strawman - make the agents not run as root
David Cheney
david.cheney at canonical.com
Tue Dec 17 03:49:38 UTC 2013
Hi Tim,

I agree this makes good security sense, but I fear it is too late to
address this.

In short, charms expect to run as root. We cannot change that, and in fact
we have had bugs which have been closed as WontFix when charm authors
change users during hook execution. That behavior is pretty much set in
stone.

So, what remains? Running the agents as a 'juju' user should be attractive,
but that user would have to have permission to do all its operations
preparing the charm directory as uid 0 (or face an uphill battle of file
system permissions). The hooks themselves would need to be executed via
sudo, which may (must?) imply the juju user is configured not to request a
password. That does give us an entry in the audit log for every hook
invocation, but we already have that in the unit agent log.

I hope there is something I have overlooked, but I'm reasonably certain
this is not something that can be added in a backwards compatible way.

Cheers

Dave

On Tue, Dec 17, 2013 at 2:39 PM, Tim Penhey <tim.penhey at canonical.com> wrote:
> Hi folks,
>
> We have been telling people for ever not to run things as root. Most
> packages that run system things create users for that purpose.
>
> Every time I think of our machine and unit agents running as root, I end
> up feeling a little guilty. Why is this fine for us?
>
> However, we can't just make a change and expect everything to work.
>
> Firstly there are the charms, they expect "apt-get install" to work, and
> if we change our user, it won't.
>
> A suggestion would be to make an option for environment to use non-root
> users for the agents, and default it to false. This would allow us to
> create environments where we do have non-root users and at least make
> sure all our stuff works.
>
> Then we could move to a QA mode where all charms get tested to make sure
> that for any privileged action, it uses 'sudo'. This gives us
> privileged action logging.
>
> What are your thoughts?
>
> Tim
>
> --
> Juju-dev mailing list
> Juju-dev at lists.ubuntu.com
> Modify settings or unsubscribe at:
> https://lists.ubuntu.com/mailman/listinfo/juju-dev
>