Should user's shell be /bin/false?

Bug #890362 reported by Stuart McLaren on 2011-11-14
This bug affects 2 people
Affects          Status  Importance  Assigned to  Milestone
glance (Ubuntu)          Medium      Unassigned
nova (Ubuntu)            Medium      Unassigned

Bug Description

Not a big deal, but:

In swift the 'swift' user has '/bin/false' as its shell:

  root@stratus11:~# finger swift
  Login: swift Name:
  Directory: /home/swift Shell: /bin/false

The 'glance' user is currently created with '/bin/bash':

  root@stratus40:/etc/rsyslog.d# finger glance
  Login: glance Name:
  Directory: /var/lib/glance Shell: /bin/bash

Is '/bin/bash' required or should we switch to '/bin/false'?

Robert Clark (robert-clark) wrote :

I'm not aware of any reason why the Glance user should have a valid shell.

As this isn't an immediate problem that's going to get OpenStack hacked, I'd suggest dropping the security restrictions and pushing this out to the Glance team for verification and fix.

Thierry Carrez (ttx) wrote :

This is not a glance issue (glance does not create users). This is a packaging issue. OK for opening up the bug and pushing out to downstream packagers.

security vulnerability: yes → no
visibility: private → public
affects: glance → glance (Ubuntu)
Thierry Carrez (ttx) wrote :

The /bin/bash shell might be due to the following line in postinst:
  su -c 'glance-manage db_sync' glance

This affects nova as well.

Stuart McLaren (stuart-mclaren) wrote :

Note that current invocations (in the packaging scripts) such as:

  su -c 'glance-manage db_sync' glance
  exec su -c "glance-registry" glance

may not work in the absence of a real shell.

(Swift does a drop_privileges to switch to the 'swift' user).

Stuart McLaren (stuart-mclaren) wrote :

I wonder should glance-api/glance-registry also do a 'drop_privileges' in the same way as swift? This would, for example, allow the daemon to be run without the 'su -c', and allow running on privileged ports (e.g. 443).

Changed in glance (Ubuntu):
importance: Undecided → Low
Thierry Carrez (ttx) wrote :

Stuart: actually you want code to run as underprivileged as possible. Here none of glance (or nova) runs as root, which is good. Only the postinst packaging script (and upstart script) do... So maybe keeping /bin/bash as shell is the best trade-off.

Stuart McLaren (stuart-mclaren) wrote :

> you want code to run as underprivileged as possible

Agreed.

What do you think about this:

We could set glance's shell to /bin/false but use commands such as the following to run the services:

  su -s /bin/sh -c "glance-registry" glance

That way you can't log in as the glance user, but the services still don't require privileges.
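
An added example (not part of the bug thread or the Ubuntu packaging): a POSIX shell check for the condition this bug is about, reporting whether service accounts such as swift, glance and nova have a shell that is listed as a valid login shell. The function name, the sample passwd and shells data, the UIDs and the nova home directory are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify service accounts by whether their passwd shell
# is a valid login shell (one listed in the shells file).
# usage: audit_service_shells PASSWD_FILE SHELLS_FILE USER...
audit_service_shells() {
    passwd_file=$1
    shells_file=$2
    shift 2
    for user in "$@"; do
        # Field 7 of passwd(5) is the shell; an empty field means /bin/sh.
        shell=$(awk -F: -v u="$user" \
            '$1 == u { print ($7 == "" ? "/bin/sh" : $7); exit }' "$passwd_file")
        if [ -z "$shell" ]; then
            echo "$user MISSING"
        elif grep -qxF -- "$shell" "$shells_file"; then
            echo "$user LOGIN $shell"      # candidate for: usermod -s /bin/false
        else
            echo "$user NOLOGIN $shell"    # daemons need: su -s /bin/sh -c ...
        fi
    done
}

# Constructed sample data (UIDs and the nova entry are made up for the demo).
sample_dir=$(mktemp -d)
cat > "$sample_dir/passwd" <<'EOF'
swift:x:110:118::/home/swift:/bin/false
glance:x:111:119::/var/lib/glance:/bin/bash
nova:x:112:120::/var/lib/nova:/bin/bash
EOF
cat > "$sample_dir/shells" <<'EOF'
# valid login shells
/bin/sh
/bin/bash
EOF

audit_service_shells "$sample_dir/passwd" "$sample_dir/shells" swift glance nova
```

On a real host, pass /etc/passwd and /etc/shells. An account reported as NOLOGIN can still have its daemon started by root with the `su -s /bin/sh -c ...` form proposed above.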

Dave Walker (davewalker) on 2011-11-26
Changed in nova (Ubuntu):
milestone: none → precise-alpha-1
Changed in glance (Ubuntu):
milestone: none → precise-alpha-1
Changed in nova (Ubuntu):
importance: Undecided → Medium
Changed in glance (Ubuntu):
importance: Low → Medium
Changed in nova (Ubuntu):
status: New → Confirmed
Changed in glance (Ubuntu):
status: New → Confirmed
Dave Walker (davewalker) on 2011-12-01
Changed in glance (Ubuntu):
milestone: precise-alpha-1 → precise-alpha-2
Changed in nova (Ubuntu):
milestone: precise-alpha-1 → precise-alpha-2
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package glance - 2012.1~e2~20111209.1132-0ubuntu1

---------------
glance (2012.1~e2~20111209.1132-0ubuntu1) precise; urgency=low

  * debian/glance.postinst, debian/glance.glance-api.upstart,
    glance.glance-registry.upstart: Switch shell to /bin/false.
    (LP: #890362)
 -- Chuck Short <email address hidden> Fri, 09 Dec 2011 15:34:33 -0500

Changed in glance (Ubuntu):
status: Confirmed → Fix Released
summary: - Should glance user's shell be /bin/false?
+ Should nova user's shell be /bin/false?
Thierry Carrez (ttx) on 2012-01-04
summary: - Should nova user's shell be /bin/false?
+ Should user's shell be /bin/false?
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package nova - 2012.1~e4~20120203.12454-0ubuntu1

---------------
nova (2012.1~e4~20120203.12454-0ubuntu1) precise; urgency=low

  [ Adam Gandelman ]
  [Chuck Short]
  * New upstream version.
  * debian/control: Replace m2crpto with python-crypto.
    (LP: #917851)
  * debian/*.upstart.in, debian/nova-common.postinst,
    debian/nova_sudoers: Change default shell to /bin/false.
    (LP: #890362)

  [Adam Gandleman]
  * debian/nova-common.{install, postinst}: Install policy.json on all
    Nova nodes (LP: #923817)
  * debian/rules: Remove installation of policy.json (moved to nova-common),
    point to the correct upstream git repository.
 -- Chuck Short <email address hidden> Fri, 03 Feb 2012 09:03:12 -0500

Changed in nova (Ubuntu):
status: Confirmed → Fix Released