:36 2018 +0200

    Dropping radvd process privileges

    radvd needs to run as root, but has the capability to drop privileges on
    Linux hosts. Currently, the radvd process is not using this feature and
    this can be considered a serious risk.

    In addition, in some distributions like SUSE, the radvd process runs as a
    non-privileged user by default, causing radvd to fail to daemonize
    because it can't write the pid in the corresponding neutron folder and
    breaking the IPv6 functionality.

    This patch allows the radvd process to run with the same user used by
    neutron. In order to allow this, it changes the radvd config file
    permissions to 444 because radvd doesn't allow this file to be
    writable by self/group. The read-only mode is not a problem when updating
    the file because of the way the neutron_lib replace_file function handles
    the file operations.

    Closes-Bug: #1777922

    Change-Id: Ic5d976ba71a966a537d1f31888f82997a7ccb0de
    Signed-off-by: aojeagarcia <email address hidden>
    (cherry picked from commit 9f2b40f2cecc116906e77d69797c0c6877bd5b4d)

tags: added: in-stable-queens
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron 13.0.0.0b3

This issue was fixed in the openstack/neutron 13.0.0.0b3 development milestone.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron 12.0.4

This issue was fixed in the openstack/neutron 12.0.4 release.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron 11.0.6

This issue was fixed in the openstack/neutron 11.0.6 release.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (stable/ocata)

Fix proposed to branch: stable/ocata
Review: https://review.openstack.org/625288

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Change abandoned on neutron (stable/ocata)

Change abandoned by Antonio Ojea (<email address hidden>) on branch: stable/ocata
Review: https://review.openstack.org/625288
