Revision 20405aeb
b/doc/design-2.2.rst | ||
---|---|---|
687 | 687 |
requirements. |
688 | 688 |
|
689 | 689 |
|
690 |
Privilege separation |
|
691 |
~~~~~~~~~~~~~~~~~~~~ |
|
692 |
|
|
693 |
Current state and shortcomings |
|
694 |
++++++++++++++++++++++++++++++ |
|
695 |
|
|
696 |
All Ganeti daemons are run under the user root. This is not ideal from a |
|
697 |
security perspective as for possible exploitation of any daemon the user |
|
698 |
has full access to the system. |
|
699 |
|
|
700 |
In order to overcome this situation we'll allow Ganeti to run its daemon |
|
701 |
under different users and a dedicated group. This also will allow some |
|
702 |
side effects, like letting the user run some ``gnt-*`` commands if one |
|
703 |
is in the same group. |
|
704 |
|
|
705 |
Implementation |
|
706 |
++++++++++++++ |
|
707 |
|
|
708 |
For Ganeti 2.2 the implementation will be focused on a the RAPI daemon |
|
709 |
only. This involves changes to ``daemons.py`` so it's possible to drop |
|
710 |
privileges on daemonize the process. Though, this will be a short term |
|
711 |
solution which will be replaced by a privilege drop already on daemon |
|
712 |
startup in Ganeti 2.3. |
|
713 |
|
|
714 |
It also needs changes in the master daemon to create the socket with new |
|
715 |
permissions/owners to allow RAPI access. There will be no other |
|
716 |
permission/owner changes in the file structure as the RAPI daemon is |
|
717 |
started with root permission. In that time it will read all needed files |
|
718 |
and then drop privileges before contacting the master daemon. |
|
719 |
|
|
720 |
|
|
690 | 721 |
Feature changes |
691 | 722 |
--------------- |
692 | 723 |
|
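Review bot: The privilege-drop description (new lines 708-718) never names the user and group the RAPI daemon switches to, nor does it say that supplementary groups are cleared and the group is changed before the user, so a reader cannot tell whether a partial drop (uid changed, gid or supplementary groups still root) is ruled out; suggest adding the dedicated user/group names and the drop order to the Implementation paragraph. The same paragraph should also list which root-only files are read before the drop, since "it will read all needed files and then drop privileges" is the only statement of that ordering and it is the part that breaks silently if a new file is added later. For the master-socket change (new lines 714-716), state the intended socket owner/group and mode rather than "new permissions/owners", because the Current state paragraph (new lines 701-703) already notes that group membership is enough to run ``gnt-*`` commands, so the chosen group effectively becomes the cluster admin group and deserves to be spelled out. Minor wording in the hunk: "focused on a the RAPI daemon" (new line 708) and "drop privileges on daemonize the process" (new line 709) read as typos; "when daemonizing" is presumably meant.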