Privilege drop/escalation does not pick up secondary UNIX groups
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
OpenStack Object Storage (swift) | Fix Released | Undecided | Unassigned | |
Bug Description
Related bug: https:/
This issue was found when trying to configure the ceilometer middleware for swift.
When you add ceilometer to the pipeline, swift attempts to read /etc/ceilometer
- /etc/ceilometer is by default 750, ceilometer:
- /etc/ceilometer
A secure way of granting swift privileges to read into the folder and ceilometer.conf is to add swift to the ceilometer group.
If you do that, however, swift-proxy is not granted access to the file:
[pid 19619] stat("/
If you change the swift user's primary group to ceilometer, or grant read permission bits to "Everyone", it is able to access the file.
It was found by Hans Petrie that drop_privileges from common/utils.py does not seem to pick up secondary groups:
https:/
https:/
I am sure you can agree that while this bug has occurred in the context of ceilometer, this could potentially affect other projects or use cases as well.
I am convinced this should be fixed so that I am not forced to consider unsecure permissions.
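The failure described in this report, as an added example (not swift's code and not part of the original report): a simplified model of the read-permission check shows why a process whose supplementary group list lacks ceilometer is denied on a 750 directory, and `drop_privileges` sketches a drop that keeps secondary groups via `os.initgroups`. The UIDs, GIDs and group table are constructed sample values, and `supplementary_gids` and `can_read` are hypothetical helper names.

```python
import grp
import os
import pwd
from collections import namedtuple

# Constructed sample group database (not read from a real system).
Group = namedtuple("Group", "gr_name gr_gid gr_mem")
SAMPLE_GROUPS = [
    Group("swift", 160, []),
    Group("ceilometer", 166, ["swift"]),   # swift added as a secondary member
    Group("adm", 4, ["syslog"]),
]


def supplementary_gids(user, primary_gid, groups=None):
    """GIDs the user should hold after the drop: primary plus every group listing the user."""
    groups = grp.getgrall() if groups is None else groups
    gids = {g.gr_gid for g in groups if user in g.gr_mem}
    gids.add(primary_gid)
    return sorted(gids)


def can_read(mode, owner_uid, owner_gid, uid, gid, groups):
    """Simplified POSIX read check for a non-root process (no ACLs)."""
    if uid == owner_uid:
        return bool(mode & 0o400)
    if gid == owner_gid or owner_gid in groups:
        return bool(mode & 0o040)
    return bool(mode & 0o004)


def drop_privileges(user):
    """Drop from root to `user`, keeping the user's secondary groups."""
    pw = pwd.getpwnam(user)
    if os.geteuid() == 0:
        # initgroups() reads the group database; it must run while still root.
        os.initgroups(pw.pw_name, pw.pw_gid)
    os.setgid(pw.pw_gid)   # group first: after setuid() it can no longer be changed
    os.setuid(pw.pw_uid)
    # Confirm the drop took effect before continuing.
    if os.getuid() != pw.pw_uid or os.getgid() != pw.pw_gid:
        raise RuntimeError("privilege drop failed")
    return os.getgroups()
```

After a real drop, comparing the list returned by `drop_privileges` with `supplementary_gids(user, primary_gid)` is a quick check that group membership survived.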
Changed in swift:
milestone: none → 1.13.0
status: Fix Committed → Fix Released
I fixed that once!
https://groups.google.com/forum/#!topic/paste-users/KqZRujMcJHE