Posted to issues@trafficserver.apache.org by "Alan M. Carroll (JIRA)" <ji...@apache.org> on 2010/05/06 18:56:49 UTC

[jira] Created: (TS-338) Use POSIX capabilities instead of user ID switching.

Use POSIX capabilities instead of user ID switching.
----------------------------------------------------

                 Key: TS-338
                 URL: https://issues.apache.org/jira/browse/TS-338
             Project: Traffic Server
          Issue Type: Improvement
          Components: Security
    Affects Versions: 2.0.0
            Reporter: Alan M. Carroll
            Priority: Minor


Instead of switching the user id around (via seteuid() and the like), use POSIX capabilities to retain the appropriate privileges as a non-root user.

This will have to be done as an optional feature because while modern Linux kernels are compliant, older kernels may not be and the compliance status of other operating systems (e.g. BSD) is unclear.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


[jira] Commented: (TS-338) Use POSIX capabilities instead of user ID switching.

Posted by "Alan M. Carroll (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/TS-338?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12869647#action_12869647 ] 

Alan M. Carroll commented on TS-338:
------------------------------------

The OEM stuff disappeared with 2.1.0 but the root privilege flag is still there so that didn't really help :-).

After a discussion I am going with the "enable once at process init" style. The effective user ID gets changed to a non-privileged user (as determined by the configuration file) once as well and then isn't changed back.



[jira] Closed: (TS-338) Use POSIX capabilities instead of user ID switching.

Posted by "Mladen Turk (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/TS-338?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Mladen Turk closed TS-338.
--------------------------

    Resolution: Fixed

Committed to the trunk. Thanks Alan!



[jira] Updated: (TS-338) Use POSIX capabilities instead of user ID switching.

Posted by "Leif Hedstrom (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/TS-338?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Leif Hedstrom updated TS-338:
-----------------------------

         Assignee: Mladen Turk
    Fix Version/s: 2.1.1



[jira] Updated: (TS-338) Use POSIX capabilities instead of user ID switching.

Posted by "Alan M. Carroll (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/TS-338?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Alan M. Carroll updated TS-338:
-------------------------------

    Comment: was deleted

(was: Patch generated by 'svn diff' from the 2.1.0 codebase.)



[jira] Updated: (TS-338) Use POSIX capabilities instead of user ID switching.

Posted by "Alan M. Carroll (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/TS-338?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Alan M. Carroll updated TS-338:
-------------------------------

    Attachment: ts-338-2-1-0-patch.txt

Patch generated by 'svn diff' from the 2.1.0 codebase.



[jira] Commented: (TS-338) Use POSIX capabilities instead of user ID switching.

Posted by "Leif Hedstrom (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/TS-338?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12864839#action_12864839 ] 

Leif Hedstrom commented on TS-338:
----------------------------------

I think George had started work on this, but can't remember which bug it was on. As you pointed out, it wasn't particularly cross-platform / safe, so definitely need to support both methods.



[jira] Commented: (TS-338) Use POSIX capabilities instead of user ID switching.

Posted by "Alan M. Carroll (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/TS-338?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12864850#action_12864850 ] 

Alan M. Carroll commented on TS-338:
------------------------------------

I tweaked configure.ac to handle making it optional.

By default, if the capabilities library is found, then USE_POSIX_CAPABILITIES is defined to be 1; otherwise it is either not defined or zero, and all the code is conditional on that define. The appropriate executables are set to link with @LIBCAP@, which is "-lcap" if the library was found, or "" (empty string) if not. Capability use can be actively inhibited with the --disable-posix-capabilities option to configure. So, it should just work on any OS.



[jira] Commented: (TS-338) Use POSIX capabilities instead of user ID switching.

Posted by "Alan M. Carroll (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/TS-338?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12864836#action_12864836 ] 

Alan M. Carroll commented on TS-338:
------------------------------------

Implemented and ready for testing, except for an issue with the configuration files.

There is a flag in the Rollback class to indicate that root access is needed. AFAICT this is used only for the "net.config.xml" configuration file, which is only used under the OEM flag. I am not sure what privilege is needed for this, or why, which makes it difficult to map to the appropriate capability. I am not sure the OEM feature is even supported, in which case the flag should just be removed.

Currently I have just turned off the calls to restoreRootPriv / removeRootPriv. I am not sure of the security model desired -- is it OK to just keep the capability at all times, or should it be enabled only during the actual file operation? The answer is obvious for generic super user state, but not so clear for just this file operation privilege, especially since the process remains with a real user id of 0 and only changes the effective user id.

I need to look at whether this fix could enable running without ever being root. AFAICT that's only needed for the ability to bind to service ports and possibly this file access.


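Added example, written for this page rather than taken from the thread or from the ts-338 patch. It carries out the scheme Alan settles on (switch to the configured user once at process init and never switch back, keep a single capability, compile the capability code only when USE_POSIX_CAPABILITIES is set and fall back to a plain uid switch otherwise, as the configure.ac comment describes) and then checks the two things the comment above says root was needed for. Assumptions: CAP_NET_BIND_SERVICE is the capability kept, because binding service ports is the privilege the thread names; the raw capset() syscall replaces libcap so the file links without -lcap (the patch links @LIBCAP@ instead); the user name comes from argv[1] as a stand-in for the configuration file; Linux only.

```c
/* Added example for this page, not Traffic Server code: switch to the
 * configured unprivileged user once at start-up, keeping only
 * CAP_NET_BIND_SERVICE, under the USE_POSIX_CAPABILITIES guard the thread
 * describes. Raw capset() stands in for libcap (no -lcap needed). Linux only. */
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <errno.h>
#include <pwd.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#ifndef USE_POSIX_CAPABILITIES   /* configure would define this */
#  ifdef __linux__
#    define USE_POSIX_CAPABILITIES 1
#  else
#    define USE_POSIX_CAPABILITIES 0
#  endif
#endif
#if USE_POSIX_CAPABILITIES
#  include <linux/capability.h>
#  include <sys/prctl.h>
#  include <sys/syscall.h>
long syscall(long, ...);         /* in case a strict -std= hides the glibc declaration */
#endif

#define CAP_NET_BIND_SERVICE_NUM 10  /* Linux number of CAP_NET_BIND_SERVICE */

/* Mask of one capability in the 64-bit form /proc/<pid>/status prints. */
uint64_t cap_bit(int cap) { return (uint64_t)1 << cap; }

/* Parse a "CapEff:\t<hex>" line from /proc/self/status; 0 on success, -1 otherwise. */
int parse_cap_eff(const char *line, uint64_t *out)
{
    static const char key[] = "CapEff:";
    size_t klen = sizeof key - 1;
    char *end = NULL;
    if (strncmp(line, key, klen) != 0) return -1;
    errno = 0;
    unsigned long long v = strtoull(line + klen, &end, 16);
    if (errno != 0 || end == line + klen) return -1;
    *out = (uint64_t)v;
    return 0;
}

/* Effective set of the calling process; -1 where /proc is unavailable. */
int read_cap_eff(uint64_t *out)
{
    FILE *f = fopen("/proc/self/status", "r");
    char line[256];
    int rc = -1;
    if (!f) return -1;
    while (rc != 0 && fgets(line, sizeof line, f)) rc = parse_cap_eff(line, out);
    fclose(f);
    return rc;
}

/* Set all three uids to `uid` (no way back to root) and keep only the bits in
 * `keep` in the permitted and effective sets. Returns 0, or -1 with errno set. */
int drop_privileges_keep_caps(uid_t uid, gid_t gid, uint64_t keep)
{
#if USE_POSIX_CAPABILITIES
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[2] = {{0}};
    /* setuid() away from 0 clears the permitted set unless KEEPCAPS is on. */
    if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0) != 0) return -1;
    if (setgid(gid) != 0 || setuid(uid) != 0) return -1;
    /* The effective set is cleared regardless, so re-raise exactly `keep`. */
    data[0].permitted = data[0].effective = (uint32_t)(keep & 0xffffffffu);
    data[1].permitted = data[1].effective = (uint32_t)(keep >> 32);
    if (syscall(SYS_capset, &hdr, data) != 0) return -1;
    return prctl(PR_SET_KEEPCAPS, 0, 0, 0, 0);
#else
    (void)keep;                  /* no capabilities: plain one-way uid switch */
    return (setgid(gid) != 0 || setuid(uid) != 0) ? -1 : 0;
#endif
}

/* Bind a TCP socket to 127.0.0.1:port; returns 0 or the errno from bind(). */
int try_bind(int port)
{
    struct sockaddr_in sa = { .sin_family = AF_INET, .sin_port = htons((uint16_t)port),
                              .sin_addr.s_addr = htonl(INADDR_LOOPBACK) };
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return errno;
    int rc = bind(fd, (struct sockaddr *)&sa, sizeof sa) == 0 ? 0 : errno;
    close(fd);
    return rc;
}

int main(int argc, char **argv)
{
    const char *user = argc > 1 ? argv[1] : "nobody";   /* hypothetical stand-in for the configured user */
    struct passwd *pw = getpwnam(user);
    uint64_t eff = 0;
    if (!pw || geteuid() != 0) { fprintf(stderr, "run as root with a valid user name\n"); return 1; }
    if (drop_privileges_keep_caps(pw->pw_uid, pw->pw_gid, cap_bit(CAP_NET_BIND_SERVICE_NUM)) != 0) {
        perror("drop_privileges_keep_caps"); return 1;
    }
    if (read_cap_eff(&eff) == 0) printf("uid=%u CapEff=%#llx\n", (unsigned)getuid(), (unsigned long long)eff);
    int rc = try_bind(80);                               /* EACCES would mean the capability is gone */
    printf("bind(:80) -> %s\n", rc == 0 ? "ok" : strerror(rc));
    printf("setuid(0) -> %s\n", setuid(0) == 0 ? "succeeded (bad)" : strerror(errno));
    return 0;
}
```

Build with cc -o dropcaps dropcaps.c and run it as root, e.g. ./dropcaps nobody. The bind to port 80 should succeed because CAP_NET_BIND_SERVICE survived the switch, while setuid(0) should fail with EPERM because setuid() called by root replaces the real, effective and saved uid together. That is the difference from the seteuid() scheme the thread is replacing: a process whose real uid is still 0 can seteuid(0) again at any time, so removeRootPriv there only hides the privilege rather than giving it up. Compiled with USE_POSIX_CAPABILITIES=0 the same program still switches user, but the port-80 bind then fails.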

[jira] Updated: (TS-338) Use POSIX capabilities instead of user ID switching.

Posted by "Alan M. Carroll (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/TS-338?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Alan M. Carroll updated TS-338:
-------------------------------

    Attachment: ts-338-trunk-patch.txt

Updated for patching to trunk:948063



[jira] Updated: (TS-338) Use POSIX capabilities instead of user ID switching.

Posted by "Alan M. Carroll (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/TS-338?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Alan M. Carroll updated TS-338:
-------------------------------

    Attachment:     (was: ts-338-2-1-0-patch.txt)
