From 4c9e15b94e3f8e27a3ef194768c64357efa9ea82 Mon Sep 17 00:00:00 2001
From: Steven Dake <stdake@cisco.com>
Date: Tue, 10 Nov 2015 04:11:20 -0500
Subject: [PATCH] Drop root privileges for mariadb

Drop root privileges for mariadb.  This isn't perfect.  If someone
breaks out of the container and can run sudo within the container,
it would be possible to replace the root credentials of the database.

Any container that uses sudo suffers from some extra attack vector
related to the sudo command.  That said, the sudo commands are
locked down to minimize harm.

Change-Id: I4b3573725d940bb8aa90d43a6235d8cf7d30fc64
Partially-Implements: blueprint drop-root
---
 docker/base/sudoers            | 2 ++
 docker/mariadb/Dockerfile.j2   | 9 ++++++++-
 docker/mariadb/extend_start.sh | 8 ++++----
 docker/mariadb/mariadb_sudoers | 1 +
 4 files changed, 15 insertions(+), 5 deletions(-)
 create mode 100644 docker/mariadb/mariadb_sudoers

diff --git a/docker/base/sudoers b/docker/base/sudoers
index 0205b920f8..76baefcb07 100644
--- a/docker/base/sudoers
+++ b/docker/base/sudoers
@@ -14,3 +14,5 @@ root ALL=(ALL) ALL
 # anyone in the kolla group may run /usr/local/bin/kolla_set_configs as the
 # root user via sudo without password confirmation
 %kolla ALL=(root) NOPASSWD: /usr/local/bin/kolla_set_configs
+
+#includedir /etc/sudoers.d
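Review bot: The new `#includedir /etc/sudoers.d` line sits in the base image's sudoers, so every image built on it will treat any file in that directory as sudo policy. The `chmod 750 /etc/sudoers.d` that protects the directory is added only in the mariadb Dockerfile. The base Dockerfile is not part of this patch, but the directory's ownership and mode would be better fixed there, next to the file that enables the include. Because the directive reads like a commented-out line, a note above it would help, e.g. `# '#includedir' is a sudoers directive, not a comment: every file in /etc/sudoers.d is parsed as policy`.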
diff --git a/docker/mariadb/Dockerfile.j2 b/docker/mariadb/Dockerfile.j2
index a840d9b8da..d365048943 100644
--- a/docker/mariadb/Dockerfile.j2
+++ b/docker/mariadb/Dockerfile.j2
@@ -28,9 +28,16 @@ RUN apt-get install -y --no-install-recommends \
 
 {% endif %}
 
+COPY mariadb_sudoers /etc/sudoers.d/mariadb_sudoers
 COPY extend_start.sh /usr/local/bin/kolla_extend_start
 COPY security_reset.expect /usr/local/bin/kolla_security_reset
 RUN chmod 755 /usr/local/bin/kolla_extend_start \
-    && chmod 755 /usr/local/bin/kolla_security_reset
+    && chmod 755 /usr/local/bin/kolla_security_reset \
+    && chmod 750 /etc/sudoers.d \
+    && chmod 440 /etc/sudoers.d/mariadb_sudoers \
+    && usermod -a -G kolla mysql
+
+
+USER mysql
 
 {{ include_footer }}
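Review bot: The RUN chain installs `/etc/sudoers.d/mariadb_sudoers` and sets its mode but never checks that the file parses. A syntax error in an included sudoers file can make sudo refuse every command, and here it would only surface when the container starts as `mysql`. Adding `&& visudo -cf /etc/sudoers.d/mariadb_sudoers \` before the `usermod` step would fail the image build instead. A short comment on `USER mysql` would also help, saying that everything after it, including the entrypoint, runs unprivileged and must go through sudo.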
diff --git a/docker/mariadb/extend_start.sh b/docker/mariadb/extend_start.sh
index 8a8699b886..2ff24b73bf 100644
--- a/docker/mariadb/extend_start.sh
+++ b/docker/mariadb/extend_start.sh
@@ -5,19 +5,19 @@ function bootstrap_db {
 
     # Waiting for deamon
     sleep 10
-    kolla_security_reset
+    sudo -E kolla_security_reset
 
     mysql -u root --password="${DB_ROOT_PASSWORD}" -e "GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' IDENTIFIED BY '${DB_ROOT_PASSWORD}' WITH GRANT OPTION;"
     mysql -u root --password="${DB_ROOT_PASSWORD}" -e "GRANT ALL PRIVILEGES ON *.* TO 'root'@'%' IDENTIFIED BY '${DB_ROOT_PASSWORD}' WITH GRANT OPTION;"
-    mysqladmin -p"${DB_ROOT_PASSWORD}" shutdown
+    mysqladmin -uroot -p"${DB_ROOT_PASSWORD}" shutdown
 }
 
-chown mysql: /var/lib/mysql
+sudo chown mysql: /var/lib/mysql
 
 # This catches all cases of the BOOTSTRAP variable being set, including empty
 if [[ "${!KOLLA_BOOTSTRAP[@]}" ]] && [[ ! -e /var/lib/mysql/cluster.exists ]]; then
     ARGS="--wsrep-new-cluster"
     touch /var/lib/mysql/cluster.exists
-    mysql_install_db --user=mysql
+    mysql_install_db
     bootstrap_db
 fi
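Review bot: `sudo -E kolla_security_reset` asks sudo to preserve the caller's whole environment, but the rule added in `mariadb_sudoers` carries no `SETENV:` tag. Unless the part of `docker/base/sudoers` outside this patch sets `Defaults setenv`, sudo will reject the `-E` request. Even where it is allowed, handing the full environment of the unprivileged `mysql` user to a script run as root is broader than needed. If the expect script only reads `DB_ROOT_PASSWORD` (its source is not shown here), prefer plain `sudo kolla_security_reset` with `Defaults env_keep += "DB_ROOT_PASSWORD"` in the sudoers file. Separately, the result of `sudo chown mysql: /var/lib/mysql` is not checked in the visible lines, so a denied sudo call would only show up later as a `mysql_install_db` failure; `bootstrap_db` begins outside this hunk.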
diff --git a/docker/mariadb/mariadb_sudoers b/docker/mariadb/mariadb_sudoers
new file mode 100644
index 0000000000..c95b1e2ad5
--- /dev/null
+++ b/docker/mariadb/mariadb_sudoers
@@ -0,0 +1 @@
+%kolla ALL=(root) NOPASSWD: /bin/chown mysql\: /var/lib/mysql, /usr/bin/chown mysql\: /var/lib/mysql, /usr/local/bin/kolla_security_reset
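Review bot: The rule is granted to the whole `%kolla` group, although the only account this image needs it for is `mysql`. Naming the user keeps the grant from widening if other accounts join the group later: `mysql ALL=(root) NOPASSWD: /bin/chown mysql\: /var/lib/mysql, /usr/bin/chown mysql\: /var/lib/mysql, /usr/local/bin/kolla_security_reset`. The file would also benefit from a leading comment explaining that both `chown` paths are listed to cover different distro layouts (this looks like the reason, but please confirm), and that the arguments are pinned so no other owner or path can be passed.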
-- 
GitLab