client: disable running artifact downloader as nobody

This PR reverts a change from Nomad 1.5 where artifact downloads were executed as the nobody user on Linux systems. This was done as an attempt to improve the security model of artifact downloading where third party tools such as git or mercurial would be run as the root user with all the security implications thereof. However, doing so conflicts with Nomad's own advice for securing the Client data directory - which when setup with the recommended directory permissions structure prevents artifact downloads from working as intended. Artifact downloads are at least still now executed as a child process of the Nomad agent, and on modern Linux systems make use of the kernel Landlock feature for limiting filesystem access of the child process.
hashicorp · Mar 7, 2023 · 8a7c839 · 8a7c839
1 parent b3f7559
commit 8a7c839
Showing 1 changed file with 3 additions and 10 deletions.
diff --git a/client/allocrunner/taskrunner/getter/util_linux.go b/client/allocrunner/taskrunner/getter/util_linux.go
@@ -7,7 +7,6 @@ import (
 	"path/filepath"
 	"syscall"
 
-	"github.com/hashicorp/nomad/helper/users"
 	"github.com/shoenig/go-landlock"
 )
 
@@ -37,16 +36,10 @@ func attributes() *syscall.SysProcAttr {
 }
 
 // credentials returns the UID and GID of the user the child process
-// will run as. On Linux systems this will be the nobody user if Nomad
-// is being run as the root user, or the user Nomad is being run as
-// otherwise.
+// will run as - for now this is always the same user the Nomad agent is
+// running as.
 func credentials() (uint32, uint32) {
-	switch userUID {
-	case 0:
-		return users.NobodyIDs()
-	default:
-		return userUID, userGID
-	}
+	return userUID, userGID
 }
 
 // defaultEnvironment is the default minimal environment variables for Linux.