Revision 20405aeb
| b/doc/design-2.2.rst | ||
|---|---|---|
| 687 | 687 |
requirements. |
| 688 | 688 |
|
| 689 | 689 |
|
| 690 |
Privilege separation |
|
| 691 |
~~~~~~~~~~~~~~~~~~~~ |
|
| 692 |
|
|
| 693 |
Current state and shortcomings |
|
| 694 |
++++++++++++++++++++++++++++++ |
|
| 695 |
|
|
| 696 |
All Ganeti daemons are run under the user root. This is not ideal from a |
|
| 697 |
security perspective as for possible exploitation of any daemon the user |
|
| 698 |
has full access to the system. |
|
| 699 |
|
|
| 700 |
In order to overcome this situation we'll allow Ganeti to run its daemon |
|
| 701 |
under different users and a dedicated group. This also will allow some |
|
| 702 |
side effects, like letting the user run some ``gnt-*`` commands if one |
|
| 703 |
is in the same group. |
|
| 704 |
|
|
| 705 |
Implementation |
|
| 706 |
++++++++++++++ |
|
| 707 |
|
|
| 708 |
For Ganeti 2.2 the implementation will be focused on a the RAPI daemon |
|
| 709 |
only. This involves changes to ``daemons.py`` so it's possible to drop |
|
| 710 |
privileges on daemonize the process. Though, this will be a short term |
|
| 711 |
solution which will be replaced by a privilege drop already on daemon |
|
| 712 |
startup in Ganeti 2.3. |
|
| 713 |
|
|
| 714 |
It also needs changes in the master daemon to create the socket with new |
|
| 715 |
permissions/owners to allow RAPI access. There will be no other |
|
| 716 |
permission/owner changes in the file structure as the RAPI daemon is |
|
| 717 |
started with root permission. In that time it will read all needed files |
|
| 718 |
and then drop privileges before contacting the master daemon. |
|
| 719 |
|
|
| 720 |
|
|
| 690 | 721 |
Feature changes |
| 691 | 722 |
--------------- |
| 692 | 723 |
|
Also available in: Unified diff