Privilege drop/escalation does not pick up secondary UNIX groups

Bug #1269473 reported by David Moreau Simard
Affects: OpenStack Object Storage (swift)
Status: Fix Released
Importance: Undecided
Assigned to: Unassigned

Bug Description

Related bug: https://bugs.launchpad.net/ceilometer/+bug/1262264

This issue was found when trying to configure the ceilometer middleware for swift.
When you add ceilometer to the pipeline, swift attempts to read /etc/ceilometer/ceilometer.conf.

- /etc/ceilometer is by default 750, ceilometer:ceilometer
- /etc/ceilometer/ceilometer.conf is by default 640, ceilometer:ceilometer

A secure way of granting swift privileges to read into the folder and ceilometer.conf is to add swift to the ceilometer group.
If you do that, however, swift-proxy is not granted access to the file:
[pid 19619] stat("/etc/ceilometer/ceilometer.conf", 0x7fffa4540430) = -1 EACCES (Permission denied)

If you change the swift user's primary group to ceilometer, or grant read permission bits to "Everyone", it is able to access the file.

It was found by Hans Petrie that drop_privileges from common/utils.py does not seem to pick up secondary groups:
https://bugs.launchpad.net/ceilometer/+bug/1262264/comments/9
https://bugs.launchpad.net/ceilometer/+bug/1262264/comments/11

I am sure you can agree that while this bug has occurred in the context of ceilometer, this could potentially affect other projects or use cases as well.

I am convinced this should be fixed so that I am not forced to consider insecure permissions.

clayg (clay-gerrard) wrote :
David Moreau Simard (dmsimard) wrote :

@clayg good call, this is the same thing that Hans Petrie suggested in the referenced ceilometer bug.

I made some tests on my end and this does seem like a proper solution. I submitted https://review.openstack.org/#/c/67905/.

OpenStack Infra (hudson-openstack) wrote : Fix merged to swift (master)

Reviewed: https://review.openstack.org/67905
Committed: https://git.openstack.org/cgit/openstack/swift/commit/?id=c656e1894918d774fa841214f2e00af8a4a66b44
Submitter: Jenkins
Branch: master

commit c656e1894918d774fa841214f2e00af8a4a66b44
Author: David Moreau Simard <email address hidden>
Date: Mon Jan 20 13:30:58 2014 -0500

    Add secondary groups to user during privilege escalation

    setgid provides the primary group, setgroups sets the secondary
    groups. Prior to this patch, we would do a setgroups with an empty
    list, effectively wiping secondary groups. We now verify which
    secondary groups the user is member of and escalate the privileges
    accordingly.

    Change-Id: I33a10edd448b3ac5aa758a8d1d70e582cf421c7d
    Closes-Bug: 1269473

Changed in swift:
status: New → Fix Committed
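The behaviour the commit message describes, as an added example that is not Swift's own code: the pre-patch drop called setgroups with an empty list and so kept only the primary GID, while a correct drop collects the user's supplementary groups from the group database before calling setgroups, then setgid, then setuid. The GroupEntry stand-in, SAMPLE_GROUPS and the GIDs 160/161/4/10 are constructed here so the lookup can be exercised offline without root.

```python
"""Added example (not Swift's code): privilege drop that keeps secondary groups."""
import grp
import os
import pwd
from collections import namedtuple

# Minimal stand-in for grp.struct_group so a constructed /etc/group can be
# used in place of the live one (no root or real accounts needed).
GroupEntry = namedtuple("GroupEntry", "gr_name gr_passwd gr_gid gr_mem")

# Constructed sample group database mirroring the report: the swift user has
# been added to the ceilometer group as a secondary member.
SAMPLE_GROUPS = [
    GroupEntry("swift", "x", 160, []),
    GroupEntry("ceilometer", "x", 161, ["swift"]),
    GroupEntry("adm", "x", 4, ["root", "swift"]),
    GroupEntry("wheel", "x", 10, ["root"]),
]


def secondary_gids(username, primary_gid, group_db=None):
    """GIDs the process should hold after the drop: the primary GID plus
    every group whose member list names the user (what initgroups does)."""
    if group_db is None:
        group_db = grp.getgrall()  # live /etc/group on this host
    gids = {primary_gid}
    gids.update(g.gr_gid for g in group_db if username in g.gr_mem)
    return sorted(gids)


def gids_before_fix(primary_gid):
    """Pre-patch result: setgroups([]) wiped every secondary group, so only
    the primary GID set by setgid() remained."""
    return [primary_gid]


def can_read_group_file(file_gid, held_gids):
    """Model the 640 ceilometer:ceilometer check from the report: the group
    read bit only helps if the file's GID is among the process's groups."""
    return file_gid in held_gids


def drop_privileges(username, group_db=None):
    """Switch the process to `username` while keeping its secondary groups.
    Needs root to actually change credentials; order matters: supplementary
    groups first, then GID, then UID (after setuid none of these can be redone)."""
    pw = pwd.getpwnam(username)
    os.setgroups(secondary_gids(pw.pw_name, pw.pw_gid, group_db))
    os.setgid(pw.pw_gid)
    os.setuid(pw.pw_uid)
```

With the sample database, the fixed path holds GIDs [4, 160, 161] and can read a file owned by group 161, whereas the pre-fix path holds only [160] and gets the EACCES shown in the report.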
OpenStack Infra (hudson-openstack) wrote : Fix proposed to swift (feature/ec)

Fix proposed to branch: feature/ec
Review: https://review.openstack.org/70442

Thierry Carrez (ttx)
Changed in swift:
milestone: none → 1.13.0
status: Fix Committed → Fix Released