Run the application as a non root user

[agrare]

A highly effective approach to mitigating security attacks by users via the API or UI is to run the application as an unprivileged user. This means that even if a vulnerability is exploited it is not possible to get root access to the machine.

Phases:

• convert over to systemd as non-root compliant
  • convert dynamic configurations to static ones Add static systemd unit files for workers #20983
  • update rpm Copy systemd unit files from plugin repos manageiq-rpm_build#134
  • optional: in systemd make apache start automatically from ui and api workers process Declare httpd a requirement dependency of UI and API workers #21325
  • optional: boot memcached as systemd Declare memcached as a dependency for evmserverd manageiq-appliance#321
• convert core components across to non-root [mostly service definitions and disk privileges]
  • priority, event, generic, reporting, schedule, api, ui-classic create manageiq user and fix directories manageiq-rpm_build#157
  • secure database.yml, secrets.yml, v2_key lock down all configuration files with passwords #21295
    • Resources owned by user manageiq for non-root appliances manageiq-rpm_build#161
  • run other components as root.manageiq create manageiq user and fix directories manageiq-rpm_build#157
  • remote consoles running as non-root
• convert providers across to non-root [mostly systemd service definitions]
  • metrics, event catcher, refresh Run provider services as user manageiq #21323
  • remove special privileges to run memcached
  • support not over-writing the descent loader cache
    • Don't update the sti_loader.yml in production #21321
    • Return descendent loader cache to regular privs manageiq-rpm_build#173
• convert pod issues to be security friendly ref [re-architecting]
  • evm-watchdog
    • hotfixes Red Hat Updates tab available upstream #5547
    • introduce one shot service to verify database is running. (Replace evm-watchdog with manageiq-db-ready manageiq-appliance#327)
  • embedded ansible runs as manageiq user add prod dirs via .gitkeep #21355
    • Use default HOME #21362
    • Return descendent loader cache to regular privs manageiq-rpm_build#173
  • remove cockpit Remove cockpit console support #21378

[kbrock]

moved to OP

[agrare]

smartstate

mount block devices

Technically only RHV requires this, not all smartstate. In addition to reading raw block devices it has to mount nfs shares (also requires root)

[agrare]

We use file permissions for our DRb unix sockets in /tmp, if we end up with e.g. miq_server running as root we might need to create the socket as the same user the rest of the workers are running as

[chessbyte]

If we are to support RHV SmartState, it may be cleaner to extract the mounting and reading into a separate service/worker with the appropriate privileges and expose an API for the caller to use. Not saying this is easy, but probably the right direction to isolate interfaces to mount.

[kbrock]

I like adding a socket to communicate with the disk.

I'm hoping that we can come up with a solution that makes these parts of the product more container friendly.

[kbrock]

I am moving this comment lower to not distract from the TODO list:

To work with containers, we have already defined the privileges needed to run our application. So the job ahead is mostly porting the Kubernetes/OpenShift privileges to SELinux. The MiqServer process running on the VMware appliance also acts as a distributed orchestrator, so this requires adding systemd privileges similar to the ones defined in the Kubernetes privilege profile.

Since the webapp is the closest to the end users, it is most vulnerable to attacks and needs to be the most restricted. All privileges required by the webapp are also required by the other roles. It is possible that as we discover more, we may be able to merge some of the roles.

Our app has 4 roles with different required privileges:

• webapp (and all others)
  • read v2_key
  • write to logs
  • read database config and settings
• orchestrator
  • enable and disable services.
• smartstate
  • mount block devices
• admin
  • appliance_console
  • change configuration files
  • install rpms
  • ssh to the box

[Fryguy]

I know it's briefly mentioned in #21295 for the database.yml part, but ha-admin also seems to write to the evm.log, which probably affects your logger problem? I'd be ok if that became a dedicated log file:

manageiq/lib/evm_database.rb

Line 170 in ffe06f3

ManageIQ::PostgresHaAdmin.logger = Vmdb.logger

[Fryguy]

Changed the title slightly so I can search the word "root" on the projects board 😆

[agrare]

We're so close to closing this out, propose that we move "Stop Logging to Files" out of this issue, we already resolved the "workers have to run as root in order to write to log files" with having these owned by manageiq:manageiq with 0660

We already have a separate issue for #21004 we can add that to the roadmap targeting Oparin

[chessbyte]

@agrare I can move that out. What about the 2 items under SSL database as non-root? If these are close, I would like to get them across the finish line, otherwise will push to Oparin.

[agrare]

@chessbyte I'm not sure about those, we did have to revert ManageIQ/manageiq-appliance#341 since it was causing us to not be able to connect to the database. Maybe @kbrock can correct me but that section looks further than closer to being done

[chessbyte]

Split off SSL Database as non-Root to #21722