Project

Profile

Help

Issue #7155

closed

pulpcore-manager cannot be run by 'pulp' user

Added by bmbouter over 4 years ago. Updated almost 4 years ago.

Status:
CLOSED - CURRENTRELEASE
Priority:
Normal
Assignee:
Category:
Installer - Moved to GitHub issues
Sprint/Milestone:
-
Start date:
Due date:
Estimated time:
Severity:
2. Medium
Version:
Platform Release:
OS:
Triaged:
Yes
Groomed:
No
Sprint Candidate:
No
Tags:
Sprint:
Sprint 84
Quarter:

Description

The PULP_SETTINGS environment variable is not being set therefore the pulpcore-manager command cannot be run by the pulp user.


Related issues

Has duplicate Pulp - Issue #6263: User installation makes non-pulp user hard to useCLOSED - DUPLICATEActions
Actions #1

Updated by dkliban@redhat.com over 4 years ago

  • Triaged changed from No to Yes
  • Sprint set to Sprint 79

PULP_SETTINGS environment variable needs to be in the pulp user's .bashrc.

Actions #2

Updated by mdepaulo@redhat.com over 4 years ago

We can implement this fairly easily, but in order to fully address the issue, we have 2 more pieces of work to do:

  1. Do we activate the virtualenv by default? Or prompt users to do that in the login message?
  2. The pulp user intentionally has its shell set to /sbin/nologin for security. Do we want to change it? The current best workaround is sudo su - pulp --shell /bin/bash
Actions #3

Updated by rchan over 4 years ago

  • Sprint changed from Sprint 79 to Sprint 80
Actions #4

Updated by mdepaulo@redhat.com over 4 years ago

We propose solving this this way:

  1. pulpcore-manager is setuid to pulp. The rest of the octal permissions make it so only the pulp user & group can run it. (This eliminates users accidentally running it as root, and having files on disk owned by root rather than pulp. It also makes the shell irrelevant.)
  2. We configure the virtualenv to set the environment variable. (A .bashrc would not be usable with setuid.)

This way, users can just run the pulpcore-manager binary directly from the full file path like /usr/local/lib/pulp/bin/pulpcore-manager. Since doing so should include activating the venv, and will be setuid pulp.

Actions #5

Updated by mdepaulo@redhat.com over 4 years ago

An alternative implementation to #1 was suggested by Ewoud:

AFAIK you can't make a script setuid. Only compiled binaries. I doubt that's worth the effort.

For comparison, in Foreman we have foreman-rake which does the user switching via su if the username is not foreman.

Another thing we set in the wrapper is RUBYOPT=-W0 which disables (deprecation) warnings. This gives a better user experience. Python may have something similar that you can consider.

I think he's wrong about setuid having that limitation, but I like the foreman-rake approach better than setuid.

Actions #6

Updated by rchan over 4 years ago

  • Sprint changed from Sprint 80 to Sprint 81
Actions #7

Updated by rchan over 4 years ago

  • Sprint changed from Sprint 81 to Sprint 82
Actions #8

Updated by dkliban@redhat.com about 4 years ago

  • Has duplicate Issue #6263: User installation makes non-pulp user hard to use added
Actions #9

Updated by mdellweg about 4 years ago

When installed via RPM, is pulp still running in a venv? If not, this rules out the "set-envvar-in-venv" solution.

Actions #10

Updated by mdellweg about 4 years ago

  • Status changed from NEW to ASSIGNED
  • Assignee set to mdellweg
Actions #11

Updated by pulpbot about 4 years ago

  • Status changed from ASSIGNED to POST
Actions #12

Updated by bmbouter about 4 years ago

mdellweg wrote:

When installed via RPM, is pulp still running in a venv? If not, this rules out the "set-envvar-in-venv" solution.

I agree, but the RPM packaging could set it somehow also. One assumes root and the other doesn't so I kind of think the installer needs to handle it as the venv, and the RPMs need to handle with their assumption of what users run this command. Wdyt?

Actions #13

Updated by rchan about 4 years ago

  • Sprint changed from Sprint 82 to Sprint 83

Added by mdellweg about 4 years ago

Revision 880d68dd | View on GitHub

Add pulpcore-admin wrapper

This script sets PULP_SETTINGS and calls pulpcore-admin as pulp user.

fixes #7155 https://pulp.plan.io/issues/7155

Added by mdellweg about 4 years ago

Revision 880d68dd | View on GitHub

Add pulpcore-admin wrapper

This script sets PULP_SETTINGS and calls pulpcore-admin as pulp user.

fixes #7155 https://pulp.plan.io/issues/7155

Actions #14

Updated by rchan about 4 years ago

  • Sprint changed from Sprint 83 to Sprint 84
Actions #15

Updated by mdellweg about 4 years ago

  • Status changed from POST to MODIFIED
Actions #16

Updated by ttereshc almost 4 years ago

  • Status changed from MODIFIED to CLOSED - CURRENTRELEASE

Also available in: Atom PDF