
'nomad alloc exec' with 'raw_exec' driver doesn't respect task 'user' field #9210

Closed
tgross opened this issue Oct 28, 2020 · 4 comments · Fixed by #9439

Comments

@tgross
Member

tgross commented Oct 28, 2020

Using the following jobspec with the user field on the task:

job "example" {
  datacenters = ["dc1"]
  group "task1" {
    task "task1" {
      # the task itself runs as this unprivileged user
      user   = "nobody"
      driver = "raw_exec"
      config {
        command = "/bin/sh"
        args    = ["-c", "sleep 600"]
      }
    }
  }
}

The task runs as nobody, but nomad alloc exec is running as Nomad's user (root):

$ nomad job run ./example.nomad
==> Monitoring evaluation "d7265065"
    Evaluation triggered by job "example"
    Evaluation within deployment: "2f41957c"
    Allocation "07063d8a" created: node "6f2115ea", group "task3"
    Evaluation status changed: "pending" -> "complete"
==> Evaluation "d7265065" finished with status "complete"

$ nomad alloc exec 07063d8a whoami
root

$ nomad alloc logs c64d741d
nobody

Note that because, in clusters with ACLs, this requires the highly-privileged node-alloc-exec capability (which isn't included in the coarse-grained write capability, and which is specifically warned about as breaking filesystem isolation), there's no privilege escalation available here. It is a surprising behavior and one we want to have fixed.

But I've also double-checked that drivers like exec still give you nobody when you nomad alloc exec and those are working as expected.
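As an added illustration of what "honoring the task user" means on the executor side (this is example code written here, not Nomad's own executor), the block below resolves a username such as nobody to a uid/gid plus supplementary groups and attaches it to the child process via syscall.Credential, so the spawned command starts as that user instead of inheriting the parent's (root) identity. The helper names credentialFor and buildCommand are assumed; the sample command and username are constructed for the demonstration and running the command for real requires the parent to be privileged enough to drop to that user.

```go
package main

import (
	"fmt"
	"os"
	"os/exec"
	"os/user"
	"strconv"
	"syscall"
)

// credentialFor resolves a username to the credentials a child process should
// run with. Hypothetical helper for this example, not Nomad's code.
func credentialFor(username string) (*syscall.Credential, error) {
	u, err := user.Lookup(username)
	if err != nil {
		return nil, fmt.Errorf("lookup %q: %w", username, err)
	}
	uid, err := strconv.ParseUint(u.Uid, 10, 32)
	if err != nil {
		return nil, fmt.Errorf("parse uid %q: %w", u.Uid, err)
	}
	gid, err := strconv.ParseUint(u.Gid, 10, 32)
	if err != nil {
		return nil, fmt.Errorf("parse gid %q: %w", u.Gid, err)
	}
	cred := &syscall.Credential{Uid: uint32(uid), Gid: uint32(gid)}
	// Supplementary groups are resolved best-effort. If none are set, Go still
	// calls setgroups with an empty list, so the child does not keep the
	// parent's (e.g. root's) supplementary groups.
	if ids, err := u.GroupIds(); err == nil {
		for _, id := range ids {
			if g, err := strconv.ParseUint(id, 10, 32); err == nil {
				cred.Groups = append(cred.Groups, uint32(g))
			}
		}
	}
	return cred, nil
}

// buildCommand prepares argv to run as username. The credential is applied in
// the child between fork and exec, before any of the command's code runs.
func buildCommand(username string, argv []string) (*exec.Cmd, error) {
	if len(argv) == 0 {
		return nil, fmt.Errorf("empty command")
	}
	cred, err := credentialFor(username)
	if err != nil {
		return nil, err
	}
	cmd := exec.Command(argv[0], argv[1:]...)
	cmd.SysProcAttr = &syscall.SysProcAttr{Credential: cred}
	cmd.Stdout = os.Stdout
	cmd.Stderr = os.Stderr
	return cmd, nil
}

func main() {
	// Constructed sample: the same check the issue performs with whoami.
	cmd, err := buildCommand("nobody", []string{"/bin/sh", "-c", "id -un"})
	if err != nil {
		fmt.Fprintln(os.Stderr, "build:", err)
		os.Exit(1)
	}
	if err := cmd.Run(); err != nil {
		// Fails with EPERM when the parent is not allowed to switch user.
		fmt.Fprintln(os.Stderr, "run:", err)
		os.Exit(1)
	}
}
```

When run as root the program prints nobody, which is the result the issue expects from nomad alloc exec; an executor that builds its exec command without this credential step is exactly what produces the root in the report above.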

@rgl

rgl commented Nov 22, 2020

Can you please also support setting the user in Windows?

Please note that in Windows, you also need to define the password.

It would also be pretty interesting to support Group Managed Service Accounts and Local Service Accounts (these do not have a user managed password, as such, are more convenient to use). Please note these require the application to run (or be wrapped) as a Windows service.

@tgross
Member Author

tgross commented Nov 23, 2020

> Can you please also support setting the user in Windows?

@rgl your suggestion looks unrelated to this issue, which is about the nomad alloc exec command specifically. If you have a feature request, open a new issue for that please.

@rgl

rgl commented Nov 23, 2020

Indeed, I've now opened #9424.

notnoop pushed a commit that referenced this issue Nov 25, 2020
Fix #9210.

This updates the executor so it honors the User when using nomad alloc exec. The bug was that the exec task didn't honor the init command when execing.
@github-actions

I'm going to lock this issue because it has been closed for 120 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Oct 28, 2022