c2b6df05e0
Since [1], ``oslo_log.log.setup`` can be called without applying the fix for eventlet in native threads [2]. This fix clashes with the oslo.privsep logging handler that replaces the original one. This handler is implemented to allow the sync between the daemon process and the process making the privileged call. Once the oslo.log library version is bumped to 5.0.2, the try clause can be removed. [1]https://review.opendev.org/c/openstack/oslo.log/+/864252 [2]https://review.opendev.org/c/openstack/oslo.log/+/852443 Closes-Bug: #1995514 Related-Bug: #1995091 Change-Id: I7a4c55228064cb2dd4f4a359cdd81fd288baaf68
602 lines
20 KiB
Python
602 lines
20 KiB
Python
# Copyright 2015 Rackspace Inc.
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
|
# not use this file except in compliance with the License. You may obtain
|
|
# a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
|
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
|
# License for the specific language governing permissions and limitations
|
|
# under the License.
|
|
|
|
"""Privilege separation ("privsep") daemon.
|
|
|
|
To ease transition this supports 2 alternative methods of starting the
|
|
daemon, all resulting in a helper process running with elevated
|
|
privileges and open socket(s) to the original process:
|
|
|
|
1. Start via fork()
|
|
|
|
Assumes process currently has all required privileges and is about
|
|
to drop them (perhaps by setuid to an unprivileged user). If the
|
|
the initial environment is secure and `PrivContext.start(Method.FORK)`
|
|
is called early in `main()`, then this is the most secure and
|
|
simplest. In particular, if the initial process is already running
|
|
as non-root (but with sufficient capabilities, via eg suitable
|
|
systemd service files), then no part needs to involve uid=0 or
|
|
sudo.
|
|
|
|
2. Start via sudo/rootwrap
|
|
|
|
This starts the privsep helper on first use via sudo and rootwrap,
|
|
and communicates via a temporary Unix socket passed on the command
|
|
line. The communication channel is briefly exposed in the
|
|
filesystem, but is protected with file permissions and connecting
|
|
to it only grants access to the unprivileged process. Requires a
|
|
suitable entry in sudoers or rootwrap.conf filters.
|
|
|
|
The privsep daemon exits when the communication channel is closed,
|
|
(which usually occurs when the unprivileged process exits).
|
|
|
|
"""
|
|
|
|
from concurrent import futures
|
|
import enum
|
|
import errno
|
|
import io
|
|
import logging as pylogging
|
|
import os
|
|
import platform
|
|
import socket
|
|
import subprocess
|
|
import sys
|
|
import tempfile
|
|
import threading
|
|
|
|
import eventlet
|
|
from eventlet import patcher
|
|
from oslo_config import cfg
|
|
from oslo_log import log as logging
|
|
from oslo_utils import encodeutils
|
|
from oslo_utils import importutils
|
|
|
|
from oslo_privsep._i18n import _
|
|
from oslo_privsep import capabilities
|
|
from oslo_privsep import comm
|
|
|
|
if platform.system() == 'Linux':
|
|
import fcntl
|
|
import grp
|
|
import pwd
|
|
|
|
LOG = logging.getLogger(__name__)
|
|
|
|
|
|
EVENTLET_MODULES = ('os', 'select', 'socket', 'thread', 'time', 'MySQLdb',
|
|
'builtins', 'subprocess')
|
|
EVENTLET_LIBRARIES = []
|
|
|
|
|
|
def _null():
|
|
return []
|
|
|
|
|
|
for module in EVENTLET_MODULES:
|
|
if hasattr(patcher, '_green_%s_modules' % module):
|
|
method = getattr(patcher, '_green_%s_modules' % module)
|
|
elif hasattr(patcher, '_green_%s' % module):
|
|
method = getattr(patcher, '_green_%s' % module)
|
|
else:
|
|
method = _null()
|
|
EVENTLET_LIBRARIES.append((module, method))
|
|
|
|
|
|
@enum.unique
|
|
class StdioFd(enum.IntEnum):
|
|
# NOTE(gus): We can't use sys.std*.fileno() here. sys.std*
|
|
# objects may be random file-like objects that may not match the
|
|
# true system std* fds - and indeed may not even have a file
|
|
# descriptor at all (eg: test fixtures that monkey patch
|
|
# fixtures.StringStream onto sys.stdout). Below we always want
|
|
# the _real_ well-known 0,1,2 Unix fds during os.dup2
|
|
# manipulation.
|
|
STDIN = 0
|
|
STDOUT = 1
|
|
STDERR = 2
|
|
|
|
|
|
class FailedToDropPrivileges(Exception):
|
|
pass
|
|
|
|
|
|
class ProtocolError(Exception):
|
|
pass
|
|
|
|
|
|
def set_cloexec(fd):
|
|
flags = fcntl.fcntl(fd, fcntl.F_GETFD)
|
|
if (flags & fcntl.FD_CLOEXEC) == 0:
|
|
flags |= fcntl.FD_CLOEXEC
|
|
fcntl.fcntl(fd, fcntl.F_SETFD, flags)
|
|
|
|
|
|
def setuid(user_id_or_name):
|
|
try:
|
|
new_uid = int(user_id_or_name)
|
|
except (TypeError, ValueError):
|
|
new_uid = pwd.getpwnam(user_id_or_name).pw_uid
|
|
if new_uid != 0:
|
|
try:
|
|
os.setuid(new_uid)
|
|
except OSError:
|
|
msg = _('Failed to set uid %s') % new_uid
|
|
LOG.critical(msg)
|
|
raise FailedToDropPrivileges(msg)
|
|
|
|
|
|
def setgid(group_id_or_name):
|
|
try:
|
|
new_gid = int(group_id_or_name)
|
|
except (TypeError, ValueError):
|
|
new_gid = grp.getgrnam(group_id_or_name).gr_gid
|
|
if new_gid != 0:
|
|
try:
|
|
os.setgid(new_gid)
|
|
except OSError:
|
|
msg = _('Failed to set gid %s') % new_gid
|
|
LOG.critical(msg)
|
|
raise FailedToDropPrivileges(msg)
|
|
|
|
|
|
class PrivsepLogHandler(pylogging.Handler):
|
|
def __init__(self, channel, processName=None):
|
|
super(PrivsepLogHandler, self).__init__()
|
|
self.channel = channel
|
|
self.processName = processName
|
|
|
|
def emit(self, record):
|
|
# Vaguely based on pylogging.handlers.SocketHandler.makePickle
|
|
|
|
if self.processName:
|
|
record.processName = self.processName
|
|
|
|
data = dict(record.__dict__)
|
|
|
|
if record.exc_info:
|
|
if not record.exc_text:
|
|
fmt = self.formatter or pylogging.Formatter()
|
|
data['exc_text'] = fmt.formatException(record.exc_info)
|
|
data['exc_info'] = None # drop traceback in favor of exc_text
|
|
|
|
# serialise msg now so we can drop (potentially unserialisable) args
|
|
data['msg'] = record.getMessage()
|
|
data['args'] = ()
|
|
|
|
self.channel.send((None, (comm.Message.LOG, data)))
|
|
|
|
|
|
class _ClientChannel(comm.ClientChannel):
|
|
"""Our protocol, layered on the basic primitives in comm.ClientChannel"""
|
|
|
|
def __init__(self, sock, context):
|
|
self.log = logging.getLogger(context.conf.logger_name)
|
|
super(_ClientChannel, self).__init__(sock)
|
|
self.exchange_ping()
|
|
|
|
def exchange_ping(self):
|
|
try:
|
|
# exchange "ready" messages
|
|
reply = self.send_recv((comm.Message.PING.value,))
|
|
success = reply[0] == comm.Message.PONG
|
|
except Exception as e:
|
|
self.log.exception('Error while sending initial PING to privsep: '
|
|
'%s', e)
|
|
success = False
|
|
if not success:
|
|
msg = _('Privsep daemon failed to start')
|
|
self.log.critical(msg)
|
|
raise FailedToDropPrivileges(msg)
|
|
|
|
def remote_call(self, name, args, kwargs, timeout):
|
|
result = self.send_recv((comm.Message.CALL.value, name, args, kwargs),
|
|
timeout)
|
|
if result[0] == comm.Message.RET:
|
|
# (RET, return value)
|
|
return result[1]
|
|
elif result[0] == comm.Message.ERR:
|
|
# (ERR, exc_type, args)
|
|
#
|
|
# TODO(gus): see what can be done to preserve traceback
|
|
# (without leaking local values)
|
|
exc_type = importutils.import_class(result[1])
|
|
raise exc_type(*result[2])
|
|
else:
|
|
raise ProtocolError(_('Unexpected response: %r') % result)
|
|
|
|
def out_of_band(self, msg):
|
|
if msg[0] == comm.Message.LOG:
|
|
# (LOG, LogRecord __dict__)
|
|
message = {encodeutils.safe_decode(k): v
|
|
for k, v in msg[1].items()}
|
|
record = pylogging.makeLogRecord(message)
|
|
if self.log.isEnabledFor(record.levelno):
|
|
self.log.logger.handle(record)
|
|
else:
|
|
self.log.warning('Ignoring unexpected OOB message from privileged '
|
|
'process: %r', msg)
|
|
|
|
|
|
def fdopen(fd, *args, **kwargs):
|
|
# NOTE(gus): We can't just use os.fdopen() here and allow the
|
|
# regular (optional) monkey_patching to do its thing. Turns out
|
|
# that regular file objects (as returned by os.fdopen) on python2
|
|
# are broken in lots of ways regarding blocking behaviour. We
|
|
# *need* the newer io.* objects on py2 (doesn't matter on py3,
|
|
# since the old file code has been replaced with io.*)
|
|
if eventlet.patcher.is_monkey_patched('socket'):
|
|
return eventlet.greenio.GreenPipe(fd, *args, **kwargs)
|
|
else:
|
|
return io.open(fd, *args, **kwargs)
|
|
|
|
|
|
def _fd_logger(level=logging.WARN):
|
|
"""Helper that returns a file object that is asynchronously logged"""
|
|
read_fd, write_fd = os.pipe()
|
|
read_end = fdopen(read_fd, 'r', 1)
|
|
write_end = fdopen(write_fd, 'w', 1)
|
|
|
|
def logger(f):
|
|
for line in f:
|
|
LOG.log(level, 'privsep log: %s', line.rstrip())
|
|
t = threading.Thread(
|
|
name='fd_logger',
|
|
target=logger, args=(read_end,)
|
|
)
|
|
t.daemon = True
|
|
t.start()
|
|
|
|
return write_end
|
|
|
|
|
|
def replace_logging(handler, log_root=None):
|
|
if log_root is None:
|
|
log_root = logging.getLogger(None).logger # root logger
|
|
for h in log_root.handlers:
|
|
log_root.removeHandler(h)
|
|
log_root.addHandler(handler)
|
|
|
|
|
|
def un_monkey_patch():
|
|
for eventlet_mod_name, func_modules in EVENTLET_LIBRARIES:
|
|
if not eventlet.patcher.is_monkey_patched(eventlet_mod_name):
|
|
continue
|
|
|
|
for name, mod in func_modules():
|
|
patched_mod = sys.modules.get(name)
|
|
orig_mod = eventlet.patcher.original(name)
|
|
for attr_name in mod.__patched__:
|
|
patched_attr = getattr(mod, attr_name, None)
|
|
unpatched_attr = getattr(orig_mod, attr_name, None)
|
|
if patched_attr is not None:
|
|
setattr(patched_mod, attr_name, unpatched_attr)
|
|
|
|
|
|
class ForkingClientChannel(_ClientChannel):
|
|
def __init__(self, context):
|
|
"""Start privsep daemon using fork()
|
|
|
|
Assumes we already have required privileges.
|
|
"""
|
|
|
|
sock_a, sock_b = socket.socketpair()
|
|
|
|
for s in (sock_a, sock_b):
|
|
s.setblocking(True)
|
|
# Important that these sockets don't get leaked
|
|
set_cloexec(s)
|
|
|
|
# Try to prevent any buffered output from being written by both
|
|
# parent and child.
|
|
for f in (sys.stdout, sys.stderr):
|
|
f.flush()
|
|
|
|
if os.fork() == 0:
|
|
# child
|
|
un_monkey_patch()
|
|
|
|
channel = comm.ServerChannel(sock_b)
|
|
sock_a.close()
|
|
|
|
# Replace root logger early (to capture any errors during setup)
|
|
replace_logging(PrivsepLogHandler(channel,
|
|
processName=str(context)))
|
|
|
|
Daemon(channel, context=context).run()
|
|
LOG.debug('privsep daemon exiting')
|
|
os._exit(0)
|
|
|
|
# parent
|
|
|
|
sock_b.close()
|
|
super(ForkingClientChannel, self).__init__(sock_a, context)
|
|
|
|
|
|
class RootwrapClientChannel(_ClientChannel):
|
|
def __init__(self, context):
|
|
"""Start privsep daemon using exec()
|
|
|
|
Uses sudo/rootwrap to gain privileges.
|
|
"""
|
|
|
|
listen_sock = socket.socket(socket.AF_UNIX)
|
|
|
|
# Note we listen() on the unprivileged side, and connect to it
|
|
# from the privileged process. This means there is no exposed
|
|
# attack point on the privileged side.
|
|
|
|
# NB: Permissions on sockets are not checked on some (BSD) Unices
|
|
# so create socket in a private directory for safety. Privsep
|
|
# daemon will (initially) be running as root, so will still be
|
|
# able to connect to sock path.
|
|
tmpdir = tempfile.mkdtemp() # NB: created with 0700 perms
|
|
|
|
try:
|
|
sockpath = os.path.join(tmpdir, 'privsep.sock')
|
|
listen_sock.bind(sockpath)
|
|
listen_sock.listen(1)
|
|
|
|
cmd = context.helper_command(sockpath)
|
|
LOG.info('Running privsep helper: %s', cmd)
|
|
proc = subprocess.Popen(cmd, shell=False, stderr=_fd_logger())
|
|
if proc.wait() != 0:
|
|
msg = ('privsep helper command exited non-zero (%s)' %
|
|
proc.returncode)
|
|
LOG.critical(msg)
|
|
raise FailedToDropPrivileges(msg)
|
|
LOG.info('Spawned new privsep daemon via rootwrap')
|
|
|
|
sock, _addr = listen_sock.accept()
|
|
LOG.debug('Accepted privsep connection to %s', sockpath)
|
|
|
|
finally:
|
|
# Don't need listen_sock anymore, so clean up.
|
|
listen_sock.close()
|
|
try:
|
|
os.unlink(sockpath)
|
|
except OSError as e:
|
|
if e.errno != errno.ENOENT:
|
|
raise
|
|
os.rmdir(tmpdir)
|
|
|
|
super(RootwrapClientChannel, self).__init__(sock, context)
|
|
|
|
|
|
class Daemon(object):
|
|
"""NB: This doesn't fork() - do that yourself before calling run()"""
|
|
|
|
def __init__(self, channel, context):
|
|
self.channel = channel
|
|
self.context = context
|
|
self.user = context.conf.user
|
|
self.group = context.conf.group
|
|
self.caps = set(context.conf.capabilities)
|
|
self.thread_pool = futures.ThreadPoolExecutor(
|
|
context.conf.thread_pool_size)
|
|
self.communication_error = None
|
|
|
|
def run(self):
|
|
"""Run request loop. Sets up environment, then calls loop()"""
|
|
os.chdir("/")
|
|
os.umask(0)
|
|
self._drop_privs()
|
|
self._close_stdio()
|
|
|
|
self.loop()
|
|
|
|
def _close_stdio(self):
|
|
with open(os.devnull, 'w+') as devnull:
|
|
os.dup2(devnull.fileno(), StdioFd.STDIN)
|
|
os.dup2(devnull.fileno(), StdioFd.STDOUT)
|
|
# stderr is left untouched
|
|
|
|
def _drop_privs(self):
|
|
try:
|
|
# Keep current capabilities across setuid away from root.
|
|
capabilities.set_keepcaps(True)
|
|
|
|
if self.group is not None:
|
|
try:
|
|
os.setgroups([])
|
|
except OSError:
|
|
msg = _('Failed to remove supplemental groups')
|
|
LOG.critical(msg)
|
|
raise FailedToDropPrivileges(msg)
|
|
|
|
if self.user is not None:
|
|
setuid(self.user)
|
|
|
|
if self.group is not None:
|
|
setgid(self.group)
|
|
|
|
finally:
|
|
capabilities.set_keepcaps(False)
|
|
|
|
LOG.info('privsep process running with uid/gid: %(uid)s/%(gid)s',
|
|
{'uid': os.getuid(), 'gid': os.getgid()})
|
|
|
|
capabilities.drop_all_caps_except(self.caps, self.caps, [])
|
|
|
|
def fmt_caps(capset):
|
|
if not capset:
|
|
return 'none'
|
|
fc = [capabilities.CAPS_BYVALUE.get(c, str(c))
|
|
for c in capset]
|
|
fc.sort()
|
|
return '|'.join(fc)
|
|
|
|
eff, prm, inh = capabilities.get_caps()
|
|
LOG.info(
|
|
'privsep process running with capabilities '
|
|
'(eff/prm/inh): %(eff)s/%(prm)s/%(inh)s',
|
|
{
|
|
'eff': fmt_caps(eff),
|
|
'prm': fmt_caps(prm),
|
|
'inh': fmt_caps(inh),
|
|
})
|
|
|
|
def _process_cmd(self, msgid, cmd, *args):
|
|
"""Executes the requested command in an execution thread.
|
|
|
|
This executes a call within a thread executor and returns the results
|
|
of the execution.
|
|
|
|
:param msgid: The message identifier.
|
|
:param cmd: The `Message` type indicating the command type.
|
|
:param args: The function, args, and kwargs if a Message.CALL type.
|
|
:return: A tuple of the return status, optional call output, and
|
|
optional error information.
|
|
"""
|
|
if cmd == comm.Message.PING:
|
|
return (comm.Message.PONG.value,)
|
|
|
|
try:
|
|
if cmd != comm.Message.CALL:
|
|
raise ProtocolError(_('Unknown privsep cmd: %s') % cmd)
|
|
|
|
# Extract the callable and arguments
|
|
name, f_args, f_kwargs = args
|
|
func = importutils.import_class(name)
|
|
if not self.context.is_entrypoint(func):
|
|
msg = _('Invalid privsep function: %s not exported') % name
|
|
raise NameError(msg)
|
|
|
|
ret = func(*f_args, **f_kwargs)
|
|
return (comm.Message.RET.value, ret)
|
|
except Exception as e:
|
|
LOG.debug(
|
|
'privsep: Exception during request[%(msgid)s]: '
|
|
'%(err)s', {'msgid': msgid, 'err': e}, exc_info=True)
|
|
cls = e.__class__
|
|
cls_name = '%s.%s' % (cls.__module__, cls.__name__)
|
|
return (comm.Message.ERR.value, cls_name, e.args)
|
|
|
|
def _create_done_callback(self, msgid):
|
|
"""Creates a future callback to receive command execution results.
|
|
|
|
:param msgid: The message identifier.
|
|
:return: A future reply callback.
|
|
"""
|
|
channel = self.channel
|
|
|
|
def _call_back(result):
|
|
"""Future execution callback.
|
|
|
|
:param result: The `future` execution and its results.
|
|
"""
|
|
try:
|
|
reply = result.result()
|
|
LOG.debug('privsep: reply[%(msgid)s]: %(reply)s',
|
|
{'msgid': msgid, 'reply': reply})
|
|
channel.send((msgid, reply))
|
|
except IOError:
|
|
self.communication_error = sys.exc_info()
|
|
except Exception as e:
|
|
LOG.debug(
|
|
'privsep: Exception during request[%(msgid)s]: '
|
|
'%(err)s', {'msgid': msgid, 'err': e}, exc_info=True)
|
|
cls = e.__class__
|
|
cls_name = '%s.%s' % (cls.__module__, cls.__name__)
|
|
reply = (comm.Message.ERR.value, cls_name, e.args)
|
|
try:
|
|
channel.send((msgid, reply))
|
|
except IOError as exc:
|
|
self.communication_error = exc
|
|
|
|
return _call_back
|
|
|
|
def loop(self):
|
|
"""Main body of daemon request loop"""
|
|
LOG.info('privsep daemon running as pid %s', os.getpid())
|
|
|
|
# We *are* this context now - any calls through it should be
|
|
# executed locally.
|
|
self.context.set_client_mode(False)
|
|
|
|
for msgid, msg in self.channel:
|
|
error = self.communication_error
|
|
if error:
|
|
if error.errno == errno.EPIPE:
|
|
# Write stream closed, exit loop
|
|
break
|
|
raise error
|
|
|
|
# Submit the command for execution
|
|
future = self.thread_pool.submit(self._process_cmd, msgid, *msg)
|
|
future.add_done_callback(self._create_done_callback(msgid))
|
|
|
|
LOG.debug('Socket closed, shutting down privsep daemon')
|
|
|
|
|
|
def helper_main():
|
|
"""Start privileged process, serving requests over a Unix socket."""
|
|
|
|
cfg.CONF.register_cli_opts([
|
|
cfg.StrOpt('privsep_context', required=True),
|
|
cfg.StrOpt('privsep_sock_path', required=True),
|
|
])
|
|
|
|
logging.register_options(cfg.CONF)
|
|
|
|
cfg.CONF(args=sys.argv[1:], project='privsep')
|
|
# note replace_logging call below
|
|
try:
|
|
logging.setup(cfg.CONF, 'privsep', fix_eventlet=False)
|
|
except TypeError:
|
|
# NOTE(ralonsoh): in case of using oslo.log<5.0.2, kwarg
|
|
# "fix_eventlet" won't be defined. Remove this try clause when oslo.log
|
|
# is bumped.
|
|
logging.setup(cfg.CONF, 'privsep')
|
|
|
|
context = importutils.import_class(cfg.CONF.privsep_context)
|
|
from oslo_privsep import priv_context # Avoid circular import
|
|
if not isinstance(context, priv_context.PrivContext):
|
|
LOG.fatal('--privsep_context must be the (python) name of a '
|
|
'PrivContext object')
|
|
|
|
sock = socket.socket(socket.AF_UNIX)
|
|
sock.connect(cfg.CONF.privsep_sock_path)
|
|
set_cloexec(sock)
|
|
channel = comm.ServerChannel(sock)
|
|
|
|
# Channel is set up, so fork off daemon "in the background" and exit
|
|
if os.fork() != 0:
|
|
# parent
|
|
return
|
|
|
|
# child
|
|
|
|
# Note we don't move into a new process group/session like a
|
|
# regular daemon might, since we _want_ to remain associated with
|
|
# the originating (unprivileged) process.
|
|
|
|
# Channel is set up now, so move to in-band logging
|
|
replace_logging(PrivsepLogHandler(channel))
|
|
|
|
LOG.info('privsep daemon starting')
|
|
|
|
try:
|
|
Daemon(channel, context).run()
|
|
except Exception as e:
|
|
LOG.exception(e)
|
|
sys.exit(str(e))
|
|
|
|
LOG.debug('privsep daemon exiting')
|
|
sys.exit(0)
|
|
|
|
|
|
if __name__ == '__main__':
|
|
helper_main()
|