yahoo-eng-team team mailing list archive

[Bug 1777922] Re: neutron is not dropping radvd privileges

 

Reviewed:  https://review.openstack.org/576923
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=9f2b40f2cecc116906e77d69797c0c6877bd5b4d
Submitter: Zuul
Branch:    master

commit 9f2b40f2cecc116906e77d69797c0c6877bd5b4d
Author: aojeagarcia <aojeagarcia@xxxxxxxx>
Date:   Wed Jun 20 18:53:36 2018 +0200

    Dropping radvd process privileges
    
    radvd needs to run as root, but has the capability to drop privileges on
    Linux hosts. Currently, the radvd process is not using this feature and
    this can be considered a serious risk.
    
    In addition, on some distributions like SUSE, the radvd process runs as
    a non-privileged user by default, causing radvd to fail to daemonize
    because it can't write the pid in the corresponding neutron folder,
    which breaks the IPv6 functionality.
    
    This patch allows the radvd process to run with the same user used by
    neutron. In order to allow this, it changes the radvd config file
    permissions to 444 because radvd doesn't allow this file to be
    writable by self/group. The read-only mode is not a problem when updating
    the file because of the way the neutron_lib replace_file function handles
    the file operations.
    
    Closes-Bug: #1777922
    
    Change-Id: Ic5d976ba71a966a537d1f31888f82997a7ccb0de
    Signed-off-by: aojeagarcia <aojeagarcia@xxxxxxxx>


** Changed in: neutron
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1777922

Title:
  neutron is not dropping radvd privileges

Status in neutron:
  Fix Released

Bug description:
  neutron is not dropping the radvd privileges, which causes radvd to run with full privileges; that can be considered a serious risk.
  In addition, some distributions like SUSE run the radvd process as a non-privileged user by default, causing radvd to fail to daemonize because it can't write the pid in the corresponding neutron folder, which breaks the IPv6 functionality.

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1777922/+subscriptions
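
Added example, not part of the original notification or of the neutron patch: the commit message says a config file with mode 444 can still be updated, and this sketch shows why a write-to-temp-then-rename update works on a read-only target on Linux. The names `replace_readonly` and `has_no_write_bits` and the sample config strings are hypothetical and constructed for illustration; they are not neutron_lib's or radvd's own code.

```python
import os
import stat
import tempfile

# Constructed sample content; not taken from neutron's radvd template.
SAMPLE_V1 = "interface qr-example { AdvSendAdvert on; };\n"
SAMPLE_V2 = "interface qr-example { AdvSendAdvert on; MinRtrAdvInterval 30; };\n"


def replace_readonly(path, data, mode=0o444):
    """Atomically replace path with data and leave it with the given mode."""
    directory = os.path.dirname(os.path.abspath(path))
    # Same directory as the target, so the rename never crosses filesystems.
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".tmp-")
    try:
        with os.fdopen(fd, "w") as handle:
            handle.write(data)
        os.chmod(tmp, mode)
        # rename(2) needs write permission on the directory, not on the
        # existing target, so a 0444 file is replaced without being opened.
        os.rename(tmp, path)
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise


def has_no_write_bits(path):
    """Hypothetical pre-start check: True if nobody has write permission."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return mode & (stat.S_IWUSR | stat.S_IWGRP | stat.S_IWOTH) == 0


def demo():
    with tempfile.TemporaryDirectory() as workdir:
        conf = os.path.join(workdir, "radvd.conf")
        replace_readonly(conf, SAMPLE_V1)
        replace_readonly(conf, SAMPLE_V2)      # update over a 0444 target
        with open(conf) as handle:
            content = handle.read()
        loose = os.path.join(workdir, "loose.conf")
        replace_readonly(loose, SAMPLE_V1, mode=0o644)
        return {
            "content": content,
            "mode": stat.S_IMODE(os.stat(conf).st_mode),
            "strict_ok": has_no_write_bits(conf),
            "loose_ok": has_no_write_bits(loose),
            "leftovers": [n for n in os.listdir(workdir) if n.startswith(".tmp-")],
        }
```

The directory holding the file must stay writable only by the service user, since write access to the directory is what permits the replacement.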

