From 2daf4331a648cc2df6982c1a6ec47a705e038255 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Rados=C5=82aw=20Piliszek?= Date: Mon, 29 Aug 2022 18:13:34 +0000 Subject: [PATCH] Fix writable rootwrap/privsep config Fixes a hypothetical security issue related to privilege escalation via rootwrap/privsep. A potentially vulnerable service could previously allow writes to its rootwrap/privsep config and thus allow for more commands to be run with root privileges via rootwrap/privsep. For a successful attack, this would also require the service to allow to run arbitrary commands via rootwrap/privsep. Thus far, no such vulnerabilities have been reported and thus this fix is simply strengthening the container images against such an issue in the future. Change-Id: I92c81c77e6a16570a108cde8031f7977930fb02a Closes-Bug: #1874298 --- docker/aodh/aodh-base/Dockerfile.j2 | 1 - docker/barbican/barbican-base/Dockerfile.j2 | 1 - docker/blazar/blazar-base/Dockerfile.j2 | 1 - docker/ceilometer/ceilometer-base/Dockerfile.j2 | 1 - docker/cinder/cinder-api/Dockerfile.j2 | 1 - docker/cinder/cinder-base/Dockerfile.j2 | 1 - docker/cloudkitty/cloudkitty-base/Dockerfile.j2 | 1 - docker/collectd/Dockerfile.j2 | 1 - docker/designate/designate-base/Dockerfile.j2 | 1 - .../elasticsearch-curator/Dockerfile.j2 | 1 - docker/fluentd/Dockerfile.j2 | 2 +- docker/freezer/freezer-base/Dockerfile.j2 | 1 - docker/glance/glance-base/Dockerfile.j2 | 1 - docker/gnocchi/gnocchi-base/Dockerfile.j2 | 1 - docker/heat/heat-base/Dockerfile.j2 | 1 - docker/horizon/Dockerfile.j2 | 1 - docker/ironic-inspector/Dockerfile.j2 | 2 +- docker/ironic/ironic-base/Dockerfile.j2 | 4 +--- docker/keystone/keystone-base/Dockerfile.j2 | 6 ++---- docker/kuryr/kuryr-base/Dockerfile.j2 | 1 - docker/magnum/magnum-base/Dockerfile.j2 | 1 - docker/manila/manila-api/Dockerfile.j2 | 1 - docker/manila/manila-base/Dockerfile.j2 | 2 +- docker/masakari/masakari-base/Dockerfile.j2 | 1 - docker/masakari/masakari-monitors/Dockerfile.j2 | 1 - docker/mistral/mistral-base/Dockerfile.j2 | 1 -
docker/monasca/monasca-base/Dockerfile.j2 | 3 +-- docker/murano/murano-base/Dockerfile.j2 | 1 - docker/neutron/neutron-base/Dockerfile.j2 | 1 - docker/nova/nova-base/Dockerfile.j2 | 1 - docker/octavia/octavia-base/Dockerfile.j2 | 1 - docker/placement/placement-base/Dockerfile.j2 | 1 - docker/sahara/sahara-base/Dockerfile.j2 | 1 - docker/senlin/senlin-base/Dockerfile.j2 | 1 - docker/solum/solum-base/Dockerfile.j2 | 1 - docker/swift/swift-base/Dockerfile.j2 | 2 +- docker/tacker/tacker-base/Dockerfile.j2 | 1 - docker/trove/trove-base/Dockerfile.j2 | 1 - docker/venus/venus-base/Dockerfile.j2 | 1 - docker/vitrage/vitrage-base/Dockerfile.j2 | 1 - docker/watcher/watcher-base/Dockerfile.j2 | 1 - docker/zun/zun-base/Dockerfile.j2 | 1 - releasenotes/notes/bug-1874298-35b7ccffe327f7e4.yaml | 12 ++++++++++++ 43 files changed, 20 insertions(+), 48 deletions(-) create mode 100644 releasenotes/notes/bug-1874298-35b7ccffe327f7e4.yaml diff --git a/docker/aodh/aodh-base/Dockerfile.j2 b/docker/aodh/aodh-base/Dockerfile.j2 index 142b8bcf90..f223ab3479 100644 --- a/docker/aodh/aodh-base/Dockerfile.j2 +++ b/docker/aodh/aodh-base/Dockerfile.j2 @@ -28,7 +28,6 @@ RUN ln -s aodh-base-source/* aodh \ && {{ macros.install_pip(aodh_base_pip_packages | customizable("pip_packages")) }} \ && mkdir -p /etc/aodh /var/www/cgi-bin/aodh \ && cp /aodh/aodh/api/app.wsgi /var/www/cgi-bin/aodh \ - && chown -R aodh: /etc/aodh /var/www/cgi-bin/aodh \ && chmod 750 /etc/sudoers.d \ && chmod 640 /etc/sudoers.d/kolla_aodh_sudoers \ && chmod 755 /var/www/cgi-bin/aodh \ diff --git a/docker/barbican/barbican-base/Dockerfile.j2 b/docker/barbican/barbican-base/Dockerfile.j2 index f92fe9807a..5e46a9777b 100644 --- a/docker/barbican/barbican-base/Dockerfile.j2 +++ b/docker/barbican/barbican-base/Dockerfile.j2 
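Review bot: The sudoers drop-in this RUN leaves at `chmod 640 /etc/sudoers.d/kolla_aodh_sudoers` is the other root-privilege boundary in the image, and the series is inconsistent about its mode: cinder, glance, ironic, manila and swift use `440` for theirs. Once the file is root-owned the owner-write bit buys nothing, and 0440 is the mode sudoers(5) documents for sudoers files, so `&& chmod 440 /etc/sudoers.d/kolla_aodh_sudoers \` would bring this image in line with the others. Whether sudo rejects or merely warns about a 0640 drop-in depends on the sudo version, so I would treat this as consistency rather than a defect. The RUN instruction continues past the end of the hunk.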
@@ -33,7 +33,6 @@ RUN ln -s barbican-base-source/* barbican \ && {{ macros.install_pip(barbican_base_pip_packages | customizable("pip_packages")) }} \ && mkdir -p /etc/barbican \ && cp -r /barbican/etc/barbican/* /etc/barbican/ \ - && chown -R barbican: /etc/barbican \ && chmod 750 /etc/sudoers.d \ && chmod 640 /etc/sudoers.d/kolla_barbican_sudoers \ && touch /usr/local/bin/kolla_barbican_extend_start \ diff --git a/docker/blazar/blazar-base/Dockerfile.j2 b/docker/blazar/blazar-base/Dockerfile.j2 index 5cd69cecfd..12f9a6bc41 100644 --- a/docker/blazar/blazar-base/Dockerfile.j2 +++ b/docker/blazar/blazar-base/Dockerfile.j2 @@ -21,7 +21,6 @@ RUN ln -s blazar-base-source/* blazar \ && {{ macros.install_pip(blazar_base_pip_packages | customizable("pip_packages")) }} \ && mkdir -p /etc/blazar \ && cp -r /blazar/etc/blazar/* /etc/blazar \ - && chown -R blazar: /etc/blazar \ && touch /usr/local/bin/kolla_blazar_extend_start \ && chmod 644 /usr/local/bin/kolla_extend_start /usr/local/bin/kolla_blazar_extend_start diff --git a/docker/ceilometer/ceilometer-base/Dockerfile.j2 b/docker/ceilometer/ceilometer-base/Dockerfile.j2 index 9a4b2a7854..cbae0fe38b 100644 --- a/docker/ceilometer/ceilometer-base/Dockerfile.j2 +++ b/docker/ceilometer/ceilometer-base/Dockerfile.j2 @@ -29,7 +29,6 @@ RUN ln -s ceilometer-base-source/* ceilometer \ && {{ macros.install_pip(ceilometer_base_pip_packages | customizable("pip_packages")) }} \ && mkdir -p /etc/ceilometer \ && cp -r /ceilometer/etc/ceilometer/* /etc/ceilometer/ \ - && chown -R ceilometer: /etc/ceilometer \ && sed -i 's|^exec_dirs.*|exec_dirs=/var/lib/kolla/venv/bin,/sbin,/usr/sbin,/bin,/usr/bin,/usr/local/bin,/usr/local/sbin|g' /etc/ceilometer/rootwrap.conf \ && if [ "$(ls /plugins)" ]; then \ {{ macros.install_pip(ceilometer_base_plugins_pip_packages) }}; \ diff --git a/docker/cinder/cinder-api/Dockerfile.j2 b/docker/cinder/cinder-api/Dockerfile.j2 index b091acb8c8..34f684a80e 100644 --- a/docker/cinder/cinder-api/Dockerfile.j2 
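Review bot: Removing the chown makes /etc/barbican root-owned, but whether its contents are writable by the barbican user is still decided by the mode bits `cp -r /barbican/etc/barbican/* /etc/barbican/` derives from the source checkout and the build-time umask, not by anything the Dockerfile states. With the usual 022 umask group/other write is stripped, so this is belt-and-braces rather than a hole, but `&& chmod -R go-w /etc/barbican \` placed after the copy would make the guarantee explicit and independent of the build host, in the same spirit as the `chmod 644 /etc/swift/rootwrap.conf` the swift image already carries. The RUN instruction continues beyond the hunk.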
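Review bot: This hardens only the rootwrap.conf and rootwrap.d baked into the image; the `sed -i` that follows rewrites rootwrap.conf as root, so that line is fine. What the image cannot control is configuration injected at container start: if a deployment's config.json copies rootwrap.conf or filter files into /etc/ceilometer with the service user as owner, the runtime state is writable again regardless of this change. A sentence in the release note telling operators that the deployment-side config must not hand rootwrap or privsep files to the service user would make the boundary of the fix clear; I have not checked kolla-ansible's config.json here, so this is a caveat rather than a finding. The RUN instruction continues past the hunk.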
+++ b/docker/cinder/cinder-api/Dockerfile.j2 @@ -17,7 +17,6 @@ COPY extend_start.sh /usr/local/bin/kolla_cinder_extend_start RUN mkdir -p /var/www/cgi-bin/cinder \ && cp -a /var/lib/kolla/venv/bin/cinder-wsgi /var/www/cgi-bin/cinder/cinder-wsgi \ && chmod 644 /usr/local/bin/kolla_cinder_extend_start \ - && chown -R cinder: /var/www/cgi-bin/cinder \ && chmod 755 /var/www/cgi-bin/cinder/cinder-wsgi {% block cinder_api_footer %}{% endblock %} diff --git a/docker/cinder/cinder-base/Dockerfile.j2 b/docker/cinder/cinder-base/Dockerfile.j2 index 22c2d0e78c..1a661af78d 100644 --- a/docker/cinder/cinder-base/Dockerfile.j2 +++ b/docker/cinder/cinder-base/Dockerfile.j2 @@ -44,7 +44,6 @@ RUN ln -s cinder-base-source/* cinder \ && {{ macros.install_pip(cinder_base_pip_packages | customizable("pip_packages")) }} \ && mkdir -p /etc/cinder \ && cp -r /cinder/etc/cinder/* /etc/cinder/ \ - && chown -R cinder: /etc/cinder \ && sed -i 's|^exec_dirs.*|exec_dirs=/var/lib/kolla/venv/bin,/sbin,/usr/sbin,/bin,/usr/bin,/usr/local/bin,/usr/local/sbin|g' /etc/cinder/rootwrap.conf \ && chmod 750 /etc/sudoers.d \ && chmod 440 /etc/sudoers.d/kolla_cinder_sudoers \ diff --git a/docker/cloudkitty/cloudkitty-base/Dockerfile.j2 b/docker/cloudkitty/cloudkitty-base/Dockerfile.j2 index b10adb4456..8ac498233b 100644 --- a/docker/cloudkitty/cloudkitty-base/Dockerfile.j2 +++ b/docker/cloudkitty/cloudkitty-base/Dockerfile.j2 @@ -21,7 +21,6 @@ RUN ln -s cloudkitty-base-source/* cloudkitty \ && {{ macros.install_pip(cloudkitty_base_pip_packages | customizable("pip_packages")) }} \ && mkdir -p /etc/cloudkitty \ && cp -r /cloudkitty/etc/cloudkitty/* /etc/cloudkitty/ \ - && chown -R cloudkitty: /etc/cloudkitty \ && touch /usr/local/bin/kolla_cloudkitty_extend_start \ && chmod 644 /usr/local/bin/kolla_extend_start /usr/local/bin/kolla_cloudkitty_extend_start diff --git a/docker/collectd/Dockerfile.j2 b/docker/collectd/Dockerfile.j2 index 85194cc264..a54bea3cf3 100644 --- a/docker/collectd/Dockerfile.j2 
+++ b/docker/collectd/Dockerfile.j2 @@ -71,7 +71,6 @@ LABEL maintainer="{{ maintainer }}" name="{{ image_name }}" build-date="{{ build COPY extend_start.sh /usr/local/bin/kolla_extend_start RUN chmod 644 /usr/local/bin/kolla_extend_start \ && chown -R collectd /var/lib/collectd \ - && chown -R collectd /etc/collectd* \ && chown -R collectd /var/run/ {% block collectd_footer %}{% endblock %} diff --git a/docker/designate/designate-base/Dockerfile.j2 b/docker/designate/designate-base/Dockerfile.j2 index 405adeaa03..fd70264dac 100644 --- a/docker/designate/designate-base/Dockerfile.j2 +++ b/docker/designate/designate-base/Dockerfile.j2 @@ -23,7 +23,6 @@ RUN ln -s designate-base-source/* designate \ && mkdir -p /etc/designate \ && cp -r /designate/etc/designate/* /etc/designate/ \ && mv /etc/designate/rootwrap.conf.sample /etc/designate/rootwrap.conf \ - && chown -R designate: /etc/designate \ && sed -i 's|^exec_dirs.*|exec_dirs=/var/lib/kolla/venv/bin,/sbin,/usr/sbin,/bin,/usr/bin,/usr/local/bin,/usr/local/sbin|g' /etc/designate/rootwrap.conf \ && chmod 750 /etc/sudoers.d \ && chmod 640 /etc/sudoers.d/kolla_designate_sudoers \ diff --git a/docker/elasticsearch/elasticsearch-curator/Dockerfile.j2 b/docker/elasticsearch/elasticsearch-curator/Dockerfile.j2 index 98a37b3ff5..4ef07a5a88 100644 --- a/docker/elasticsearch/elasticsearch-curator/Dockerfile.j2 +++ b/docker/elasticsearch/elasticsearch-curator/Dockerfile.j2 @@ -35,7 +35,6 @@ COPY extend_start.sh /usr/local/bin/kolla_extend_start RUN {{ macros.install_pip(['pip', 'wheel', 'setuptools'], constraints=false) }} \ && {{ macros.install_pip(elasticsearch_curator_pip_packages | customizable("pip_packages"), constraints=false) }} \ && mkdir -p /etc/elasticsearch-curator \ - && chown -R elasticsearch: /etc/elasticsearch-curator \ && chmod 644 /usr/local/bin/kolla_extend_start {% block elasticsearch_curator_base_footer %}{% endblock %} 
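Review bot: With `chown -R collectd /etc/collectd*` gone, the remaining `chown -R collectd /var/run/` is the broadest grant in this RUN: it hands the service user the whole runtime directory rather than its own pid/socket location, which is the same class of over-scoping this commit is removing elsewhere. If collectd only needs its own state there, `&& mkdir -p /var/run/collectd && chown -R collectd /var/run/collectd` would narrow it; I cannot see what the collectd extend_start writes, so confirm against it before tightening.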
diff --git a/docker/fluentd/Dockerfile.j2 b/docker/fluentd/Dockerfile.j2 index f7ed124be8..e471fd03f8 100644 --- a/docker/fluentd/Dockerfile.j2 +++ b/docker/fluentd/Dockerfile.j2 @@ -43,7 +43,7 @@ COPY extend_start.sh /usr/local/bin/kolla_extend_start && chmod 440 /etc/sudoers.d/kolla_fluentd_sudoers \ && mkdir -p /etc/{{ fluentd_user }} \ && mkdir -p /var/run/{{ fluentd_user }} \ - && chown -R {{ fluentd_user }}: /etc/{{ fluentd_user }} /var/run/{{ fluentd_user }} \ + && chown -R {{ fluentd_user }}: /var/run/{{ fluentd_user }} \ && chmod 644 /usr/local/bin/kolla_extend_start {% block fluentd_plugins_install %} diff --git a/docker/freezer/freezer-base/Dockerfile.j2 b/docker/freezer/freezer-base/Dockerfile.j2 index 0737eae589..136f81459f 100644 --- a/docker/freezer/freezer-base/Dockerfile.j2 +++ b/docker/freezer/freezer-base/Dockerfile.j2 @@ -27,7 +27,6 @@ COPY extend_start.sh /usr/local/bin/kolla_extend_start RUN ln -s freezer-base-source/* freezer \ && mkdir -p /etc/freezer \ - && chown -R freezer: /etc/freezer \ && {{ macros.install_pip(freezer_base_pip_packages | customizable("pip_packages")) }} \ && cp -r /freezer/etc/* /etc/freezer \ && chmod 750 /etc/sudoers.d \ diff --git a/docker/glance/glance-base/Dockerfile.j2 b/docker/glance/glance-base/Dockerfile.j2 index 0d17517aa5..d202208955 100644 --- a/docker/glance/glance-base/Dockerfile.j2 +++ b/docker/glance/glance-base/Dockerfile.j2 @@ -41,7 +41,6 @@ RUN ln -s glance-base-source/* glance \ && {{ macros.install_pip(glance_base_pip_packages | customizable("pip_packages")) }} \ && mkdir -p /etc/glance \ && cp -r /glance/etc/* /etc/glance/ \ - && chown -R glance: /etc/glance \ && sed -i 's|^exec_dirs.*|exec_dirs=/var/lib/kolla/venv/bin,/sbin,/usr/sbin,/bin,/usr/bin,/usr/local/bin,/usr/local/sbin|g' /etc/glance/rootwrap.conf \ && chmod 750 /etc/sudoers.d \ && chmod 440 /etc/sudoers.d/kolla_glance_sudoers \ 
diff --git a/docker/gnocchi/gnocchi-base/Dockerfile.j2 b/docker/gnocchi/gnocchi-base/Dockerfile.j2 index 9fb808dfc9..8345fa29bd 100644 --- a/docker/gnocchi/gnocchi-base/Dockerfile.j2 +++ b/docker/gnocchi/gnocchi-base/Dockerfile.j2 @@ -44,7 +44,6 @@ COPY gnocchi_sudoers /etc/sudoers.d/kolla_gnocchi_sudoers RUN ln -s gnocchi-base-source/* gnocchi \ && {{ macros.install_pip(gnocchi_base_pip_packages | customizable("pip_packages")) }} \ && mkdir -p /etc/gnocchi \ - && chown -R gnocchi: /etc/gnocchi \ && chmod 750 /etc/sudoers.d \ && chmod 640 /etc/sudoers.d/kolla_gnocchi_sudoers \ && touch /usr/local/bin/kolla_gnocchi_extend_start \ diff --git a/docker/heat/heat-base/Dockerfile.j2 b/docker/heat/heat-base/Dockerfile.j2 index be8388a6fe..bc5074f724 100644 --- a/docker/heat/heat-base/Dockerfile.j2 +++ b/docker/heat/heat-base/Dockerfile.j2 @@ -27,7 +27,6 @@ RUN ln -s heat-base-source/* heat \ && {{ macros.install_pip(heat_base_pip_packages | customizable("pip_packages")) }} \ && mkdir -p /etc/heat \ && cp -r /heat/etc/heat/* /etc/heat/ \ - && chown -R heat: /etc/heat \ && touch /usr/local/bin/kolla_heat_extend_start \ && chmod 644 /usr/local/bin/kolla_extend_start /usr/local/bin/kolla_heat_extend_start diff --git a/docker/horizon/Dockerfile.j2 b/docker/horizon/Dockerfile.j2 index 62053f88a9..b2b6ab9b33 100644 --- a/docker/horizon/Dockerfile.j2 +++ b/docker/horizon/Dockerfile.j2 @@ -59,7 +59,6 @@ RUN ln -s horizon-source/* horizon \ && for locale in /var/lib/kolla/venv/lib/python{{distro_python_version}}/site-packages/*/locale; do \ (cd ${locale%/*} && /var/lib/kolla/venv/bin/django-admin compilemessages) \ done \ - && chown -R horizon: /etc/openstack-dashboard \ && chmod 644 /usr/local/bin/kolla_extend_start {% block horizon_footer %}{% endblock %} diff --git a/docker/ironic-inspector/Dockerfile.j2 b/docker/ironic-inspector/Dockerfile.j2 index 3b6c47c125..123acefaa6 100644 --- a/docker/ironic-inspector/Dockerfile.j2 +++ b/docker/ironic-inspector/Dockerfile.j2 
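Review bot: /etc/openstack-dashboard becomes root-owned here, and horizon's extend_start.sh, which is outside this hunk, is the kind of start-up script that edits settings files under that tree at container start; if any of those writes run as the horizon user they will now fail with a permission error rather than silently succeed. I cannot tell from the hunk which user performs them, so a CI run of the horizon container built from this image is the quickest way to settle it. If a runtime write is genuinely needed, move that one file to a service-owned location rather than restoring the recursive chown.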
@@ -36,7 +36,7 @@ RUN ln -s ironic-inspector-source/* ironic-inspector \ && chmod 440 /etc/sudoers.d/kolla_ironic_inspector_sudoers \ && chmod 644 /usr/local/bin/kolla_extend_start \ && mkdir -p /var/lib/ironic-inspector/dhcp-hostsdir \ - && chown -R ironic-inspector: /etc/ironic-inspector /var/lib/ironic-inspector + && chown -R ironic-inspector: /var/lib/ironic-inspector {% block ironic_inspector_footer %}{% endblock %} {% block footer %}{% endblock %} diff --git a/docker/ironic/ironic-base/Dockerfile.j2 b/docker/ironic/ironic-base/Dockerfile.j2 index 210e6e9051..aced0b7093 100644 --- a/docker/ironic/ironic-base/Dockerfile.j2 +++ b/docker/ironic/ironic-base/Dockerfile.j2 @@ -22,12 +22,10 @@ RUN ln -s ironic-base-source/* ironic \ && {{ macros.install_pip(ironic_base_pip_packages | customizable("pip_packages")) }} \ && mkdir -p /etc/ironic \ && cp -r /var/lib/kolla/venv/etc/ironic/* /etc/ironic/ \ - && chown -R ironic: /etc/ironic \ && sed -i 's|^exec_dirs.*|exec_dirs=/var/lib/kolla/venv/bin,/sbin,/usr/sbin,/bin,/usr/bin,/usr/local/bin,/usr/local/sbin|g' /etc/ironic/rootwrap.conf \ && chmod 750 /etc/sudoers.d \ && chmod 440 /etc/sudoers.d/kolla_ironic_sudoers \ && touch /usr/local/bin/kolla_ironic_extend_start \ - && chmod 644 /usr/local/bin/kolla_extend_start /usr/local/bin/kolla_ironic_extend_start \ - && chown -R ironic: /etc/ironic + && chmod 644 /usr/local/bin/kolla_extend_start /usr/local/bin/kolla_ironic_extend_start {% block ironic_base_footer %}{% endblock %} diff --git a/docker/keystone/keystone-base/Dockerfile.j2 b/docker/keystone/keystone-base/Dockerfile.j2 index 0415e0ace9..a3e5b73f7f 100644 --- a/docker/keystone/keystone-base/Dockerfile.j2 +++ b/docker/keystone/keystone-base/Dockerfile.j2 
@@ -39,11 +39,9 @@ RUN ln -s keystone-base-source/* keystone \ && mkdir -p /etc/keystone /var/www/cgi-bin/keystone \ && cp -r /keystone/etc/* /etc/keystone/ \ && cp /var/lib/kolla/venv/bin/keystone-wsgi-admin /var/www/cgi-bin/keystone/admin \ - && cp /var/lib/kolla/venv/bin/keystone-wsgi-public /var/www/cgi-bin/keystone/main \ - && chown -R keystone: /etc/keystone /var/www/cgi-bin/keystone + && cp /var/lib/kolla/venv/bin/keystone-wsgi-public /var/www/cgi-bin/keystone/main {% endblock %} -RUN chown -R keystone: /var/www/cgi-bin/keystone \ - && chmod 755 /var/www/cgi-bin/keystone/* +RUN chmod 755 /var/www/cgi-bin/keystone/* {% block keystone_base_footer %}{% endblock %} diff --git a/docker/kuryr/kuryr-base/Dockerfile.j2 b/docker/kuryr/kuryr-base/Dockerfile.j2 index b869121fe3..75cafdf0be 100644 --- a/docker/kuryr/kuryr-base/Dockerfile.j2 +++ b/docker/kuryr/kuryr-base/Dockerfile.j2 @@ -23,7 +23,6 @@ RUN ln -s kuryr-base-source/* kuryr-base \ && sed -i 's|^kuryr-lib===.*$||g' requirements/upper-constraints.txt \ && {{ macros.install_pip(kuryr_base_pip_packages | customizable("pip_packages")) }} \ && mkdir -p /etc/kuryr \ - && chown -R kuryr: /etc/kuryr \ && chmod 644 /usr/local/bin/kolla_extend_start {% block kuryr_base_footer %}{% endblock %} diff --git a/docker/magnum/magnum-base/Dockerfile.j2 b/docker/magnum/magnum-base/Dockerfile.j2 index 4473b80d2c..71e6a507c4 100644 --- a/docker/magnum/magnum-base/Dockerfile.j2 +++ b/docker/magnum/magnum-base/Dockerfile.j2 @@ -22,7 +22,6 @@ RUN ln -s magnum-base-source/* magnum \ && mkdir -p /etc/magnum \ && cp -r /magnum/etc/magnum/* /etc/magnum \ && mv /etc/magnum/keystone_auth_default_policy.sample /etc/magnum/keystone_auth_default_policy.json \ - && chown -R magnum: /etc/magnum \ && touch /usr/local/bin/kolla_magnum_extend_start \ && chmod 644 /usr/local/bin/kolla_extend_start /usr/local/bin/kolla_magnum_extend_start 
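Review bot: After the chown is dropped, the second RUN is reduced to a single `chmod 755 /var/www/cgi-bin/keystone/*`, which now costs a layer for one command that the preceding RUN inside the block could absorb. It sits outside the `{% block %}` presumably so that templates overriding the install block still get the mode fix, so leaving it is defensible; if that is the intent, a short comment such as `# kept outside the block so overriding templates still get the WSGI entry points made executable` would stop the next reader from folding it in. The root-owned 755 entry points are the right outcome for a service that should only read them.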
diff --git a/docker/manila/manila-api/Dockerfile.j2 b/docker/manila/manila-api/Dockerfile.j2 index dece703f3e..0e6d9e2521 100644 --- a/docker/manila/manila-api/Dockerfile.j2 +++ b/docker/manila/manila-api/Dockerfile.j2 @@ -16,7 +16,6 @@ COPY extend_start.sh /usr/local/bin/kolla_manila_extend_start RUN mkdir -p /var/www/cgi-bin/manila \ && cp -a /var/lib/kolla/venv/bin/manila-wsgi /var/www/cgi-bin/manila/manila-wsgi \ && chmod 644 /usr/local/bin/kolla_manila_extend_start \ - && chown -R manila: /var/www/cgi-bin/manila \ && chmod 755 /var/www/cgi-bin/manila/manila-wsgi {% block manila_api_footer %}{% endblock %} diff --git a/docker/manila/manila-base/Dockerfile.j2 b/docker/manila/manila-base/Dockerfile.j2 index d484f8f0dc..7279960735 100644 --- a/docker/manila/manila-base/Dockerfile.j2 +++ b/docker/manila/manila-base/Dockerfile.j2 @@ -35,7 +35,7 @@ RUN ln -s manila-base-source/* manila \ && {{ macros.install_pip(manila_base_pip_packages | customizable("pip_packages")) }} \ && mkdir -p /etc/manila /var/cache/manila \ && cp -r /manila/etc/manila/* /etc/manila/ \ - && chown -R manila: /etc/manila /var/cache/manila \ + && chown -R manila: /var/cache/manila \ && sed -i 's|^exec_dirs.*|exec_dirs=/var/lib/kolla/venv/bin,/sbin,/usr/sbin,/bin,/usr/bin,/usr/local/bin,/usr/local/sbin|g' /etc/manila/rootwrap.conf \ && chmod 750 /etc/sudoers.d \ && chmod 440 /etc/sudoers.d/kolla_manila_sudoers \ diff --git a/docker/masakari/masakari-base/Dockerfile.j2 b/docker/masakari/masakari-base/Dockerfile.j2 index e0f3e3d601..63e18e4436 100644 --- a/docker/masakari/masakari-base/Dockerfile.j2 +++ b/docker/masakari/masakari-base/Dockerfile.j2 
@@ -35,7 +35,6 @@ RUN ln -s masakari-base-source/* masakari \ && {{ macros.install_pip(masakari_base_pip_packages | customizable("pip_packages")) }} \ && mkdir -p /etc/masakari /var/www/cgi-bin/masakari \ && cp -r /masakari/etc/masakari/* /etc/masakari/ \ - && chown -R masakari: /etc/masakari /var/www/cgi-bin/masakari \ && chmod 755 /var/www/cgi-bin/masakari \ && touch /usr/local/bin/kolla_masakari_extend_start \ && chmod 644 /usr/local/bin/kolla_extend_start /usr/local/bin/kolla_masakari_extend_start diff --git a/docker/masakari/masakari-monitors/Dockerfile.j2 b/docker/masakari/masakari-monitors/Dockerfile.j2 index 484c190ba8..1a4bb10929 100644 --- a/docker/masakari/masakari-monitors/Dockerfile.j2 +++ b/docker/masakari/masakari-monitors/Dockerfile.j2 @@ -44,7 +44,6 @@ COPY masakari_monitors_sudoers /etc/sudoers.d/kolla_masakari_monitors_sudoers RUN ln -s masakari-monitors-source/* masakari-monitors \ && {{ macros.install_pip(masakari_monitors_pip_packages | customizable("pip_packages")) }} \ && mkdir -p /etc/masakari-monitors \ - && chown -R masakari: /etc/masakari-monitors \ && chmod 750 /etc/sudoers.d \ && chmod 640 /etc/sudoers.d/kolla_masakari_monitors_sudoers diff --git a/docker/mistral/mistral-base/Dockerfile.j2 b/docker/mistral/mistral-base/Dockerfile.j2 index bc260660c9..0a1fb1e3c4 100644 --- a/docker/mistral/mistral-base/Dockerfile.j2 +++ b/docker/mistral/mistral-base/Dockerfile.j2 @@ -27,7 +27,6 @@ RUN ln -s mistral-base-source/* mistral \ && {{ macros.install_pip(mistral_base_pip_packages | customizable("pip_packages")) }} \ && mkdir -p /etc/mistral \ && cp -r /mistral/etc/* /etc/mistral/ \ - && chown -R mistral: /etc/mistral \ && if [ "$(ls /plugins)" ]; then \ {{ macros.install_pip(mistral_base_plugins_pip_packages) }}; \ fi \ diff --git a/docker/monasca/monasca-base/Dockerfile.j2 b/docker/monasca/monasca-base/Dockerfile.j2 index 3c35ab4b2c..e343a922a8 100644 --- a/docker/monasca/monasca-base/Dockerfile.j2 
+++ b/docker/monasca/monasca-base/Dockerfile.j2 @@ -27,8 +27,7 @@ LABEL maintainer="{{ maintainer }}" name="{{ image_name }}" build-date="{{ build ] %} RUN {{ macros.install_pip(monasca_base_pip_packages | customizable("pip_packages")) }} \ - && mkdir -p /etc/monasca \ - && chown -R monasca: /etc/monasca + && mkdir -p /etc/monasca {% endblock %} COPY extend_start.sh /usr/local/bin/kolla_extend_start diff --git a/docker/murano/murano-base/Dockerfile.j2 b/docker/murano/murano-base/Dockerfile.j2 index ccef5135f6..ba46f6389c 100644 --- a/docker/murano/murano-base/Dockerfile.j2 +++ b/docker/murano/murano-base/Dockerfile.j2 @@ -21,7 +21,6 @@ RUN ln -s murano-base-source/* murano \ && {{ macros.install_pip(murano_base_pip_packages | customizable("pip_packages")) }} \ && mkdir -p /etc/murano \ && cp -r /murano/etc/murano/* /etc/murano/ \ - && chown -R murano: /etc/murano \ && cd murano/meta/io.murano \ && zip -r /io.murano.zip * \ && cd /murano/meta/io.murano.applications \ diff --git a/docker/neutron/neutron-base/Dockerfile.j2 b/docker/neutron/neutron-base/Dockerfile.j2 index 56f336c571..95277e93d6 100644 --- a/docker/neutron/neutron-base/Dockerfile.j2 +++ b/docker/neutron/neutron-base/Dockerfile.j2 @@ -73,7 +73,6 @@ RUN ln -s neutron-base-source/* neutron \ && cp -r /neutron/etc/* /etc/neutron/ \ && cp -r /neutron/etc/neutron/* /etc/neutron/ \ && mv /etc/neutron/neutron/ /etc/neutron/plugins/ \ - && chown -R neutron: /etc/neutron \ && sed -i 's|^exec_dirs.*|exec_dirs=/var/lib/kolla/venv/bin,/sbin,/usr/sbin,/bin,/usr/bin,/usr/local/bin,/usr/local/sbin|g' /etc/neutron/rootwrap.conf \ && if [ "$(ls /plugins)" ]; then \ {{ macros.install_pip(neutron_base_plugins_pip_packages) }} \ diff --git a/docker/nova/nova-base/Dockerfile.j2 b/docker/nova/nova-base/Dockerfile.j2 index c2ce048a3e..bdb5f8055f 100644 --- a/docker/nova/nova-base/Dockerfile.j2 +++ b/docker/nova/nova-base/Dockerfile.j2 
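Review bot: Root ownership of /etc/neutron closes off the filter files, but rootwrap resolves an allowed command by walking `exec_dirs`, and the first entry the `sed` on the next line installs is `/var/lib/kolla/venv/bin`: a writable entry there is equivalent to a writable filter, because the service user can shadow whatever basename a CommandFilter permits. The venv is populated by `macros.install_pip` as root in this same RUN and is presumably root-owned, but nothing asserts it; a comment above the `sed`, such as `# exec_dirs must stay non-writable by the neutron user: a writable entry is equivalent to a writable rootwrap filter`, would record the invariant this commit depends on. The RUN instruction continues past the hunk.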
@@ -70,7 +70,6 @@ RUN ln -s nova-base-source/* nova \ && {{ macros.install_pip(nova_base_pip_packages | customizable("pip_packages")) }} \ && mkdir -p /etc/nova/ \ && cp -r /nova/etc/nova/* /etc/nova/ \ - && chown -R nova: /etc/nova/ \ && sed -i 's|^exec_dirs.*|exec_dirs=/var/lib/kolla/venv/bin,/sbin,/usr/sbin,/bin,/usr/bin,/usr/local/bin,/usr/local/sbin|g' /etc/nova/rootwrap.conf \ && if [ "$(ls /plugins)" ]; then \ {{ macros.install_pip(nova_base_plugins_pip_packages) }}; \ diff --git a/docker/octavia/octavia-base/Dockerfile.j2 b/docker/octavia/octavia-base/Dockerfile.j2 index bb4b2245da..1478ac64b5 100644 --- a/docker/octavia/octavia-base/Dockerfile.j2 +++ b/docker/octavia/octavia-base/Dockerfile.j2 @@ -28,7 +28,6 @@ RUN ln -s /octavia-base-source/* octavia \ && {{ macros.install_pip(octavia_base_pip_packages | customizable("pip_packages")) }} \ && mkdir -p /etc/octavia \ && cp -r /octavia/etc/* /etc/octavia/ \ - && chown -R octavia: /etc/octavia \ && touch /usr/local/bin/kolla_octavia_extend_start \ && chmod 644 /usr/local/bin/kolla_extend_start /usr/local/bin/kolla_octavia_extend_start diff --git a/docker/placement/placement-base/Dockerfile.j2 b/docker/placement/placement-base/Dockerfile.j2 index ff3892fbd7..17a4d42673 100644 --- a/docker/placement/placement-base/Dockerfile.j2 +++ b/docker/placement/placement-base/Dockerfile.j2 @@ -36,7 +36,6 @@ RUN ln -s placement-base-source/* placement \ && {{ macros.install_pip(placement_base_pip_packages | customizable("pip_packages")) }} \ && mkdir -p /etc/placement/ \ && cp -r /placement/etc/placement/* /etc/placement/ \ - && chown -R placement: /etc/placement/ \ && touch /usr/local/bin/kolla_placement_extend_start \ && chmod 644 /usr/local/bin/kolla_extend_start /usr/local/bin/kolla_placement_extend_start diff --git a/docker/sahara/sahara-base/Dockerfile.j2 b/docker/sahara/sahara-base/Dockerfile.j2 index af60f20229..7137954442 100644 --- a/docker/sahara/sahara-base/Dockerfile.j2 
+++ b/docker/sahara/sahara-base/Dockerfile.j2 @@ -36,7 +36,6 @@ RUN ln -s sahara-base-source/* sahara \ fi \ && mkdir -p /etc/sahara \ && cp -r /sahara/etc/sahara/* /etc/sahara/ \ - && chown -R sahara: /etc/sahara \ && sed -i 's|^exec_dirs.*|exec_dirs=/var/lib/kolla/venv/bin,/sbin,/usr/sbin,/bin,/usr/bin,/usr/local/bin,/usr/local/sbin|g' /etc/sahara/rootwrap.conf \ && chmod 750 /etc/sudoers.d \ && chmod 640 /etc/sudoers.d/kolla_sahara_sudoers \ diff --git a/docker/senlin/senlin-base/Dockerfile.j2 b/docker/senlin/senlin-base/Dockerfile.j2 index 463a7a3fef..271e19287b 100644 --- a/docker/senlin/senlin-base/Dockerfile.j2 +++ b/docker/senlin/senlin-base/Dockerfile.j2 @@ -21,7 +21,6 @@ RUN ln -s senlin-base-source/* senlin \ && {{ macros.install_pip(senlin_base_pip_packages | customizable("pip_packages")) }} \ && mkdir -p /etc/senlin \ && cp -r /senlin/etc/senlin/* /etc/senlin \ - && chown -R senlin: /etc/senlin \ && touch /usr/local/bin/kolla_senlin_extend_start \ && chmod 644 /usr/local/bin/kolla_extend_start /usr/local/bin/kolla_senlin_extend_start diff --git a/docker/solum/solum-base/Dockerfile.j2 b/docker/solum/solum-base/Dockerfile.j2 index 8bad55fe3c..4de86d59f8 100644 --- a/docker/solum/solum-base/Dockerfile.j2 +++ b/docker/solum/solum-base/Dockerfile.j2 @@ -21,7 +21,6 @@ RUN ln -s solum-base-source/* solum \ && {{ macros.install_pip(solum_base_pip_packages | customizable("pip_packages")) }} \ && mkdir -p /etc/solum \ && cp -r /solum/etc/solum/* /etc/solum/ \ - && chown -R solum: /etc/solum \ && touch /usr/local/bin/kolla_solum_extend_start \ && chmod 644 /usr/local/bin/kolla_extend_start /usr/local/bin/kolla_solum_extend_start diff --git a/docker/swift/swift-base/Dockerfile.j2 b/docker/swift/swift-base/Dockerfile.j2 index c3365578c5..372765fb0e 100644 --- a/docker/swift/swift-base/Dockerfile.j2 +++ b/docker/swift/swift-base/Dockerfile.j2 
@@ -38,7 +38,7 @@ RUN ln -s swift-base-source/* swift \ && {{ macros.install_pip(swift_base_pip_packages | customizable("pip_packages")) }} \ && mkdir -p /etc/swift /var/cache/swift /var/lock/swift \ && cp -r /swift/etc/* /etc/swift/ \ - && chown -R swift: /etc/swift /var/cache/swift /var/lock/swift \ + && chown -R swift: /var/cache/swift /var/lock/swift \ && chmod 755 /var/lib/kolla/venv/bin/swift-rootwrap \ && chmod 644 /etc/swift/rootwrap.conf \ && sed -i 's|^exec_dirs.*|exec_dirs=/var/lib/kolla/venv/bin,/sbin,/usr/sbin,/bin,/usr/bin,/usr/local/bin,/usr/local/sbin|g' /etc/swift/rootwrap.conf \ diff --git a/docker/tacker/tacker-base/Dockerfile.j2 b/docker/tacker/tacker-base/Dockerfile.j2 index f9f526f6de..7b57a4ebde 100644 --- a/docker/tacker/tacker-base/Dockerfile.j2 +++ b/docker/tacker/tacker-base/Dockerfile.j2 @@ -27,7 +27,6 @@ RUN ln -s tacker-base-source/* tacker \ && {{ macros.install_pip(tacker_base_pip_packages | customizable("pip_packages")) }} \ && mkdir -p /etc/tacker \ && cp -r /tacker/etc/tacker/* /etc/tacker \ - && chown -R tacker: /etc/tacker \ && if [ "$(ls /plugins)" ]; then \ {{ macros.install_pip(tacker_base_plugins_pip_packages) }}; \ fi \ diff --git a/docker/trove/trove-base/Dockerfile.j2 b/docker/trove/trove-base/Dockerfile.j2 index af3bde5300..54a31dcaa0 100644 --- a/docker/trove/trove-base/Dockerfile.j2 +++ b/docker/trove/trove-base/Dockerfile.j2 @@ -21,7 +21,6 @@ RUN ln -s trove-base-source/* trove \ && {{ macros.install_pip(trove_base_pip_packages | customizable("pip_packages")) }} \ && mkdir -p /etc/trove \ && cp -r /trove/etc/trove/* /etc/trove/ \ - && chown -R trove: /etc/trove \ && touch /usr/local/bin/kolla_trove_extend_start \ && chmod 644 /usr/local/bin/kolla_extend_start /usr/local/bin/kolla_trove_extend_start diff --git a/docker/venus/venus-base/Dockerfile.j2 b/docker/venus/venus-base/Dockerfile.j2 index 8137644987..eea2b82066 100644 --- a/docker/venus/venus-base/Dockerfile.j2 +++ b/docker/venus/venus-base/Dockerfile.j2 
@@ -21,7 +21,6 @@ RUN ln -s venus-base-source/* venus \ && {{ macros.install_pip(venus_base_pip_packages | customizable("pip_packages")) }} \ && mkdir -p /etc/venus \ && cp -r /venus/etc/venus/* /etc/venus/ \ - && chown -R venus: /etc/venus \ && touch /usr/local/bin/kolla_venus_extend_start \ && chmod 644 /usr/local/bin/kolla_extend_start /usr/local/bin/kolla_venus_extend_start diff --git a/docker/vitrage/vitrage-base/Dockerfile.j2 b/docker/vitrage/vitrage-base/Dockerfile.j2 index d971584c26..ae46ca8ccc 100644 --- a/docker/vitrage/vitrage-base/Dockerfile.j2 +++ b/docker/vitrage/vitrage-base/Dockerfile.j2 @@ -35,7 +35,6 @@ RUN ln -s vitrage-base-source/* vitrage \ && mkdir -p /etc/vitrage /var/www/cgi-bin/vitrage \ && cp -r /vitrage/etc/vitrage/* /etc/vitrage/ \ && cp /vitrage/vitrage/api/app.wsgi /var/www/cgi-bin/vitrage \ - && chown -R vitrage: /etc/vitrage /var/www/cgi-bin/vitrage \ && touch /usr/local/bin/kolla_vitrage_extend_start \ && chmod 644 /usr/local/bin/kolla_extend_start /usr/local/bin/kolla_vitrage_extend_start diff --git a/docker/watcher/watcher-base/Dockerfile.j2 b/docker/watcher/watcher-base/Dockerfile.j2 index 7850642b7c..c389f675c8 100644 --- a/docker/watcher/watcher-base/Dockerfile.j2 +++ b/docker/watcher/watcher-base/Dockerfile.j2 @@ -21,7 +21,6 @@ RUN ln -s watcher-base-source/* watcher \ && {{ macros.install_pip(watcher_base_pip_packages | customizable("pip_packages")) }} \ && mkdir -p /etc/watcher \ && cp -r /watcher/etc/watcher/* /etc/watcher/ \ - && chown -R watcher: /etc/watcher \ && touch /usr/local/bin/kolla_watcher_extend_start \ && chmod 644 /usr/local/bin/kolla_extend_start /usr/local/bin/kolla_watcher_extend_start diff --git a/docker/zun/zun-base/Dockerfile.j2 b/docker/zun/zun-base/Dockerfile.j2 index 41b022dab4..242a6632c8 100644 --- a/docker/zun/zun-base/Dockerfile.j2 +++ b/docker/zun/zun-base/Dockerfile.j2 
@@ -43,7 +43,6 @@ RUN ln -s zun-base-source/* zun \ && mkdir -p /etc/zun /var/www/cgi-bin/zun \ && cp -r /zun/etc/zun/* /etc/zun/ \ && cp /zun/zun/api/app.wsgi /var/www/cgi-bin/zun \ - && chown -R zun: /etc/zun /var/www/cgi-bin/zun \ && sed -i 's|^exec_dirs.*|exec_dirs=/var/lib/kolla/venv/bin,/sbin,/usr/sbin,/bin,/usr/bin,/usr/local/bin,/usr/local/sbin|g' /etc/zun/rootwrap.conf \ && chmod 750 /etc/sudoers.d \ && chmod 640 /etc/sudoers.d/kolla_zun_sudoers \ diff --git a/releasenotes/notes/bug-1874298-35b7ccffe327f7e4.yaml b/releasenotes/notes/bug-1874298-35b7ccffe327f7e4.yaml new file mode 100644 index 0000000000..10ec5faaaf --- /dev/null +++ b/releasenotes/notes/bug-1874298-35b7ccffe327f7e4.yaml @@ -0,0 +1,12 @@ +--- +security: + - | + Fixes a hypothetical security issue related to privilege escalation via + rootwrap/privsep. A potential vulnerable service could previously allow + writes to its rootwrap/privsep config and thus allow for more commands + to be run with root privileges via rootwrap/privsep. For a succesful + attack, this would also require the service to allow to run arbitrary + commands via rootwrap/privsep. Thus far, no such vulnerabilities have + been reported and thus this fix is simply strengthening the container + images against such an issue in the future. + `LP#1874298 `__