Drop privileges when running commands

Drop privileges to a regular user when running commands defined by this snap. In most cases this is done prior to executing the command. NGINX is an exception in that the command will be run as root, allowing the the master process to bind to ports. The nginx.conf template is configured to then drop privileges for worker processes, which do all work, such as handling network connections, r/w to disk, and communication with servers. Change-Id: If9bf24fc65412b90b8b1890944a469de23888c32
2017-05-15 14:50:07 +00:00 · 2017-05-15 14:50:07 +00:00 · c10ad0d9eb
parent e1ddca5d4e
commit c10ad0d9eb
4 changed files with 20 additions and 8 deletions
--- a/snap/snap-openstack.yaml
+++ b/snap/snap-openstack.yaml
@ -1,25 +1,33 @@
 setup:
+  users:
+    snap-keystone: [snap-keystone]
+  default-owner: "root:snap-keystone"
  dirs:
+    - "{snap_common}/etc"
    - "{snap_common}/etc/keystone"
    - "{snap_common}/etc/keystone/conf.d"
-    - "{snap_common}/etc/keystone/fernet-keys"
    - "{snap_common}/etc/nginx"
    - "{snap_common}/etc/uwsgi"
+    - "{snap_common}/fernet-keys"
    - "{snap_common}/lib"
    - "{snap_common}/lock"
    - "{snap_common}/log"
    - "{snap_common}/run"
  templates:
-    keystone-snap.conf.j2: "{snap_common}/etc/keystone/conf.d/keystone-snap.conf"
    admin.ini.j2: "{snap_common}/etc/uwsgi/admin.ini"
-    public.ini.j2: "{snap_common}/etc/uwsgi/public.ini"
    keystone-nginx.conf.j2: "{snap_common}/etc/nginx/sites-enabled/keystone.conf"
-    # NOTE(coreycb): drop root from nginx.conf template when support lands for
-    # dropping permissions to regular user.
+    keystone-snap.conf.j2: "{snap_common}/etc/keystone/conf.d/keystone-snap.conf"
    nginx.conf.j2: "{snap_common}/etc/nginx/nginx.conf"
+    public.ini.j2: "{snap_common}/etc/uwsgi/public.ini"
  copyfiles:
    "{snap}/etc/keystone": "{snap_common}/etc/keystone"
    "{snap}/usr/conf": "{snap_common}/etc/nginx"
+  rchown:
+    "{snap_common}/fernet-keys": "snap-keystone:snap-keystone"
+    "{snap_common}/lib": "snap-keystone:snap-keystone"
+    "{snap_common}/lock": "snap-keystone:snap-keystone"
+    "{snap_common}/log": "snap-keystone:snap-keystone"
+    "{snap_common}/run": "snap-keystone:snap-keystone"
 entry_points:
  keystone-manage:
    binary: "{snap}/bin/keystone-manage"
@ -27,10 +35,14 @@ entry_points:
      - "{snap_common}/etc/keystone/keystone.conf"
    config-dirs:
      - "{snap_common}/etc/keystone/conf.d"
+    run-as:
+      snap-keystone: [snap-keystone]
  keystone-uwsgi:
    type: uwsgi
    uwsgi-dir: "{snap_common}/etc/uwsgi"
    log-file: "{snap_common}/log/uwsgi.log"
+    run-as:
+      snap-keystone: [snap-keystone]
  keystone-nginx:
    type: nginx
    config-file: "{snap_common}/etc/nginx/nginx.conf"
--- a/snap/templates/keystone-snap.conf.j2
+++ b/snap/templates/keystone-snap.conf.j2
@ -8,4 +8,4 @@ lock_path = {{ snap_common }}/lock

 [fernet_tokens]
 # Fernet key repository
-key_repository = {{ snap_common }}/etc/fernet-keys
+key_repository = {{ snap_common }}/fernet-keys
--- a/snap/templates/nginx.conf.j2
+++ b/snap/templates/nginx.conf.j2
@ -1,4 +1,4 @@
-user root;
+user snap-keystone snap-keystone;
 worker_processes auto;
 pid {{ snap_common }}/run/nginx.pid;

--- a/snapcraft.yaml
+++ b/snapcraft.yaml
@ -73,7 +73,7 @@ parts:
        - etc/keystone/*.json
        - etc/keystone/*.templates
    stage: [$etc]
-    snap: [$etc]
+    prime: [$etc]
  nginx:
    source: http://www.nginx.org/download/nginx-1.13.0.tar.gz
    plugin: autotools