The user directive is set only if the user is root #964

Merged
merged 1 commit into from
Feb 9, 2016
2 changes: 1 addition & 1 deletion kong.yml
Expand Up @@ -164,7 +164,7 @@
## This file can tweaked to some extent, but many directives are necessary for Kong to work.
## /!\ BE CAREFUL
nginx: |
user {{user}};
{{user}}
worker_processes auto;
error_log logs/error.log error;
daemon on;
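Review bot: the placeholder `{{user}}` on the changed line now expands to a whole directive (`user <name> <group>;`) or to an empty string, not to a user name, so the template reads as if a bare user name were being emitted with no `user` keyword. Renaming it (for example `{{user_directive}}`) and noting in the `##` comments above that the line is intentionally blank for non-root operators would keep the "can be tweaked" promise in the comment honest for anyone editing kong.yml by hand.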
14 changes: 13 additions & 1 deletion kong/cli/services/nginx.lua
Expand Up @@ -59,11 +59,23 @@ local function get_current_user()
return IO.os_execute("whoami")
end

local function get_primary_group(user)
return IO.os_execute("id -g -n "..user)
end

local function is_root()
local _, exit_code = IO.os_execute("[[ $EUID -eq 0 ]]")
return exit_code == 0
end

local function prepare_nginx_configuration(configuration, ssl_config)

local current_user = get_current_user()

-- Extract nginx config from kong config, replace any needed value
local nginx_config = configuration.nginx
local nginx_inject = {
user = get_current_user(),
user = is_root() and "user "..current_user.." "..get_primary_group(current_user)..";" or "",
Contributor

This will not work for any user that is not root, which limits the ability to run the Kong process as any user. Specifically, for security purposes a sysadmin would want to silo the Kong execution into a specific user; this forbids that. It's too dangerous to rely only on root users.

Contributor

Furthermore, nginx does not implicitly require the user to be root: http://nginx.org/en/docs/ngx_core_module.html#user

Member Author

This doesn't prevent running Kong with any other user.

Member Author

The user needs to be a user with super-user privileges, otherwise nginx throws a warning, and this PR simply removes that warning from the logs.

Contributor

This doesn't prevent running Kong with any other user.

I realize that, which is why I said it "limits" the ability to run as another user. In this case, the user is what the process/workers will be run as, and as a sysadmin, I would not be able to use a non-root user now.

Contributor

adduser newuser
su - newuser -c "kong start"

Member Author

[root]# adduser newuser
[root]# su - newuser -c "kong start"
[INFO] Kong 0.6.1
[INFO] Using configuration: /etc/kong/kong.yml
[INFO] database...........cassandra keyspace=kong ssl=verify=false enabled=false replication_factor=1 contact_points=ec2-52-6-21-95.compute-1.amazonaws.com:9042 replication_strategy=SimpleStrategy timeout=5000 data_centers=
[INFO] dnsmasq............address=127.0.0.1:8053 dnsmasq=true port=8053
[INFO] Auto-generating the default SSL certificate and key...
[INFO] nginx .............admin_api_listen=0.0.0.0:8001 proxy_listen=0.0.0.0:8000 proxy_listen_ssl=0.0.0.0:8443
[INFO] serf ..............-profile=wan -rpc-addr=127.0.0.1:7373 -event-handler=member-join,member-leave,member-failed,member-update,member-reap,user:kong=/usr/local/kong/serf_event.sh -bind=0.0.0.0:7946 -node=7614aadd81f6_0.0.0.0:7946 -log-level=err
[INFO] Trying to auto-join Kong nodes, please wait..
[WARN] Cannot auto-join the cluster because no nodes were found
[OK] Started
[root]# ps aux | grep nginx
newuser    243  0.0  0.1 201740  4108 ?        Ss   21:22   0:00 nginx: master process /usr/local/openresty/nginx/sbin/nginx -p /usr/local/kong -c nginx.conf -g pid /usr/local/kong/nginx.pid;
newuser    244  0.7  0.7 211268 15028 ?        S    21:22   0:00 nginx: worker process
newuser    245  0.5  0.6 208408 13352 ?        S    21:22   0:00 nginx: worker process
newuser    246  0.5  0.6 208408 13352 ?        S    21:22   0:00 nginx: worker process
newuser    247  0.7  0.6 208408 13352 ?        S    21:22   0:00 nginx: worker process
newuser    248  0.7  0.6 208408 13352 ?        S    21:22   0:00 nginx: worker process
newuser    249  0.5  0.6 208408 13352 ?        S    21:22   0:00 nginx: worker process
newuser    250  0.5  0.6 208408 13352 ?        S    21:22   0:00 nginx: worker process
newuser    251  0.5  0.6 208408 13352 ?        S    21:22   0:00 nginx: worker process

and

[root]# cat /usr/local/kong/nginx.conf
user newuser;

...

proxy_listen = configuration.proxy_listen,
proxy_listen_ssl = configuration.proxy_listen_ssl,
admin_api_listen = configuration.admin_api_listen,
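Review bot: `is_root()` shells out to `[[ $EUID -eq 0 ]]`, which is a bash-only construct (`[[` and `EUID` do not exist in POSIX sh), so on systems where the command is run through `/bin/sh` (dash on Debian/Ubuntu) it fails with a non-zero exit code and `is_root()` returns false even for root, silently dropping the directive this PR is meant to set. A portable check would reuse the same tool already used two lines earlier in `get_primary_group`: run `id -u` and compare the trimmed output with `"0"`. Separately, when the check does succeed the injected line becomes `user root root;` (since `current_user` is `whoami` output for root), which makes nginx workers run as root; consider emitting an unprivileged user there (nginx's own default is `nobody`) and reserving the current-user value for the non-root case, where the directive is not needed anyway.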