Privilege drop/escalation does not pick up secondary UNIX groups

Bug #1269473 reported by David Moreau Simard on 2014-01-15
This bug affects 2 people
Affects Status Importance Assigned to Milestone
OpenStack Object Storage (swift)

Bug Description

Related bug:

This issue was found when trying to configure the ceilometer middleware for swift.
When you add ceilometer to the pipeline, swift attempts to read /etc/ceilometer/ceilometer.conf.

- /etc/ceilometer is by default 750, ceilometer:ceilometer
- /etc/ceilometer/ceilometer.conf is by default 640, ceilometer:ceilometer

A secure way of granting swift privileges to read into the folder and ceilometer.conf is to add swift to the ceilometer group.
If you do that, however, swift-proxy is not granted access to the file:
[pid 19619] stat("/etc/ceilometer/ceilometer.conf", 0x7fffa4540430) = -1 EACCES (Permission denied)

If you change the swift user's primary group to ceilometer, or grant read permission bits to "Everyone", it is able to access the file.

It was found by Hans Petrie that drop_privileges from common/ does not seem to pick up secondary groups:

I am sure you can agree that while this bug has occured in the context of ceilometer, this could potentially affect other projects or use cases as well.

I am convinced this should be fixed so that I am not forced to consider unsecure permissions.

David Moreau Simard (dmsimard) wrote :

@clayg good call, this is the same thing that Hans Petrie suggested in the referenced ceilometer bug.

I made some tests on my end and this does seem like a proper solution. I submitted

Submitter: Jenkins
Branch: master

commit c656e1894918d774fa841214f2e00af8a4a66b44
Author: David Moreau Simard <email address hidden>
Date: Mon Jan 20 13:30:58 2014 -0500

    Add secondary groups to user during privilege escalation

    setgid provides the primary group, setgroups sets the secondary
    groups. Prior to this patch, we would do a setgroups with an empty
    list, effectively wiping secondary groups. We now verify which
    secondary groups the user is member of and escalate the privileges

    Change-Id: I33a10edd448b3ac5aa758a8d1d70e582cf421c7d
    Closes-Bug: 1269473

Changed in swift:
status: New → Fix Committed
Thierry Carrez (ttx) on 2014-02-25
Changed in swift:
milestone: none → 1.13.0
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers