From 3cb96f1b67d31c2c9ad586562b3472bd7e2e8c59 Mon Sep 17 00:00:00 2001 From: Dmitry Tantsur Date: Tue, 11 Jan 2022 12:22:11 +0100 Subject: [PATCH] Tighten permissions for PXE directories Make the HTTP directory not world readable by default. Images may contain secrets, so regular users should not read them. Add nginx and dnsmasq to the ironic group so that they can read ironic files that are group accessible. Change-Id: Iaa8585fb48e5db6c0d5063dca0d84c9d2300f0c9 --- .../bifrost-ironic-install/defaults/main.yml | 1 + .../tasks/bootstrap.yml | 22 ++++++++++++++----- .../tasks/create_tftpboot.yml | 20 +++++++++++++++-- .../tasks/inspector_bootstrap.yml | 2 +- releasenotes/notes/perm-8b4236c6eddf1f1f.yaml | 5 +++++ scripts/collect-test-info.sh | 6 ++--- 6 files changed, 45 insertions(+), 11 deletions(-) create mode 100644 releasenotes/notes/perm-8b4236c6eddf1f1f.yaml diff --git a/playbooks/roles/bifrost-ironic-install/defaults/main.yml b/playbooks/roles/bifrost-ironic-install/defaults/main.yml index bfe435009..bb56e4075 100644 --- a/playbooks/roles/bifrost-ironic-install/defaults/main.yml +++ b/playbooks/roles/bifrost-ironic-install/defaults/main.yml @@ -11,6 +11,7 @@ fast_track: true tftp_boot_folder: /tftpboot http_boot_folder: /var/lib/ironic/httpboot +boot_folder_permissions: "0750" ironic_tftp_master_path: /var/lib/ironic/master_images staging_drivers_include: false file_url_port: "8080" diff --git a/playbooks/roles/bifrost-ironic-install/tasks/bootstrap.yml b/playbooks/roles/bifrost-ironic-install/tasks/bootstrap.yml index f557dd176..7a1d9bca3 100644 --- a/playbooks/roles/bifrost-ironic-install/tasks/bootstrap.yml +++ b/playbooks/roles/bifrost-ironic-install/tasks/bootstrap.yml 
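Review bot: `boot_folder_permissions` in defaults/main.yml has no comment saying that an override must stay a quoted octal string. The value reaches the file module through `mode: "{{ boot_folder_permissions }}"` in create_tftpboot.yml. An unquoted override such as `0750` is read by the YAML parser as an integer and, as far as I can tell, rendered back in decimal, which the module then either rejects or applies as a different mode. I would add above the default: `# Octal mode for the HTTP boot directories; keep the value quoted, e.g. "0750".`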
@@ -102,10 +102,21 @@ - name: "Create an ironic service group" group: name: "ironic" + - name: "Create an ironic service user" user: name: "ironic" group: "ironic" + +- name: "Add nginx and dnsmasq to the ironic group" + user: + name: "{{ item }}" + groups: "ironic" + append: yes + loop: + - "{{ nginx_user }}" + - dnsmasq + - name: "Ensure /etc/ironic exists" file: name: "/etc/ironic" @@ -113,6 +124,7 @@ owner: "ironic" group: "ironic" mode: 0755 + # Note(TheJulia): The rootwrap copies will need to be re-tooled # to possibly directly retreive current files if a source install # is not utilized. @@ -261,8 +273,8 @@ file: path: "{{ dnsmasq_additional_hostsdir }}" state: directory - owner: "root" - group: "root" + owner: "dnsmasq" + group: "ironic" mode: 0755 when: dnsmasq_additional_hostsdir is defined @@ -270,8 +282,8 @@ file: path: "{{ dnsmasq_dhcp_hostsdir }}" state: directory - owner: "root" - group: "root" + owner: "dnsmasq" + group: "ironic" mode: 0755 - name: "Retrieve interface IP informations" @@ -392,7 +404,7 @@ state: directory mode: 0750 owner: "ironic" - group: "{{ nginx_user }}" + group: "ironic" loop: - "/var/lib/ironic" - "/var/lib/ironic/master_images" diff --git a/playbooks/roles/bifrost-ironic-install/tasks/create_tftpboot.yml b/playbooks/roles/bifrost-ironic-install/tasks/create_tftpboot.yml index 0027342f7..7a0e6ef71 100644 --- a/playbooks/roles/bifrost-ironic-install/tasks/create_tftpboot.yml +++ b/playbooks/roles/bifrost-ironic-install/tasks/create_tftpboot.yml 
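Review bot: The new "Add nginx and dnsmasq to the ironic group" task gives both network-facing daemons read access to every file that is group-readable by `ironic`, not only the boot directories. That includes `/etc/ironic-inspector/inspector.conf`, which the inspector_bootstrap.yml hunk of this same commit sets to `group=ironic mode=0640`, and presumably other service configuration that can hold credentials. A dedicated group that owns only the TFTP/HTTP trees would keep the web and DHCP servers away from service configs. Separately, the `user` module creates an account that does not exist, so if dnsmasq is not installed yet or runs under another name, this task creates a regular (non-system) `dnsmasq` account. `append: yes` would also read better as `append: true`.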
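Review bot: With `owner: "dnsmasq"`, `group: "ironic"` and the unchanged `mode: 0755` on `dnsmasq_additional_hostsdir` (and the same in the next hunk for `dnsmasq_dhcp_hostsdir`), the only account that gains write access is dnsmasq itself. Members of `ironic` still get read and traverse only. If the intent is for ironic to manage host entries here, the group needs write access (`mode: "0775"`) or ironic should be the owner. If the intent is only that dnsmasq can read, `root` ownership at 0755 already allowed that, and giving the daemon write access to its own input directory is wider than needed. A one-line comment naming the service that writes into these directories would settle it.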
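Review bot: Switching `group` from `{{ nginx_user }}` to `ironic` on `/var/lib/ironic` and its subdirectories (mode 0750) makes nginx depend on the supplementary group added earlier in this file, and a process only picks up new group membership when it starts. On a host where nginx or dnsmasq is already running (an upgrade or a re-run), they would lose access until restarted. I do not see a restart or handler notification in the visible hunks, so it may exist elsewhere. If it does not, the group-membership task should `notify` a restart of both services. The task containing this change starts outside the hunk.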
@@ -15,11 +15,27 @@ --- # TODO(TheJulia): The pxelinux folder is statically coded in ironic. # For now, we need to use it, but we can patch that. -- name: "Set up PXE and iPXE folders" - file: name={{ item }} owner=ironic group=ironic state=directory mode=0755 +- name: "Set up PXE folders" + file: + name: "{{ item }}" + owner: ironic + group: ironic + state: directory + # FIXME(dtantsur): dnsmasq cannot work if the files are not world readable + # or owned by it, I don't understand why. + mode: 0755 loop: - "{{ tftp_boot_folder }}" - "{{ tftp_boot_folder }}/pxelinux.cfg" + +- name: "Set up HTTP folders" + file: + name: "{{ item }}" + owner: ironic + group: ironic + state: directory + mode: "{{ boot_folder_permissions }}" + loop: - "{{ http_boot_folder }}" - "{{ http_boot_folder }}/pxelinux.cfg" diff --git a/playbooks/roles/bifrost-ironic-install/tasks/inspector_bootstrap.yml b/playbooks/roles/bifrost-ironic-install/tasks/inspector_bootstrap.yml index c1c887e8c..50fb452d0 100644 --- a/playbooks/roles/bifrost-ironic-install/tasks/inspector_bootstrap.yml +++ b/playbooks/roles/bifrost-ironic-install/tasks/inspector_bootstrap.yml @@ -111,7 +111,7 @@ dest=/etc/ironic-inspector/inspector.conf owner=ironic group=ironic - mode=0740 + mode=0640 - name: "Inspector - Create the log directories (if requested)" file: name: "{{ item }}" diff --git a/releasenotes/notes/perm-8b4236c6eddf1f1f.yaml b/releasenotes/notes/perm-8b4236c6eddf1f1f.yaml new file mode 100644 index 000000000..487a0e717 --- /dev/null +++ b/releasenotes/notes/perm-8b4236c6eddf1f1f.yaml @@ -0,0 +1,5 @@ +--- +fixes: + - | + The TFTP and HTTP directories are no longer world-readable by default. + Set ``boot_folder_permissions`` to override. diff --git a/scripts/collect-test-info.sh b/scripts/collect-test-info.sh index 980cc5b0d..cd0c6c1f1 100755 --- a/scripts/collect-test-info.sh +++ b/scripts/collect-test-info.sh 
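Review bot: The "Set up PXE folders" task keeps `mode: 0755`, so the TFTP tree remains world-readable, yet the release note added in this commit says "The TFTP and HTTP directories are no longer world-readable by default". Only the "Set up HTTP folders" task uses `boot_folder_permissions`, so an operator reading the note would assume content under `{{ tftp_boot_folder }}` is protected when it is not. Either reword the note to cover the HTTP directory only, or extend the FIXME with `# TFTP directories stay world-readable; boot_folder_permissions does not apply here.` The literal would also be safer quoted, `mode: "0755"`, to match the quoted default.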
@@ -82,9 +82,9 @@ sudo journalctl -u uwsgi@keystone-public &> ${LOG_LOCATION}/keystone-public.log # Copy PXE information mkdir -p ${LOG_LOCATION}/pxe/ -ls -lR /var/lib/ironic/httpboot > ${LOG_LOCATION}/pxe/listing.txt -cp -aL /var/lib/ironic/httpboot/*.ipxe ${LOG_LOCATION}/pxe/ -cp -aL /var/lib/ironic/httpboot/pxelinux.cfg/ ${LOG_LOCATION}/pxe/ +sudo ls -lR /var/lib/ironic/httpboot > ${LOG_LOCATION}/pxe/listing.txt +sudo bash -c "cp -aL /var/lib/ironic/httpboot/*.ipxe ${LOG_LOCATION}/pxe/" +sudo cp -aL /var/lib/ironic/httpboot/pxelinux.cfg/ ${LOG_LOCATION}/pxe/ # Copy baremetal information source $HOME/openrc bifrost
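Review bot: In `sudo bash -c "cp -aL /var/lib/ironic/httpboot/*.ipxe ${LOG_LOCATION}/pxe/"`, `${LOG_LOCATION}` is expanded by the calling shell and then re-parsed, unquoted, by a root shell. A path containing spaces or shell metacharacters would be split or interpreted with root privileges. Passing it as a positional argument avoids the second parse: `sudo bash -c 'cp -aL /var/lib/ironic/httpboot/*.ipxe "$1"' _ "${LOG_LOCATION}/pxe/"`. Note also that `cp -a` under sudo preserves the `ironic` ownership and restrictive modes, so a later unprivileged log-collection step may be unable to read the copies. A `chown` of `${LOG_LOCATION}/pxe` afterwards, or `--no-preserve=ownership`, would cover that if nothing later in the script already does.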