
feat: provision ownership on /var/lib/deadline/credentials directory #145

Merged
merged 1 commit into mainline from gahyusuh/smf_worker_cred_dir_ownership
Feb 5, 2024

Conversation


@gahyusuh gahyusuh commented Feb 2, 2024

What was the problem/requirement? (What/Why)

The worker credentials directory /var/lib/deadline/credentials is world read/executable in a worker agent in an SMF. While the credentials for the worker agent are not accessible, we should make this directory inaccessible as a best practice.

What was the solution? (How)

Updated the install.sh to pre-create the directory and set the correct ownership and permissions. This ensures that the directory is secure from the moment it's created, aligning with best practices for handling sensitive directories.

What is the impact of this change?

This change proactively secures the credentials directory.

How was this change tested?

  • hatch run fmt && hatch run lint && hatch run test
  • E2E test by cleaning all the persistence directories and re-installing worker agent by running this command:
    hatch shell
    install-deadline-worker --farm-id $FARM_ID --fleet-id $FLEET_ID
    
    After the installation, I confirmed the ownership and permissions of the directories:
    (24-02-02 21:28:41) <0> [/var/lib]  
    dev-dsk-gahyusuh-2a-387e0b51 % sudo ls -ld deadline/
    drwxr-x--- 4 deadline-worker-agent deadline-job-users 4096 Feb  2 21:16 deadline/
    
    (24-02-02 21:29:25) <0> [/var/lib]  
    dev-dsk-gahyusuh-2a-387e0b51 % sudo ls -ld deadline/credentials
    drwx------ 2 deadline-worker-agent root 4096 Feb  2 21:16 deadline/credentials
    
    • /var/lib/deadline: The owner deadline-worker-agent has full access. The owning group deadline-job-users has read and execute permissions. No permissions have been granted to other users.
    • /var/lib/deadline/credentials: Only the owner deadline-worker-agent has full access. Neither the owning group members nor any other users have been granted any permissions.

Was this change documented?

No.

Is this a breaking change?

No.
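The provisioning step described above, written out as a small POSIX shell sketch. This is an added illustration, not the project's install.sh: the paths, modes, user and group names follow the PR description and the ls output, while the function names (provision_dirs, verify_dirs, dir_mode, dir_owner) are invented for the example. It also covers the re-run case, tightening a directory that already exists with looser bits.

```shell
#!/bin/sh
# Added example (not the project's install.sh): pre-create the worker
# credentials directory with restrictive ownership/permissions and verify it.
set -eu

# Print the octal permission bits of a path (GNU stat, BSD stat fallback).
dir_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Print "owner:group" of a path.
dir_owner() {
    stat -c '%U:%G' "$1" 2>/dev/null || stat -f '%Su:%Sg' "$1"
}

# provision_dirs ROOT OWNER GROUP
# Creates ROOT as 0750 OWNER:GROUP and ROOT/credentials as 0700 OWNER:root,
# mirroring the layout shown in the PR (e.g. /var/lib/deadline,
# deadline-worker-agent, deadline-job-users). chown needs root, so it is
# skipped when not running as root; the mode checks still apply.
provision_dirs() {
    root=$1; owner=$2; group=$3
    # Create with the final mode in one step so the directory never exists
    # world-readable, then chmod explicitly in case it already existed with
    # looser bits (mkdir -p is a no-op on an existing directory).
    mkdir -p -m 0750 "$root"
    chmod 0750 "$root"
    mkdir -p -m 0700 "$root/credentials"
    chmod 0700 "$root/credentials"
    if [ "$(id -u)" -eq 0 ]; then
        chown "$owner:$group" "$root"
        chown "$owner:root" "$root/credentials"
    fi
}

# verify_dirs ROOT: succeed only if both directories carry the expected modes.
verify_dirs() {
    [ "$(dir_mode "$1")" = "750" ] && [ "$(dir_mode "$1/credentials")" = "700" ]
}
```

Run as root on a real worker host the ownership is applied as well; the verification is the same `stat`-based check the PR performs with `ls -ld`.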

@gahyusuh gahyusuh marked this pull request as ready for review February 2, 2024 19:02
@gahyusuh gahyusuh requested a review from a team as a code owner February 2, 2024 19:02
@gahyusuh gahyusuh added the security Pull requests that could impact security label Feb 2, 2024

@jusiskin jusiskin left a comment


Thanks for helping improve this. Just one suggested change here.

src/deadline_worker_agent/installer/install.sh (review comment, outdated and resolved)
@gahyusuh gahyusuh force-pushed the gahyusuh/smf_worker_cred_dir_ownership branch from 8ce0b7a to 3854b78 February 2, 2024 19:38
Signed-off-by: Gahyun Suh <132245153+gahyusuh@users.noreply.github.com>
@gahyusuh gahyusuh force-pushed the gahyusuh/smf_worker_cred_dir_ownership branch from 3854b78 to ffde35f February 2, 2024 21:42
@gahyusuh gahyusuh merged commit 3b3e7af into mainline Feb 5, 2024
9 checks passed
gmchale79 pushed a commit that referenced this pull request Feb 12, 2024
…145)

Signed-off-by: Gahyun Suh <132245153+gahyusuh@users.noreply.github.com>
Signed-off-by: Graeme McHale <gmchale@amazon.com>
jusiskin pushed a commit to jusiskin/deadline-cloud-worker-agent that referenced this pull request Sep 4, 2024
Signed-off-by: client-software-ci <129794699+client-software-ci@users.noreply.github.com>
Labels
security Pull requests that could impact security