use DynamicUser=yes for all cockpit components #16811
Draft
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
allisonkarlitskaya
added
the
blocked
|
I filed systemd/systemd#23067 to start the discussion. |
This was referenced Jan 3, 2023
|
Rebased after the rebasing of #16808 and the recent heavy changes to sysuser management. Locally this at least works for a simple local session, let's see if there's any fallout beyond what's already in #16808.
I didn't port this bit yet, let's do that step separately. We have much more freedom to change this once everything is a DynamicUser. |
martinpitt
added
the
no-test
|
Cool -- the test failures are by and large the same as in #16808. Just the unit lifecycle test fails in addition, but that'll be straightforward to fix -- and indeed we should adjust this some more to check proper cleanup after stopping. |
|
xref containers/bootc#870 too here |
Stop failing with "didn't receive expected authorize message", as that's confusing -- the user did nothing wrong. Instead, silently exit successfully, and let cockpit-ws handle the timeout. This is mostly occurring when enabling Negotiate (kerberos) authentication, and thus cockpit-ws always starts *two* cockpit-session attempts (one for Negotiate, one for PAM), like in TestIPA.testQualifiedUsers.
This makes it easier for callers to treat the reply as textual string. The only remaining user is cockpit-session, where we will need this behaviour in the following commit.
We want to parse more fields than just "response" from the authorize message in the message. So remove the very rigidly harcoded parsing in `read_authorize_response()` and let it return the whole JSON string instead. Add a new `get_authorize_key()` function that parses a single value from that, and adjust the callers accordingly. This is a very restricted parser to keep things simple: No spaces in the structure, and no escaping. We can assume all that as cockpit-ws sends very controlled messages, and '"' isn't used in base64 values. In the worst case we get a truncated value, which will just fail authentication. Localize some variables while we are at it.
Drop the duplicated (but not identical!) implementation of `read_authorize_response()` and use the real implementation.
Run socket-activated cockpit-session with correct context. By default it is `init_t`, but that will produce a memfd with the wrong permissions, which the session cannot read. Allow cockpit-ws to connect to /run/cockpit/session. Allow restricted user_t and sysadm_t sessions to communicate (but not connect) to cockpit-ws through the session unix socket. (Covered by TestLogin.testSELinuxRestrictedUser)
…codes cockpit-session exits with 5 on authentication failures, including `authentication-unavailable`; or with 127 on authentication timeouts. These aren't a reason to mark the unit as failed.
The point of this is really to determine the cgroup of our caller, i.e. the cockpit-ws process. With [email protected] this is different than cockpit-session's own cgroup. Rename the variables to clarify this.
If cockpit-ws directly spawns cockpit-session, it can process the 127 exit code by itself. But there is no exit code if that happens via unix socket. Check this condition explicitly and report `no-cockpit` via the protocol. This triggers a more specific error path in cockpit-ws and the login page, adjust TestConnection.testBasic accordingly.
The test idles on the login page for more than the 60s authorize timeout. When running cockpit-session via unix socket, this causes some unsightly "session timed out during authentication" messages. This ought to be handled better in cockpit-ws, but for the time being ignore these messages.
The various perform_*() functions all assume a non-NULL rhost, as several functions such as `btmp_log()` do unchecked strncpy() on them. Add assertions to (1) make them fail more gracefully and usefully), and (2) document that requirement more explicitly. This is currently guaranteed by having an explicit fallback to `""` if `$COCKPIT_REMOTE_PEER` isn't set.
cockpit_session_launch() doesn't set this env if the remote host is unknown. That is never the case in practice at least in our tests, but callers should still be aware of it.
Passing the remote peer from ws to cockpit-session via the `$COCKPIT_REMOTE_PEER` environment variable does not work in unix socket mode. So make that part of the protocol instead and attach it to the authorize response.
When cockpit-session's stdin is a Unix socket, it is being spawned by cockpit-ws through [email protected]. In that case it doesn't make sense to look at its own cgroup, but we need to check the cgroup of the socket peer (i.e. cockpit-ws). We must guard against PID recycling attacks: 1. Eve logs into cockpit, gets ws pid E, and hacks ws: connect to session, forks, keeps the session fd in a different process, and kills pid E. 3. Eve waits until Alice logs in again and happens to get ws pid E (which can happen with a sufficient number of forks, social engineering, and some luck). cockpit-session checks that pid E is in cgroup /cockpit/alice, and starts an alice session for Eve's ws. (Note: SO_PEERCRED gives you pid/uid/gid at the time connect() was made.) Thus require that the peer (ws) must have started earlier than cockpit-session. This is the same approach that polkit uses as a fallback if pidfds are not available: https://github.com/polkit-org/polkit/blob/main/src/polkit/polkitunixprocess.c Note that pidfds don't help us: There is no API to directly get from a pidfd to a cgroup, startup time, or /proc/<pid> dirfd, this has to happen via `pidfd_getpid()` and opening /proc/pid. But that's exactly what we want to avoid, and thus is pointless (they are also only available since kernel 6.5).
ws times out the authorization attempt after one minute (`cockpit_ws_auth_response_timeout`). Introduce a similar timeout on the session side. This makes PID recycling attacks harder, as their victim now has to log in within one minute.
Unless it's otherwise specified in the configuration file, we now spawn cockpit-session by connecting to /run/cockpit/session if that exists. Fall back to calling cockpit-session directly for custom setups. We leave the cockpit_ws_session_program variable in place to allow the tests to override things. Update the unit files for cockpit-ws to ensure that the socket is available when cockpit-ws is running. Adjust TestConnection.testBasic accordingly: When running cockpit-session via unix socket activation, its group permissions are irrelevant. More thoroughly move the binary away and also disable the socket, to fail both of cockpit-ws' session creation attempts. Co-Authored-By: Martin Pitt <[email protected]>
systemd spawns this for us now, so we don't need the setuid bit anymore. Clean up the statoverride in the Debian packaging on upgrades. However, that means that cockpit-ws cannot be run as `cockpit-wsinstance` user outside of the unit any more. Adjust our tests to run it as root instead.
12 tasks
Unfortunately, socket units can't set DynamicUser=yes, so add a dependency on a separate .service created just for this purpose. /run/cockpit/session is now owned by group cockpit-session-socket which also gets added as a supplementary group to the cockpit-ws units.
martinpitt
force-pushed
the
dynamic-users
branch
from
4752cca
to
e0fcb87
Compare
|
I want to see this all in action, the "look ma! no static users!" hands-free operation. I rebased/unconflicted this on top of current #16808, and fixed it up a little bit. |
Similar to the last commit, we create a dynamic group for the sockets in /run/cockpit/wsinstance and add a supplementary group to cockpit-tls.
We only dynamically generate a single .socket file now. The rest of them are in version control and installed verbatim.
Co-Authored-By: Martin Pitt <[email protected]>
martinpitt
force-pushed
the
dynamic-users
branch
from
e0fcb87
to
cd54812
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Switch over to systemd allocating user IDs for us dynamically, dropping our static users.
We create these users dynamically:
cockpit-session-socketis the group owner of/run/cockpit/sessioncockpit-wsinstance-socketis the group owner of all sockets in/run/cockpit/wsinstance/cockpit-tlsgets its own usercockpit-wsinstance-http{,s@}.serviceeach get a user. In this case, I think the separate https instances even each get a separate user.Right now it's not working. There seem to be quite some edge cases, particularly involving the use of
DynamicUserin combination withSupplementaryGroup. Also, the approach to using virtual services to create the dynamic user is really strange.I feel like we maybe shouldn't proceed here until we get better support for this from systemd.