-
Notifications
You must be signed in to change notification settings - Fork 898
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Run the application as a non root user #20394
Comments
moved to OP |
Technically only RHV requires this, not all smartstate. In addition to reading raw block devices it has to mount nfs shares (also requires root) |
We use file permissions for our DRb unix sockets in |
If we are to support RHV SmartState, it may be cleaner to extract the mounting and reading into a separate service/worker with the appropriate privileges and expose an API for the caller to use. Not saying this is easy, but probably the right direction to isolate interfaces to mount. |
I like adding a socket to communicate with the disk. I'm hoping that we can come up with a solution that makes these parts of the product more container friendly. |
I am moving this comment lower to not distract from the TODO list: To work with containers, we have already defined the privileges needed to run our application. So the job ahead is mostly porting the Kubernetes/OpenShift privileges to SELinux. The MiqServer process running on the VMware appliance also acts as a distributed orchestrator, so this requires adding systemd privileges similar to the ones defined in the Kubernetes privilege profile. Since the webapp is the closest to the end users, it is most vulnerable to attacks and needs to be the most restricted. All privileges required by the webapp are also required by the other roles. It is possible that as we discover more, we may be able to merge some of the roles. Our app has 4 roles with different required privileges:
|
Changed the title slightly so I can search the word "root" on the projects board 😆 |
We're so close to closing this out, propose that we move "Stop Logging to Files" out of this issue, we already resolved the "workers have to run as root in order to write to log files" with having these owned by We already have a separate issue for #21004 we can add that to the roadmap targeting Oparin |
@agrare I can move that out. What about the 2 items under |
@chessbyte I'm not sure about those, we did have to revert ManageIQ/manageiq-appliance#341 since it was causing us to not be able to connect to the database. Maybe @kbrock can correct me but that section looks further than closer to being done |
Split off SSL Database as non-Root to #21722 |
A highly effective approach to mitigating security attacks by users via the API or UI is to run the application as an unprivileged user. This means that even if a vulnerability is exploited it is not possible to get root access to the machine.
Phases:
apache
start automatically from ui and api workers process Declare httpd a requirement dependency of UI and API workers #21325systemd
Declare memcached as a dependency for evmserverd manageiq-appliance#321database.yml
,secrets.yml
,v2_key
lock down all configuration files with passwords #21295root.manageiq
create manageiq user and fix directories manageiq-rpm_build#157manageiq
#21323The text was updated successfully, but these errors were encountered: