From f1d27f7ddbe897f08ca506e18e9f9cdffbf9bc59 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rados=C5=82aw=20Piliszek?=
Date: Fri, 26 Aug 2022 21:48:54 +0200
Subject: [PATCH] [security] Make Ironic tftpd run as nobody

This avoids root privileges in tftpd's unprivileged container.

Change-Id: I50366205c9cefe2af26c27580c02368f029b7605
---
 ansible/roles/ironic/templates/ironic-tftp.json.j2 | 2 +-
 releasenotes/notes/ironic-tftp-nobody-835803ba36398ea3.yaml | 6 ++++++
 2 files changed, 7 insertions(+), 1 deletion(-)
 create mode 100644 releasenotes/notes/ironic-tftp-nobody-835803ba36398ea3.yaml

diff --git a/ansible/roles/ironic/templates/ironic-tftp.json.j2 b/ansible/roles/ironic/templates/ironic-tftp.json.j2
index f3b426fcf7..46859ef61d 100644
--- a/ansible/roles/ironic/templates/ironic-tftp.json.j2
+++ b/ansible/roles/ironic/templates/ironic-tftp.json.j2
@@ -2,7 +2,7 @@
 {% set pxe_cfg = 'grub.cfg' if enable_ironic_pxe_uefi | bool else 'default' %}
 {
- "command": "/usr/sbin/in.tftpd --verbose --foreground --user root --address 0.0.0.0:69 --map-file /map-file /var/lib/ironic/tftpboot",
+ "command": "/usr/sbin/in.tftpd --verbose --foreground --user nobody --address 0.0.0.0:69 --map-file /map-file /var/lib/ironic/tftpboot",
 "config_files": [
 {% if not ironic_dnsmasq_serve_ipxe | bool and groups['ironic-inspector'] | length > 0 %}
 {% if not enable_ironic_pxe_uefi | bool %}
diff --git a/releasenotes/notes/ironic-tftp-nobody-835803ba36398ea3.yaml b/releasenotes/notes/ironic-tftp-nobody-835803ba36398ea3.yaml
new file mode 100644
index 0000000000..2c7489e60e
--- /dev/null
+++ b/releasenotes/notes/ironic-tftp-nobody-835803ba36398ea3.yaml
@@ -0,0 +1,6 @@
+---
+security:
+ - |
+ Kolla Ansible used to run Ironic's tftpd as an (unprivileged) root
+ user.
+ Now, it will explicitly use the nobody user.
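Review bot: With `--user nobody` on the `command` line, everything in.tftpd serves from `/var/lib/ironic/tftpboot` must now be reachable by `nobody`, and the hunk does not show that this is guaranteed. The `config_files` list continues outside the hunk, so its owner/perm entries are not visible; confirm that every directory on the path is traversable by `nobody` and every served file is world-readable, since root in the container presumably bypassed directory permissions before. The daemon presumably still has to start as root to bind port 69 and then drop privileges, so a one-line Jinja comment such as `{# in.tftpd starts as root to bind :69, then drops to nobody #}` above the JSON would help the next reader. Separately, the same line keeps `--address 0.0.0.0:69`; TFTP is unauthenticated, so consider templating the listen address to the provisioning network, e.g. `--address {{ <provisioning_listen_address> }}:69` (placeholder variable name).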