Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Drop privileges to user pelican if requested #1850

Open
wants to merge 3 commits into
base: main
Choose a base branch
from
Open

Drop privileges to user pelican if requested #1850

wants to merge 3 commits into from

Conversation

bbockelm
Copy link
Collaborator

This drafts out an approach to having the pelican server process run unprivileged after initial startup. Components:

  1. This is enabled/disabled by configuration parameters, Server.DropPrivileges and currently defaults to false.
  2. The configuration now tracks a new user object, the "Pelican" user (defaulting to pelican). This represents the target daemon user the process will be run as once the permissions are dropped.
  3. The beginnings of marking the various configuration & runtime directories/files of the service as belonging to the pelican user.
  4. Infrastructure to signal to the xrootd process to either send itself a signal or make a copy of the file descriptor.
  5. Image build infrastructure for the new plugin. To make the final PR smaller, this item could be pulled out into a separate PR.
  6. Finally, actually dropping the privileges to the pelican user after launch is almost complete.

TODO items:

  • Open a separate issue to handle the RPM-side of the changes. We've now grown a new dependency on an XRootD plugin and need to get the OSG packaging in a similar condition.
  • Actually test the signaling between pelican and the new xrootd plugin. I'm simply showing this as the draft of the approach so it can be handed off to @h2zh. I expect this is going to need bugfixes.
  • More thorough investigation of file ownership.
  • Write a unit test that, when run as root, will fork off a separate process and run a "federation in a box" with drop privileges enabled. Check the functionality of host certificate updates, shutdown signaling, and the ownership of directories is as expected.

@bbockelm
Add new config infrastructure for dropping to pelican user
258d77b 
This introduces new parameters for dropping to a lower-privileged
`pelican` user when running as root and the first round of directory
ownership changes.

The goal is that, when run as root and drop-priv is enabled, all
Pelican directories and config files are owned by the pelican user.
Otherwise, they'll continue to be owned as root.
@bbockelm bbockelm added critical High priority for next release cache Issue relating to the cache component origin Issue relating to the origin component director Issue relating to the director component registry Issue relating to the registry component security labels Dec 23, 2024
@bbockelm bbockelm added this to the v7.13.0 milestone Dec 23, 2024
@bbockelm
When dropping privileges, enable and use the xrdhttp-pelican plugin
f673f37 
The plugin provides a means for an unprivileged process (namely, `pelican`)
to request xrootd send itself a signal via a Unix socket and to copy
the host cert via a sent file descriptor.

This refactors the launcher kill logic so the plugin can be used instead
of the traditional signal-based approach.
@bbockelm
If needed, drop privileges to pelican after startup of server
df74ae1
@bbockelm bbockelm mentioned this pull request Dec 23, 2024
Open
matyasselmeci
matyasselmeci reviewed Dec 26, 2024
View reviewed changes
images/Dockerfile
@@ -57,7 +57,7 @@ RUN yum -y update \
####
FROM dependency-build AS xrootd-plugin-builder
# Install necessary build dependencies
RUN yum install -y --enablerepo=osg-testing xrootd-devel xrootd-server-devel xrootd-client-devel curl-devel openssl-devel git cmake3 gcc-c++ sqlite-devel
RUN yum install -y --enablerepo=osg-testing xrootd-devel xrootd-server-devel xrootd-client-devel xrootd-private-devel curl-devel openssl-devel git cmake3 gcc-c++ sqlite-devel
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not a big fan of depending on a private API. If we absolutely need that class, we should get the developers to make it public, otherwise this is going to break when we least expect it.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@matyasselmeci matyasselmeci matyasselmeci left review comments

At least 1 approving review is required to merge this pull request.

Assignees

@h2zh h2zh

Labels
cache Issue relating to the cache component critical High priority for next release director Issue relating to the director component origin Issue relating to the origin component registry Issue relating to the registry component security
Projects
None yet
Milestone
v7.13.0
Development

Successfully merging this pull request may close these issues.
3 participants
@bbockelm @matyasselmeci @h2zh