Merge "Dropping radvd process privileges"

2018-06-26 08:22:37 +00:00 · 2018-06-26 08:22:37 +00:00 · e298f85c26
parent a388701ddf 9f2b40f2ce
commit e298f85c26
2 changed files with 13 additions and 2 deletions
--- a/neutron/agent/linux/ra.py
+++ b/neutron/agent/linux/ra.py
@ -13,6 +13,9 @@
 #    License for the specific language governing permissions and limitations
 #    under the License.

+import os
+import pwd
+
 from itertools import chain as iter_chain

 import jinja2
@ -125,7 +128,8 @@ class DaemonMonitor(object):

        contents = buf.getvalue()
        LOG.debug("radvd config = %s", contents)
-        file_utils.replace_file(radvd_conf, contents)
+        # radvd conf file can't be writeable by self/group
+        file_utils.replace_file(radvd_conf, contents, file_mode=0o444)
        return radvd_conf

    def _get_radvd_process_manager(self, callback=None):
@ -139,6 +143,8 @@ class DaemonMonitor(object):

    def _spawn_radvd(self, radvd_conf):
        def callback(pid_file):
+            # drop radvd daemon privileges and run as the neutron user
+            radvd_user = pwd.getpwuid(os.geteuid()).pw_name
            # we need to use -m syslog and f.e. not -m stderr (the default)
            # or -m stderr_syslog so that radvd 2.0+ will close stderr and
            # exit after daemonization; otherwise, the current thread will
@ -147,6 +153,7 @@ class DaemonMonitor(object):
            radvd_cmd = [RADVD_SERVICE_CMD,
                         '-C', '%s' % radvd_conf,
                         '-p', '%s' % pid_file,
+                         '-u', '%s' % radvd_user,
                         '-m', 'syslog']
            return radvd_cmd

--- a/neutron/tests/unit/agent/l3/test_agent.py
+++ b/neutron/tests/unit/agent/l3/test_agent.py
@ -58,6 +58,7 @@ from neutron.conf.agent.l3 import ha as ha_conf
 from neutron.conf import common as base_config
 from neutron.tests import base
 from neutron.tests.common import l3_test_common
+from neutron.tests.unit.agent.linux.test_utils import FakeUser

 _uuid = uuidutils.generate_uuid
 HOSTNAME = 'myhost'
@ -2791,7 +2792,9 @@ class TestBasicRouterOperations(BasicRouterOperationsFramework):

        self.assertFalse(ri.remove_floating_ip.called)

-    def test_spawn_radvd(self):
+    @mock.patch('os.geteuid', return_value='490')
+    @mock.patch('pwd.getpwuid', return_value=FakeUser('neutron'))
+    def test_spawn_radvd(self, geteuid, getpwuid):
        router = l3_test_common.prepare_router_data(ip_version=6)

        conffile = '/fake/radvd.conf'
@ -2829,6 +2832,7 @@ class TestBasicRouterOperations(BasicRouterOperationsFramework):
        cmd = _join(*cmd)
        self.assertIn(_join('-C', conffile), cmd)
        self.assertIn(_join('-p', pidfile), cmd)
+        self.assertIn(_join('-u', 'neutron'), cmd)
        self.assertIn(_join('-m', 'syslog'), cmd)

    def test_generate_radvd_mtu_conf(self):