aurora-issues mailing list archives

From "Zameer Manji (JIRA)" <>
Subject [jira] [Created] (AURORA-1753) Thermos does not kill processes that setuid to another user.
Date Tue, 23 Aug 2016 20:10:20 GMT
Zameer Manji created AURORA-1753:

             Summary: Thermos does not kill processes that setuid to another user. 
                 Key: AURORA-1753
             Project: Aurora
          Issue Type: Bug
            Reporter: Zameer Manji

Core thermos has a heuristic to ensure we do not kill processes that were not launched by
it. The code is below:
  # Note: the archive rendering dropped the @classmethod decorator, the docstring quotes,
  # the two `try:` lines and the `log.info(` calls; they are restored below, with
  # process.pid assumed as the missing first format argument. `log`, `Time` and `psutil`
  # are module imports of the enclosing thermos helper, and MAX_START_TIME_DRIFT is a
  # class attribute (an Amount of Time) that the ticket does not reproduce.
  @classmethod
  def this_is_really_our_pid(cls, process, uid, user, start_time):
    """
      A heuristic to make sure that this is likely the pid that we own/forked.  Necessary
      because of pid-space wrapping.  We don't want to go and kill processes we don't own,
      especially if the killer is running as root.

      process: psutil.Process representing the process to check
      uid: uid expected to own the process (or None if not available)
      user: username expected to own the process
      start_time: time at which it's expected the process has started

      Raises:
        psutil.NoSuchProcess - if the Process supplied no longer exists
    """
    process_create_time = process.create_time()

    # Guard against pid-space wrap: a reused pid will have a very different start time.
    if abs(start_time - process_create_time) >= cls.MAX_START_TIME_DRIFT.as_(Time.SECONDS):
      log.info("Expected pid %s start time to be %s but it's %s" % (
          process.pid, start_time, process_create_time))
      return False

    if uid is not None:
      # If the uid was provided, it is gospel, so do not consider user.
      try:
        uids = process.uids()
        if uids is None:
          return False
        process_uid = uids.real
      except psutil.Error:
        return False

      if process_uid == uid:
        return True
      else:
        log.info("Expected pid %s to be ours but the pid uid is %s and we're %s" % (
            process.pid, process_uid, uid))
        return False

    try:
      process_user = process.username()
    except KeyError:
      return False

    if process_user == user:
      # If the uid was not provided, we must use user -- which is possibly flaky if the
      # user gets deleted from the system, so process_user will be None and we must
      # return False.
      log.info("Expected pid %s to be ours but the pid user is %s and we're %s" % (
          process.pid, process_user, user))
      return True

    return False

This code prevents thermos from killing a process that was launched with uid 0 but then later
uses {{setuid(2)}} to change its user to something else.

A concrete example of this is when one uses Docker and Aurora. A Docker container implicitly
triggers the {{--nosetuid}} flag behaviour which means all processes forked by thermos run
as root. A container process could later downgrade itself to another user for security reasons.
Doing this means thermos will not kill it when shutting down the container.
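The following is an added, self-contained example (not code from the ticket or from Aurora) that ports the heuristic above onto a constructed stand-in for psutil.Process and runs the cases the ticket describes: a root-forked child that is still root, the same child after it has called setuid(2), and an unrelated process that reused the pid after pid-space wrap. It also carries one hypothetical `forked_as_root` parameter as an illustrative mitigation, not Aurora's actual fix; `FakeProcess`, `drop_privileges` and `MAX_START_TIME_DRIFT_SECONDS = 10` are assumptions made so the example runs offline.

```python
import logging
from collections import namedtuple

log = logging.getLogger("thermos_pid_check_example")

# Constructed stand-in for psutil.Process (assumption: psutil is not imported, so this
# runs offline). Only the calls the heuristic uses are modelled.
Uids = namedtuple("Uids", ["real", "effective", "saved"])


class FakeProcess(object):
  def __init__(self, pid, create_time, uid, username):
    self.pid = pid
    self._create_time = create_time
    self._uid = uid
    self._username = username

  def create_time(self):
    return self._create_time

  def uids(self):
    # After a successful setuid(2) from uid 0, real, effective and saved uid all change,
    # so none of them still reveals that the process started as root.
    return Uids(self._uid, self._uid, self._uid)

  def username(self):
    return self._username

  def drop_privileges(self, uid, username):
    # Simulates the container process calling setuid(2) after thermos forked it as root.
    self._uid = uid
    self._username = username


MAX_START_TIME_DRIFT_SECONDS = 10  # assumption: thermos' MAX_START_TIME_DRIFT, in seconds


def this_is_really_our_pid(process, uid, user, start_time, forked_as_root=False):
  """Port of the thermos heuristic from the ticket, plus one hypothetical parameter.

  forked_as_root (illustrative mitigation, not Aurora's fix): when thermos itself forked
  the process as uid 0 (the --nosetuid / Docker case), a uid other than 0 is the expected
  outcome of the process dropping privileges, so only the start-time window is used to
  guard against pid wrap.
  """
  process_create_time = process.create_time()
  if abs(start_time - process_create_time) >= MAX_START_TIME_DRIFT_SECONDS:
    log.info("Expected pid %s start time to be %s but it's %s",
             process.pid, start_time, process_create_time)
    return False

  if uid is not None:
    if forked_as_root and uid == 0:
      return True
    uids = process.uids()
    if uids is None:
      return False
    if uids.real == uid:
      return True
    log.info("Expected pid %s to be ours but the pid uid is %s and we're %s",
             process.pid, uids.real, uid)
    return False

  return process.username() == user


def scenarios():
  """Runs the cases from the ticket plus the illustrative mitigation."""
  t0 = 1000.0  # constructed launch time recorded by thermos
  child = FakeProcess(pid=4242, create_time=t0, uid=0, username="root")
  results = {}
  # Forked as root and still root: the heuristic correctly claims the pid.
  results["still_root"] = this_is_really_our_pid(child, 0, "root", t0)
  # The bug: the same process drops to uid 1000; the heuristic now disowns it,
  # so thermos would leave it running at container shutdown.
  child.drop_privileges(1000, "app")
  results["after_setuid"] = this_is_really_our_pid(child, 0, "root", t0)
  # pid wrap: an unrelated root process later reused pid 4242; start-time drift catches it.
  stranger = FakeProcess(pid=4242, create_time=t0 + 3600, uid=0, username="root")
  results["wrapped_pid"] = this_is_really_our_pid(stranger, 0, "root", t0)
  # Illustrative mitigation: the downgraded child is claimed, the wrapped pid still is not.
  results["mitigated"] = this_is_really_our_pid(child, 0, "root", t0, forked_as_root=True)
  results["wrapped_mitigated"] = this_is_really_our_pid(
      stranger, 0, "root", t0, forked_as_root=True)
  return results


if __name__ == "__main__":
  logging.basicConfig(level=logging.INFO)
  for name, verdict in scenarios().items():
    print("%-18s ours=%s" % (name, verdict))
```

The trade-off in the hypothetical `forked_as_root` path is that the uid comparison no longer contributes anything, so the start-time window is the only guard left against killing a wrapped pid; a process that happened to reuse the pid within MAX_START_TIME_DRIFT of the original launch would be matched. Whether that window is tight enough for a killer running as root is the judgement the ticket leaves open.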

This message was sent by Atlassian JIRA