Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix file ownership for tighter security [JIRA: TOOLS-232] [JIRA: RIAK-2381] #196

Merged
merged 17 commits into from
Mar 18, 2016
Merged

fix file ownership for tighter security [JIRA: TOOLS-232] [JIRA: RIAK-2381] #196

merged 17 commits into from
Mar 18, 2016

Conversation

JeetKunDoug
Copy link
Contributor

Need to audit file ownership across packages in general - follow conventions of other packages and install as few things as possible as riak:riak (since most systems install executables/libraries as root:root or root:wheel)

Specific issues found:

init.d script in RPM should be owned by root:root not riak:riak - can create a potential security issue.
As a workaround, you should ensure that your init.d scripts are owned by root:root not riak:riak.

on FreeBSD systems using older pkg_add (vs. pkgng) /usr/local/sbin/riak should be owned by root:wheel rather than {{package_install_user}}:{{package_install_group}}

Many installers install most/all of the riak binaries/libraries as riak:riak - change to root:wheel, root:bin, or root:root where appropriate

  • For each OS, build package, install, check permissions on all files (especially executables). Only riak-writable files should be data/log directories, and the home directory of the riak user, as the .erlang.cookie file is written wherever the riak user's home directory is. There were several packages that had set it to be {{platform_base_dir}} rather than {{platform_data_dir}}, and {{platform_base_dir}} really should not be writable to the service user. Make sure that any configuration files are readable by riak - in a few cases, this means group riak with appropriate (640) permissions - in others, the default is to install 644 so the files are world-readable. Not changing this for now.
  • run riak start and make sure it starts cleanly.
  • run riak-admin ping
  • run riak-admin test to make sure you can actually write/read data
  • run riak-admin attach-direct

Todo list for testing:

  • FreeBSD 9
  • FreeBSD 10
  • One RPM-based system (Centos 7)
  • One deb-based system (Ubuntu 14)
  • SmartOS (tested latest)
  • Solaris (tested 11)

@Basho-JIRA Basho-JIRA changed the title fix file ownership on init.d script Review submitted PR [JIRA: TOOLS-231] Feb 18, 2016
@JeetKunDoug JeetKunDoug changed the title Review submitted PR [JIRA: TOOLS-231] fix file ownership on init.d script [JIRA: TOOLS-231] Feb 18, 2016
@JeetKunDoug
Copy link
Contributor Author

create jira issue

@Basho-JIRA Basho-JIRA changed the title fix file ownership on init.d script [JIRA: TOOLS-231] fix file ownership on init.d script [JIRA: TOOLS-231] [JIRA: TOOLS-232] Feb 18, 2016
@kuenishi kuenishi mentioned this pull request Feb 18, 2016
Closed
@jonmeredith
Copy link

Are you planning on fixing perms on other platforms too?

@JeetKunDoug
Copy link
Contributor Author

Yes, other affected platforms will be fixed - just working out some details on which ones need it internally.

@kesslerm kesslerm mentioned this pull request Mar 3, 2016
Closed
@JeetKunDoug JeetKunDoug changed the title fix file ownership on init.d script [JIRA: TOOLS-231] [JIRA: TOOLS-232] fix file ownership on init.d script [JIRA: TOOLS-232] [JIRA: RIAK-2381] Mar 4, 2016
@JeetKunDoug
Copy link
Contributor Author

For Centos 7:

Reviewed ownership for /usr/sbin files - also were owned by riak. 12fee7a fixes that.

sudo rpm -i riak-ee-2.0.6.6e387249-1.el7.centos.x86_64.rpm
[sudo] password for doug:
usermod: no changes
[doug@centos7 packages]$ ls -al /etc/rc.d/init.d/riak
-rwxr-xr-x 1 root root 3302 Mar  4 22:56 /etc/rc.d/init.d/riak
[doug@centos7 packages]$ ls -al /usr/sbin/*riak*
-rwxr-xr-x 1 root root 12948 Mar  4 22:06 /usr/sbin/riak
-rwxr-xr-x 1 root root 34420 Mar  4 22:49 /usr/sbin/riak-admin
-rwxr-xr-x 1 root root 32756 Mar  4 22:49 /usr/sbin/riak-debug
-rwxr-xr-x 1 root root 18925 Mar  4 22:49 /usr/sbin/riak-repl
[doug@centos7 packages]$ ls -al /usr/sbin/search-cmd
-rwxr-xr-x 1 root root 722 Mar  4 22:49 /usr/sbin/search-cmd
[doug@centos7 packages]$ ls -al /usr/sbin | grep riak
-rwxr-xr-x  1 root root  12948 Mar  4 22:06 riak
-rwxr-xr-x  1 root root  34420 Mar  4 22:49 riak-admin
-rwxr-xr-x  1 root root  32756 Mar  4 22:49 riak-debug
-rwxr-xr-x  1 root root  18925 Mar  4 22:49 riak-repl

For FreeBSD:

[vagrant@vagrant-freebsd-92-i386 ~]$ sudo pkg_add riak-ee-2.0.6-cfd05263-FreeBSD-amd64.tbz

Thank you for installing riak-ee.

riak-ee has been installed in /usr/local owned by user:group riak:riak

The primary directories are:

    {platform_bin_dir, "/usr/local/sbin"}
    {platform_data_dir, "/var/db/riak"}
    {platform_etc_dir, "/usr/local/etc/riak"}
    {platform_lib_dir, "/usr/local/lib/riak/lib"}
    {platform_log_dir, "/var/log/riak"}

These can be configured and changed in the /usr/local/etc/riak/app.config.

Add /usr/local/sbin to your path to run riak riak-admin search-cmd riak-repl riak-debug directly.

Man pages are available for riak(1) riak-admin(1) search-cmd(1) riak-repl(1) riak-debug(1)

[vagrant@vagrant-freebsd-92-i386 ~]$ cd /usr/local/sbin
[vagrant@vagrant-freebsd-92-i386 /usr/local/sbin]$ ls -al *riak*
-rwxr-xr-x  1 root  wheel  12952 Mar  4 21:10 riak
-rwxr-xr-x  1 root  wheel  34424 Mar  4 21:10 riak-admin
-rwxr-xr-x  1 root  wheel  32780 Mar  4 21:10 riak-debug
-rwxr-xr-x  1 root  wheel  18929 Mar  4 21:10 riak-repl
[vagrant@vagrant-freebsd-92-i386 /usr/local/sbin]$

@JeetKunDoug JeetKunDoug force-pushed the dr/fix_permissions_on_init_d_script branch from e70f7b8 to 981c495 Compare March 7, 2016 20:44
Doug Rohrer added 3 commits March 8, 2016 20:37
Fix install message, and set home directory to {{platform_data_dir}} …
dd06ed5 
…instead of {{platform_base_dir}} so it's writable for the riak user
Multiple additional security tightenings:
aaf3e15 
- Changes to make sure we install as many things as possible as root:root 
or root:wheel, rather than package_install_user:package_install_group.
- Updates to make it more clear when using variables that they will be writable by the package_install_user.
- Always use `package_data_dir` as home directory for user, as package_base_dir should not be writable or owned by package user and more. Erlang cookie file `.erlang.cookie` is created in the home directory, so it must be writable.
New SmartOS version (15.4.0) attempt
4a1aaca
@JeetKunDoug JeetKunDoug force-pushed the dr/fix_permissions_on_init_d_script branch from 63afdf2 to 4a1aaca Compare March 10, 2016 00:58
@JeetKunDoug JeetKunDoug force-pushed the dr/fix_permissions_on_init_d_script branch from 8d4ae5a to dc8a0ea Compare March 10, 2016 14:22
@JeetKunDoug JeetKunDoug changed the title fix file ownership on init.d script [JIRA: TOOLS-232] [JIRA: RIAK-2381] fix file ownership for tighter security [JIRA: TOOLS-232] [JIRA: RIAK-2381] Mar 12, 2016
@nickelization
Ensure proper perms on all SMF files for SmartOS
385bbe6 
I'm not entirely clear on why this is necessary, because it seems like
the @owner/@group directives that the Makefile generates should take
care of it for us. But this should hopefully fix the issue that Doug and
I saw where the SMF files were getting installed as the user that built
the package instead of root.
nickelization
nickelization reviewed Mar 18, 2016
View reviewed changes
priv/templates/smartos/Makefile
@@ -127,29 +133,29 @@ packing_list_files: $(BUILD_STAGE_DIR) templates
echo "@comment Packing /opt/local/etc files" >> +CONTENTS && \
echo "@cwd /opt/local" >> +CONTENTS && \
echo "@owner root" >> +CONTENTS && \
echo "@group {{package_install_user}}" >> +CONTENTS && \
echo "@group riak" >> +CONTENTS && \
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Was this change intentional? I think it should stay as package_install_user since node_package isn't supposed to be riak-specific, right?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No, clearly not intentional - thanks for catching it. You mind pushing a fix?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yep, I'll get right on it. Heh, and sorry for my denseness, I guess you're right it clearly wasn't intentional :).

@nickelization
Copy link
Contributor

👍 b92e7ba

nickelization added a commit that referenced this pull request Mar 18, 2016
@nickelization
Merge pull request #196 from basho/dr/fix_permissions_on_init_d_script
2df0003 
fix file ownership for tighter security [JIRA: TOOLS-232] [JIRA: RIAK-2381]
@nickelization nickelization merged commit 2df0003 into develop Mar 18, 2016
@JeetKunDoug JeetKunDoug deleted the dr/fix_permissions_on_init_d_script branch March 18, 2016 14:17
This was referenced Mar 21, 2016
Merged
Merged
@JeetKunDoug JeetKunDoug mentioned this pull request Apr 15, 2016
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
JIRA: PR Review JIRA: To Do
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@JeetKunDoug @jonmeredith @nickelization @Basho-JIRA @gcymbalski