From f1d27f7ddbe897f08ca506e18e9f9cdffbf9bc59 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rados=C5=82aw=20Piliszek?= <radoslaw.piliszek@gmail.com>
Date: Fri, 26 Aug 2022 21:48:54 +0200
Subject: [PATCH] [security] Make Ironic tftpd run as nobody

This avoids root privileges in tftpd's unprivileged container.

Change-Id: I50366205c9cefe2af26c27580c02368f029b7605
---
 ansible/roles/ironic/templates/ironic-tftp.json.j2          | 2 +-
 releasenotes/notes/ironic-tftp-nobody-835803ba36398ea3.yaml | 6 ++++++
 2 files changed, 7 insertions(+), 1 deletion(-)
 create mode 100644 releasenotes/notes/ironic-tftp-nobody-835803ba36398ea3.yaml

diff --git a/ansible/roles/ironic/templates/ironic-tftp.json.j2 b/ansible/roles/ironic/templates/ironic-tftp.json.j2
index f3b426fcf7..46859ef61d 100644
--- a/ansible/roles/ironic/templates/ironic-tftp.json.j2
+++ b/ansible/roles/ironic/templates/ironic-tftp.json.j2
@@ -2,7 +2,7 @@
 {% set pxe_cfg = 'grub.cfg' if enable_ironic_pxe_uefi | bool else 'default' %}
 
 {
-    "command": "/usr/sbin/in.tftpd --verbose --foreground --user root --address 0.0.0.0:69 --map-file /map-file /var/lib/ironic/tftpboot",
+    "command": "/usr/sbin/in.tftpd --verbose --foreground --user nobody --address 0.0.0.0:69 --map-file /map-file /var/lib/ironic/tftpboot",
     "config_files": [
 {% if not ironic_dnsmasq_serve_ipxe | bool and groups['ironic-inspector'] | length > 0 %}
 {% if not enable_ironic_pxe_uefi | bool %}
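Review bot: With `--user nobody` on the `command` line, in.tftpd handles requests as nobody, so `/map-file` and everything under `/var/lib/ironic/tftpboot` must be readable by that account, and nothing visible in this hunk checks that. The `config_files` list continues outside the hunk, so confirm that the `owner`/`perm` values there leave the served files readable but not writable by others; an owner-only mode would presumably show up as failed PXE boots rather than a startup error. The drop also appears to depend on the container process starting as root so it can bind port 69 before switching user. A Jinja comment above the JSON would record both assumptions, for example `{# in.tftpd starts as root to bind :69, then drops to nobody; served files must be readable by nobody #}`.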
diff --git a/releasenotes/notes/ironic-tftp-nobody-835803ba36398ea3.yaml b/releasenotes/notes/ironic-tftp-nobody-835803ba36398ea3.yaml
new file mode 100644
index 0000000000..2c7489e60e
--- /dev/null
+++ b/releasenotes/notes/ironic-tftp-nobody-835803ba36398ea3.yaml
@@ -0,0 +1,6 @@
+---
+security:
+  - |
+    Kolla Ansible used to run Ironic's tftpd as an (unprivileged) root
+    user.
+    Now, it will explicitly use the nobody user.