feat: impersonator middleware feature/usability improvements #353
this patch tackles 3 major issues of the current implementation of impersonator:

1. handling additional groups

unix users could retrieve the groups they belong to with the `id` command, it is common that a user belongs to multiple additional groups than the one which is named identical to him/herself. here below is an example retrieving my groups on my linux workstation:

the current implementation, wsgidav only calls `os.setegid(1000)` when impersonating as `leo` on this machine, while other groups, incl. `wireshark`, `docker`, etc, should also be added. this patch handles such cases with `os.initgroups()` to properly add additional groups accordingly (to `/etc/group`) when impersonating.

2. rejecting system users

uids <= 999 on unix systems are generally reserved for system daemon use, a sysadmin may not want someone being capable to impersonate as such users. (probably due to misconfiguration of domain controller, etc)

this patch adds an option to reject impersonating-as-system-users attempts:

3. docker capability issues

docker's `--cap-add` (or `cap_add:` in docker-compose.yml) does not add the capabilities to the ambient set, therefore the capability is dropped upon `fork()`/`execve()` (which is behind gunicorn's worker spawning), rendering the approach described in #343 (comment) not feasible. this patch includes a statically-linked helper program in C to achieve this in containers.
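The first two points, the supplementary-group handling via `os.initgroups()` and the system-uid cut-off, as an added example that is not code from this PR or from wsgidav. The names `resolve_target`, `supplementary_gids`, `impersonate`, the `SYSTEM_UID_MAX` constant and the sample passwd/group records are assumptions constructed here; the identity switch itself only works when the calling process is privileged.

```python
import grp
import os
import pwd

# Assumption: the uid threshold named in the PR description for system accounts.
SYSTEM_UID_MAX = 999

# Constructed sample records standing in for /etc/passwd and /etc/group.
SAMPLE_PASSWD = {
    "leo": pwd.struct_passwd(("leo", "x", 1000, 1000, "", "/home/leo", "/bin/sh")),
    "daemon": pwd.struct_passwd(("daemon", "x", 1, 1, "", "/usr/sbin", "/usr/sbin/nologin")),
}
SAMPLE_GROUPS = [
    grp.struct_group(("leo", "x", 1000, [])),
    grp.struct_group(("wireshark", "x", 998, ["leo"])),
    grp.struct_group(("docker", "x", 996, ["leo", "bob"])),
]


def supplementary_gids(username, primary_gid, groups=None):
    """Every gid the user ends up with: the primary gid plus each group entry
    that lists the user as a member. This is what os.initgroups() applies,
    and what a bare os.setegid() call leaves out."""
    if groups is None:
        groups = grp.getgrall()  # reads /etc/group (and NSS) on the host
    gids = {primary_gid}
    for entry in groups:
        if username in entry.gr_mem:
            gids.add(entry.gr_gid)
    return sorted(gids)


def resolve_target(username, reject_system_users=True, lookup=pwd.getpwnam):
    """Look up the account and refuse system users when the option is on."""
    entry = lookup(username)
    if reject_system_users and entry.pw_uid <= SYSTEM_UID_MAX:
        raise PermissionError(
            f"refusing to impersonate system user {username!r} (uid {entry.pw_uid})"
        )
    return entry.pw_uid, entry.pw_gid


def impersonate(username, reject_system_users=True):
    """Switch the effective identity of the (privileged) calling process.
    initgroups and setegid must run before seteuid: once the uid is dropped,
    the process can no longer change its group list."""
    uid, gid = resolve_target(username, reject_system_users)
    os.initgroups(username, gid)  # supplementary groups, not only the primary one
    os.setegid(gid)
    os.seteuid(uid)
    return uid, gid
```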