Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Restrict config write access #322

Closed
kingpong opened this issue Jun 2, 2016 · 7 comments
Closed

Restrict config write access #322

kingpong opened this issue Jun 2, 2016 · 7 comments

Comments

@kingpong
Copy link

kingpong commented Jun 2, 2016

The consul cookbook makes the Consul config writable by the same user that runs the service, which is unnecessary and could be an attack vector. Would you accept a pull request which adds a couple new attributes and uses them for the ownership of /etc/consul?

default['consul']['config_owner'] = 'consul'  # allows overriding with 'root' in wrapper
default['consul']['config_group'] = 'consul'
@johnbellone
Copy link
Contributor

Perhaps we simply remove the attributes passing through in the default recipe (on this resource) and rely on the defaults. If you want to change to root/root you can override the config hash?

@kingpong
Copy link
Author

kingpong commented Jun 2, 2016

Ah! That didn't even occur to me. I think that's a great solution.

@kingpong
Copy link
Author

kingpong commented Jun 2, 2016

I may have spoke too soon. The conf.d directory is actually created by consul_service, not consul_config which means it is owned by the service user. Does conf.d need to be writable by the service user? If not, it could be moved into consul_config and belong to node['consul']['config']['owner'].

@johnbellone
Copy link
Contributor

I think it makes sense to move that directory and set permissions accordingly.

kingpong pushed a commit to kingpong/consul-cookbook that referenced this issue Jun 4, 2016
@pgarrett-twc
Prevent consul from writing its own config
a5e2516 
This fixes issue sous-chefs#322.

The consul cookbook makes the Consul config writable by the same user
that runs the service, which is unnecessary and could be an attack
vector. This commit allows the user to specify a different set of
permissions for the configuration directories (/etc/consul) than for the
runtime data directory (/var/lib/consul).

The config owner still defaults to 'consul' since changing it to root is
a breaking change.
This was referenced Jun 4, 2016
Merged
Merged
@kingpong
Copy link
Author

kingpong commented Jul 3, 2016

Fixed in #323 and #324.

@kingpong kingpong closed this as completed Jul 3, 2016
@nidhishopback
Copy link

Hi,

I am facing an issue related to config file permissions. I have overridden the default user of config and service to 'root' in wrapper cookbook :

override['consul']['config']['owner'] = 'root'
override['consul']['config']['group'] = 'root'
override['consul']['service_user'] = 'root'
override['consul']['service_group'] = 'root'

Still, on running chef-client, it looks for consul user to add a service config :(

* file[/etc/consul/conf.d/chef-client.json] action create
      * cannot determine user id for 'consul', does the user exist on this system?
      ================================================================================
      Error executing action `create` on resource 'file[/etc/consul/conf.d/chef-client.json]'
      ================================================================================

      Chef::Exceptions::UserIDNotFound
      --------------------------------
      cannot determine user id for 'consul', does the user exist on this system?

Can you please suggest what I am missing here to have my config files owned by root?

@lock
Copy link

lock bot commented Apr 25, 2020

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

@lock lock bot locked as resolved and limited conversation to collaborators Apr 25, 2020
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@kingpong @johnbellone @nidhishopback