Add new config param to allow GroupExec perm for the SecretBackend command #6298
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
clamoriniere
force-pushed
the
clamoriniere/fix-checks-permission-v1
branch
from
5f889b5 to
850895d
Compare
clamoriniere
changed the title
L3n41c
requested changes
Aug 31, 2020
L3n41c
requested changes
Aug 31, 2020
clamoriniere
force-pushed
the
clamoriniere/fix-checks-permission-v1
branch
2 times, most recently
from
855c4c7 to
fee5f73
Compare
L3n41c
approved these changes
Aug 31, 2020
hush-hush
requested changes
Sep 3, 2020
releasenotes/notes/Add-Group-exec-perm-for-the-SecretBackend-command-a7fbe1ece1fad50b.yaml
Show resolved
Hide resolved
|
Once this is merged let's not forget to update the official doc to explain when, why and how to enable this option : https://docs.datadoghq.com/agent/guide/secrets-management/?tab=linux |
hush-hush
requested changes
Sep 3, 2020
olivielpeau
requested review from
trishankatdatadog
and removed request for
a team
olivielpeau
approved these changes
Sep 8, 2020
releasenotes/notes/Add-Group-exec-perm-for-the-SecretBackend-command-a7fbe1ece1fad50b.yaml
Outdated
Show resolved
Hide resolved
clamoriniere
force-pushed
the
clamoriniere/fix-checks-permission-v1
branch
from
79fe747 to
44fcf25
Compare
hush-hush
requested changes
Sep 14, 2020
releasenotes/notes/Add-Group-exec-perm-for-the-SecretBackend-command-a7fbe1ece1fad50b.yaml
Show resolved
Hide resolved
releasenotes-dca/Add-Group-exec-perm-for-the-SecretBackend-command-a7fbe1ece1fad50b.yaml
Outdated
Show resolved
Hide resolved
clamoriniere
commented
Sep 15, 2020
hush-hush
approved these changes
Sep 16, 2020
clamoriniere
force-pushed
the
clamoriniere/fix-checks-permission-v1
branch
from
10af196 to
9550d63
Compare
hush-hush
approved these changes
Sep 17, 2020
olivielpeau
approved these changes
Sep 17, 2020
pkg/secrets/check_rights_nix.go
Outdated
| } | ||
|
|
||
| // checking that we own the executable | ||
| usr, err := user.Current() | ||
| userGroups, err := usr.GroupIds() | ||
| if err != nil { | ||
| return fmt.Errorf("can't query current user UID: %s", err) |
There was a problem hiding this comment.
Suggested change
| return fmt.Errorf("can't query current user UID: %s", err) | |
| return fmt.Errorf("can't query current user's GIDs: %s", err) |
releasenotes-dca/Add-Group-exec-perm-for-the-SecretBackend-command-a7fbe1ece1fad50b.yaml
Outdated
Show resolved
Hide resolved
trishankatdatadog
approved these changes
Sep 17, 2020
pkg/secrets/check_rights_nix.go
Outdated
| return nil | ||
| } | ||
|
|
||
| // checkUserPermission check that only the current User or one of his group can exec the path |
There was a problem hiding this comment.
Suggested change
| // checkUserPermission check that only the current User or one of his group can exec the path | |
| // checkGroupPermission check that only the current User or one of his group can exec the path |
pkg/secrets/check_rights_windows.go
Outdated
| @@ -24,7 +24,9 @@ var ( | |||
|
|
|||
| // checkRights check that the given filename has access controls set only for | |||
| // Administrator, Local System and the datadog user. | |||
| func checkRights(filename string) error { | |||
| func checkRights(filename string, _ bool) error { | |||
There was a problem hiding this comment.
Maybe instead of ignoring the bool here, return an error if it is true?
pkg/secrets/check_rights_nix.go
Outdated
| isUserFile = true | ||
| } | ||
| // If the file is not own by the user, lets check for on of his groups | ||
| if !isUserFile { |
There was a problem hiding this comment.
if isUserFile, you might wish to check that user can exec (check that stat.Mode&syscall.S_IXUSR == 0 is not an issue like in checkUserPermission)
| require.Nil(t, os.Chmod(tmpfile.Name(), 0600)) | ||
| require.NotNil(t, checkRights(tmpfile.Name())) | ||
| require.NotNil(t, checkRights(tmpfile.Name(), allowGroupExec)) | ||
|
|
||
| // group should have no right | ||
| require.Nil(t, os.Chmod(tmpfile.Name(), 0710)) |
There was a problem hiding this comment.
Consider adding a separate 0720 test here (group can write)
|
|
||
| // group should have no right | ||
| require.Nil(t, os.Chmod(tmpfile.Name(), 0710)) | ||
| require.NotNil(t, checkRights(tmpfile.Name())) | ||
| require.NotNil(t, checkRights(tmpfile.Name(), allowGroupExec)) | ||
|
|
||
| // other should have no right | ||
| require.Nil(t, os.Chmod(tmpfile.Name(), 0701)) |
There was a problem hiding this comment.
Consider adding a separate 0702 test here (others can write)
| require.Nil(t, os.Chmod(tmpfile.Name(), 0770)) | ||
| require.NotNil(t, checkRights(tmpfile.Name(), allowGroupExec)) | ||
|
|
||
| // other should have no right |
There was a problem hiding this comment.
Consider adding a separate 0702 test here (others can write)
When the agent runs in a container environment, the process can be executed with a "random" uid (for security reason). To allow the execution of the secret-backend command packaged inside the docker image. the secret-backend script need to allow the execution of a group uid. The new option "secret_backend_command_allow_group_exec_perm" allow to change the behaviour of the `checkRights()` function and allow GroupExecPerm. We update only the dockerfile configuration for the cluster-agent. because the "agent" process needs to run as root, so the described setup is not possible with the agent image: * change the readsecret.sh permission to 510 * set DD_SECRET_BACKEND_COMMAND_ALLOW_GROUP_EXEC_PERM env var to true by default in the cluster-agent entry-point
Co-authored-by: Lénaïc Huard <L3n41c@users.noreply.github.com>
Co-authored-by: Olivier Vielpeau <olivielpeau@users.noreply.github.com>
Co-authored-by: Trishank Karthik Kuppusamy <trishank.kuppusamy@datadoghq.com>
Signed-off-by: cedric lamoriniere <cedric.lamoriniere@datadoghq.com>
Co-authored-by: maxime mouial <hush-hush@users.noreply.github.com>
Co-authored-by: Olivier Vielpeau <olivielpeau@users.noreply.github.com>
Signed-off-by: cedric lamoriniere <cedric.lamoriniere@datadoghq.com>
clamoriniere
force-pushed
the
clamoriniere/fix-checks-permission-v1
branch
from
f587136 to
1c431ca
Compare
9 tasks
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
What does this PR do?
To allow the execution of the secret-backend command packaged inside
the docker image. the secret-backend script need to allow the execution
of a group uid.
The new option "secret_backend_command_allow_group_exec_perm" allow to
change the behaviour of the
checkRights()function and allow GroupExecPerm.We update only the dockerfile configuration for the cluster-agent. because
the "agent" process needs to run as root, so the described setup is not possible
with the agent image:
by default in the cluster-agent entry-point
Motivation
When the agent runs in a container environment, the process can be
executed with a "random" uid (for security reason)
Additional Notes
Anything else we should know when reviewing?
Describe your test plan
Start the
Cluster-Agentand use the "secret-backend" script packaged in the imagereadSecret.py. TheCluster-Agentshould not return a file permission check error.