From 22def41d37d8046541b25fca1fe806090bf14638 Mon Sep 17 00:00:00 2001
From: Ryan Hallisey
Date: Thu, 12 Nov 2015 10:46:10 -0500
Subject: [PATCH] Drop root privileges for rabbitmq

Drop root privileges for rabbitmq. Only the rabbitmq user will be able to execute chown of /var/lib/rabbitmq.

Change-Id: I546e6b475a8462bfbc75972854e1fee64f96d9cb
Partially-Implements: blueprint drop-root
---
 ansible/roles/rabbitmq/templates/rabbitmq.json.j2 | 2 +-
 docker/rabbitmq/Dockerfile.j2 | 8 +++++++-
 docker/rabbitmq/extend_start.sh | 2 +-
 docker/rabbitmq/rabbitmq_sudoers | 1 +
 4 files changed, 10 insertions(+), 3 deletions(-)
 create mode 100644 docker/rabbitmq/rabbitmq_sudoers

diff --git a/ansible/roles/rabbitmq/templates/rabbitmq.json.j2 b/ansible/roles/rabbitmq/templates/rabbitmq.json.j2
index 8eb38dc37e..82d7ad0bb7 100644
--- a/ansible/roles/rabbitmq/templates/rabbitmq.json.j2
+++ b/ansible/roles/rabbitmq/templates/rabbitmq.json.j2
@@ -1,5 +1,5 @@
 {
-    "command": "sudo -H -u rabbitmq /usr/sbin/rabbitmq-server",
+    "command": "/usr/sbin/rabbitmq-server",
     "config_files": [
         {
             "source": "{{ container_config_directory }}/rabbitmq-env.conf",
diff --git a/docker/rabbitmq/Dockerfile.j2 b/docker/rabbitmq/Dockerfile.j2
index f806f89779..fad8c4e4a7 100644
--- a/docker/rabbitmq/Dockerfile.j2
+++ b/docker/rabbitmq/Dockerfile.j2
@@ -28,6 +28,12 @@ RUN /usr/lib/rabbitmq/bin/rabbitmq-plugins enable --offline \
     && /bin/true
 
 COPY extend_start.sh /usr/local/bin/kolla_extend_start
-RUN chmod 755 /usr/local/bin/kolla_extend_start
+COPY rabbitmq_sudoers /etc/sudoers.d/rabbitmq_sudoers
+RUN chmod 755 /usr/local/bin/kolla_extend_start \
+    && chmod 750 /etc/sudoers.d \
+    && chmod 440 /etc/sudoers.d/rabbitmq_sudoers \
+    && usermod -a -G kolla rabbitmq
 
 {{ include_footer }}
+
+USER rabbitmq
\ No newline at end of file
diff --git a/docker/rabbitmq/extend_start.sh b/docker/rabbitmq/extend_start.sh
index e1c1007e33..06e71e810e 100644
--- a/docker/rabbitmq/extend_start.sh
+++ b/docker/rabbitmq/extend_start.sh
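Review bot: With `sudo -H -u rabbitmq` removed from `command`, nothing in this template sets HOME for the server process any more, while the bootstrap in extend_start.sh writes the Erlang cookie to `/var/lib/rabbitmq/.erlang.cookie`; it is worth confirming that HOME resolves to `/var/lib/rabbitmq` for the rabbitmq account under the Dockerfile's `USER rabbitmq`, or that rabbitmq-env.conf pins the cookie location, otherwise the server may look for the cookie elsewhere. The dropped `sudo` is also correct only together with that `USER rabbitmq` directive; if this template is ever paired with an image that lacks it, the server runs as root again. A Jinja comment at the top of the template, `{# runs as the image's USER (see docker/rabbitmq/Dockerfile.j2); no privilege switch happens here #}`, would record the dependency without changing the rendered JSON.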
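Review bot: The new `USER rabbitmq` at the end of the file is now the only thing keeping rabbitmq-server off root, since the JSON template no longer wraps the command in `sudo -u rabbitmq`, and nothing in the Dockerfile says so; a comment above it, `# Everything after this runs as rabbitmq; root is reachable only via /etc/sudoers.d/rabbitmq_sudoers for the bootstrap chown`, would make that explicit. The file also ends without a trailing newline after `USER rabbitmq`. Neither this hunk nor the sudoers file installs the sudo package, so it must come from earlier in the file or the base image (outside this hunk); if it is absent, the drop-in under `/etc/sudoers.d` is inert and the bootstrap `sudo chown` in extend_start.sh fails. The `usermod -a -G kolla rabbitmq` step is only needed because the sudoers rule is group-based; if that rule names the user instead, this line can go.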
@@ -3,8 +3,8 @@
 # Bootstrap and exit if KOLLA_BOOTSTRAP variable is set. This catches all cases
 # of the KOLLA_BOOTSTRAP variable being set, including empty.
 if [[ "${!KOLLA_BOOTSTRAP[@]}" ]]; then
+    sudo chown -R rabbitmq: /var/lib/rabbitmq
     echo "${RABBITMQ_CLUSTER_COOKIE}" > /var/lib/rabbitmq/.erlang.cookie
-    chown -R rabbitmq: /var/lib/rabbitmq
     chmod 400 /var/lib/rabbitmq/.erlang.cookie
     exit 0
 fi
diff --git a/docker/rabbitmq/rabbitmq_sudoers b/docker/rabbitmq/rabbitmq_sudoers
new file mode 100644
index 0000000000..7d3d091d8a
--- /dev/null
+++ b/docker/rabbitmq/rabbitmq_sudoers
@@ -0,0 +1 @@
+%kolla ALL=(root) NOPASSWD: /usr/bin/chown -R rabbitmq\: /var/lib/rabbitmq, /bin/chown -R rabbitmq\: /var/lib/rabbitmq
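Review bot: The new `sudo chown -R rabbitmq: /var/lib/rabbitmq` has no error check, and nothing in the hunk shows the script running under `set -e` (the shebang and any `set` options sit on lines 1–2, outside the hunk; the empty function context on the `@@` line suggests no such line is there, but that is inferred). If the sudo rule does not match — sudo not installed, PATH resolving chown to a path the rule does not list, or a syntax error in the drop-in — the following redirect and `chmod 400` fail as the unprivileged user, yet the block still reaches `exit 0`, so the bootstrap reports success with no cookie written. Change the line to `sudo chown -R rabbitmq: /var/lib/rabbitmq || exit 1`, or enable `set -o errexit` at the top of the script so every step in this block is checked.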
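Review bot: The rule is granted to `%kolla`, i.e. every account in the kolla group, whereas the commit message says only the rabbitmq user should be able to run this chown; naming the user directly, `rabbitmq ALL=(root) NOPASSWD: /usr/bin/chown -R rabbitmq\: /var/lib/rabbitmq, /bin/chown -R rabbitmq\: /var/lib/rabbitmq`, matches the stated intent and makes the `usermod -a -G kolla rabbitmq` in the Dockerfile unnecessary. Because rabbitmq owns `/var/lib/rabbitmq` after the first bootstrap, every later run recurses as root over a tree that user controls, so it is worth confirming that the image's chown does not follow symbolic links during `-R` (GNU coreutils defaults to `-P`, but verify for the base image) before relying on this rule long term. A comment line in the drop-in, `# bootstrap only: lets kolla_extend_start take ownership of the data volume as root`, would document why the rule exists.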