aurora-issues mailing list archives

From: "Zameer Manji (JIRA)" <j...@apache.org>
Subject: [jira] [Created] (AURORA-1753) Thermos does not kill processes that setuid to another user.
Date: Tue, 23 Aug 2016 20:10:20 GMT
Zameer Manji created AURORA-1753:
------------------------------------

             Summary: Thermos does not kill processes that setuid to another user. 
                 Key: AURORA-1753
                 URL: https://issues.apache.org/jira/browse/AURORA-1753
             Project: Aurora
          Issue Type: Bug
            Reporter: Zameer Manji


Core thermos has a heuristic to ensure we do not kill processes that were not launched by
it. The code is below:
{noformat}
  @classmethod
  def this_is_really_our_pid(cls, process, uid, user, start_time):
    """
      A heuristic to make sure that this is likely the pid that we own/forked.  Necessary
      because of pid-space wrapping.  We don't want to go and kill processes we don't own,
      especially if the killer is running as root.

      process: psutil.Process representing the process to check
      uid: uid expected to own the process (or None if not available)
      user: username expected to own the process
      start_time: time at which it's expected the process has started

      Raises:
        psutil.NoSuchProcess - if the Process supplied no longer exists
    """
    process_create_time = process.create_time()

    if abs(start_time - process_create_time) >= cls.MAX_START_TIME_DRIFT.as_(Time.SECONDS):
      log.info("Expected pid %s start time to be %s but it's %s" % (
          process.pid, start_time, process_create_time))
      return False

    if uid is not None:
      # If the uid was provided, it is gospel, so do not consider user.
      try:
        uids = process.uids()
        if uids is None:
          return False
        process_uid = uids.real
      except psutil.Error:
        return False

      if process_uid == uid:
        return True
      else:
        log.info("Expected pid %s to be ours but the pid uid is %s and we're %s" % (
            process.pid, process_uid, uid))
        return False

    try:
      process_user = process.username()
    except KeyError:
      return False

    if process_user == user:
      # If the uid was not provided, we must use user -- which is possibly flaky if the
      # user gets deleted from the system, so process_user will be None and we must
      # return False.
      log.info("Expected pid %s to be ours but the pid user is %s and we're %s" % (
          process.pid, process_user, user))
      return True

    return False
{noformat}

This code prevents thermos from killing a process that was launched with uid 0 but later
calls {{setuid(2)}} to change its user to something else: the process's real uid no longer
matches the uid thermos recorded at launch, so the heuristic returns False and thermos
treats the process as not its own.

A concrete example of this is when one uses Docker and Aurora. A Docker container implicitly
triggers the {{--nosetuid}} flag behaviour, which means all processes forked by thermos run
as root. A container process could later downgrade itself to another user for security reasons.
Doing so means thermos will not kill it when shutting down the container.
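To make the failure mode concrete, here is an added, self-contained re-expression of the heuristic above over a constructed stand-in for psutil.Process (so it runs offline; this is not thermos code). It runs three constructed scenarios against the same pid: the child still running as root, the same child after it called setuid to uid 1000, and an unrelated process that reused the pid an hour later. It also includes a hypothetical variant (an illustration of one possible direction, not the project's fix) that, when thermos knowingly launched the child as root, relies on the start-time match alone so that a privilege drop no longer hides the process. The drift tolerance of 2 seconds, the pid, times, uids and user names are all assumed sample values.

```python
import logging
from collections import namedtuple

log = logging.getLogger("thermos-heuristic-demo")

# psutil reports uids as (real, effective, saved); mirror that shape offline.
Uids = namedtuple("Uids", ["real", "effective", "saved"])

# Assumed drift tolerance in seconds for this demo; thermos expresses its own
# MAX_START_TIME_DRIFT as an Amount and the exact value is not quoted above.
MAX_START_TIME_DRIFT = 2.0


class FakeProcess:
    """Constructed stand-in for psutil.Process so the check runs without psutil."""

    def __init__(self, pid, create_time, uid, username):
        self.pid = pid
        self._create_time = create_time
        self._uid = uid
        self._username = username

    def create_time(self):
        return self._create_time

    def uids(self):
        # After setuid(2) from root, real, effective and saved uid all change,
        # so inspecting the saved uid instead of the real uid would not help.
        return Uids(self._uid, self._uid, self._uid)

    def username(self):
        if self._username is None:
            raise KeyError("uid has no passwd entry")
        return self._username


def this_is_really_our_pid(process, uid, user, start_time):
    """Same decision logic as the thermos heuristic quoted above."""
    if abs(start_time - process.create_time()) >= MAX_START_TIME_DRIFT:
        log.info("pid %s start time does not match", process.pid)
        return False
    if uid is not None:
        uids = process.uids()
        if uids is None:
            return False
        return uids.real == uid
    try:
        process_user = process.username()
    except KeyError:
        return False
    return process_user == user


def ours_allowing_privilege_drop(process, uid, user, start_time, launched_as_root):
    """Hypothetical variant (not the project's fix): when thermos launched the
    child as root (the --nosetuid / Docker case) the child may legitimately
    setuid to another user, so identity rests on the start-time match alone;
    otherwise fall back to the original heuristic."""
    if launched_as_root:
        return abs(start_time - process.create_time()) < MAX_START_TIME_DRIFT
    return this_is_really_our_pid(process, uid, user, start_time)


def scenarios():
    t0 = 1_700_000_000.0  # constructed launch timestamp recorded by the launcher
    still_root = FakeProcess(4242, t0 + 0.3, 0, "root")
    dropped_privs = FakeProcess(4242, t0 + 0.3, 1000, "app")  # same pid, same start, after setuid
    pid_reused = FakeProcess(4242, t0 + 3600, 0, "root")  # unrelated process that got the pid later
    return {
        "still_root": this_is_really_our_pid(still_root, 0, "root", t0),
        "after_setuid": this_is_really_our_pid(dropped_privs, 0, "root", t0),
        "pid_reuse": this_is_really_our_pid(pid_reused, 0, "root", t0),
        "after_setuid_variant": ours_allowing_privilege_drop(dropped_privs, 0, "root", t0, True),
        "pid_reuse_variant": ours_allowing_privilege_drop(pid_reused, 0, "root", t0, True),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name}: {result}")
```

The "after_setuid" scenario is the bug reported here: the uid comparison fails and the process is left running at container shutdown. The variant only recovers it by trusting the start-time window, which is the same protection against pid wrapping the original heuristic already relies on before it ever reaches the uid check; a pid reused within the drift window would still be ambiguous under either version.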



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
