Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Drop privileges to user pelican if requested #1850

Merged
merged 8 commits into from
Feb 18, 2025
Merged

Drop privileges to user pelican if requested #1850

merged 8 commits into from
Feb 18, 2025

Conversation

bbockelm
Copy link
Collaborator

This drafts out an approach to having the pelican server process run unprivileged after initial startup. Components:

  1. This is enabled/disabled by configuration parameters, Server.DropPrivileges and currently defaults to false.
  2. The configuration now tracks a new user object, the "Pelican" user (defaulting to pelican). This represents the target daemon user the process will be run as once the permissions are dropped.
  3. The beginnings of marking the various configuration & runtime directories/files of the service as belonging to the pelican user.
  4. Infrastructure to signal to the xrootd process to either send itself a signal or make a copy of the file descriptor.
  5. Image build infrastructure for the new plugin. To make the final PR smaller, this item could be pulled out into a separate PR.
  6. Finally, actually dropping the privileges to the pelican user after launch is almost complete.

TODO items:

  • Open a separate issue to handle the RPM-side of the changes. We've now grown a new dependency on an XRootD plugin and need to get the OSG packaging in a similar condition.
  • Actually test the signaling between pelican and the new xrootd plugin. I'm simply showing this as the draft of the approach so it can be handed off to @h2zh. I expect this is going to need bugfixes.
  • More thorough investigation of file ownership.
  • Write a unit test that, when run as root, will fork off a separate process and run a "federation in a box" with drop privileges enabled. Check the functionality of host certificate updates, shutdown signaling, and the ownership of directories is as expected.

@bbockelm bbockelm added critical High priority for next release cache Issue relating to the cache component origin Issue relating to the origin component director Issue relating to the director component registry Issue relating to the registry component security labels Dec 23, 2024
@bbockelm bbockelm added this to the v7.13.0 milestone Dec 23, 2024
@bbockelm bbockelm mentioned this pull request Dec 23, 2024
Closed
matyasselmeci
matyasselmeci reviewed Dec 26, 2024
View reviewed changes
@h2zh
Copy link
Collaborator

h2zh commented Jan 18, 2025
edited
Loading

Update: the following action was not a suitable approach. The content of that PR was converted to a commit in this drop_privs branch.
I created a PR bbockelm#1 to merge the unit test to bbockelm:drop_privs

@h2zh h2zh linked an issue Jan 18, 2025 that may be closed by this pull request
Drop privileges in API server #1227
Closed
7 tasks
@jhiemstrawisc jhiemstrawisc modified the milestones: v7.13.0, v7.14 Jan 30, 2025
@h2zh h2zh force-pushed the drop_privs branch 4 times, most recently from 7b50e31 to b7f0e8f Compare February 7, 2025 21:22
@h2zh h2zh force-pushed the drop_privs branch 2 times, most recently from 28f39fb to 5bc8526 Compare February 11, 2025 22:16
bbockelm and others added 5 commits February 12, 2025 22:40
@bbockelm @h2zh
Add new config infrastructure for dropping to pelican user
104e945 
This introduces new parameters for dropping to a lower-privileged
`pelican` user when running as root and the first round of directory
ownership changes.

The goal is that, when run as root and drop-priv is enabled, all
Pelican directories and config files are owned by the pelican user.
Otherwise, they'll continue to be owned as root.
@bbockelm @h2zh
When dropping privileges, enable and use the xrdhttp-pelican plugin
8c4ad55 
The plugin provides a means for an unprivileged process (namely, `pelican`)
to request xrootd send itself a signal via a Unix socket and to copy
the host cert via a sent file descriptor.

This refactors the launcher kill logic so the plugin can be used instead
of the traditional signal-based approach.
@bbockelm @h2zh
If needed, drop privileges to pelican after startup of server
29409f4
@h2zh
Unit test for dropping privilege signaling
7da632e
@h2zh
fix loopholes in dir/file permissions setting and linter errors
c71386d
@h2zh h2zh force-pushed the drop_privs branch 2 times, most recently from a4af670 to 4c2e766 Compare February 14, 2025 16:44
@Saartank Saartank mentioned this pull request Feb 14, 2025
Open
Saartank
Saartank reviewed Feb 17, 2025
View reviewed changes
@h2zh h2zh merged commit 3ae700e into PelicanPlatform:main Feb 18, 2025
26 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@matyasselmeci matyasselmeci matyasselmeci left review comments

@h2zh h2zh h2zh left review comments

@Saartank Saartank Saartank approved these changes

Assignees

@h2zh h2zh

Labels
cache Issue relating to the cache component critical High priority for next release director Issue relating to the director component origin Issue relating to the origin component registry Issue relating to the registry component security
Projects
None yet
Milestone
v7.14
Development

Successfully merging this pull request may close these issues.

Drop privileges in API server
5 participants
@bbockelm @h2zh @matyasselmeci @Saartank @jhiemstrawisc