
Instances are created with insecure permissions

Open ssm opened this issue 9 years ago • 2 comments

Elasticsearch instances are installed with insecure file permissions.

A default install contains a possibility for the elasticsearch user to become root.

If someone gains code execution privileges on Elasticsearch, they can write to:

  • config
  • binaries
  • plugins

…to gain persistence on the system.

They can also write to:

  • init script
  • systemd service

…to gain root privileges. Game over.

Proposed solution

Please ensure that configured elasticsearch instances do not own or have write permissions anywhere but their rundir (pid files), vardir (the indices) and logdir (for logs).

Install the instance and plugins as root, and run it as elasticsearch. Change ownership and write permissions only if needed to run the instance.

Allow the user to override file permissions.

In addition, please look at using systemd features in the configured elasticsearch service instance, like:

ProtectHome=
ProtectSystem=
PrivateDevices=
PrivateTmp=

…to reduce the privileges the running process has.

(see man:systemd.exec)

Example

To reproduce this in a clean install / vm / docker instance / etc…:

# Install puppet
root@a4b5b07020bf:~# apt update
root@a4b5b07020bf:~# apt install puppet

# Install this module, and use it
root@a4b5b07020bf:~# puppet module install elasticsearch-elasticsearch
root@a4b5b07020bf:~# puppet apply -e 'class { "elasticsearch": } elasticsearch::instance { "test": }'

# Investigate results
root@a4b5b07020bf:~# find / -xdev -user elasticsearch -ls
3413207    4 drwxr-xr-x   3 elasticsearch elasticsearch     4096 Jan 29 20:15 /etc/elasticsearch
3412161    4 drwxr-xr-x   2 elasticsearch elasticsearch     4096 Jan 29 20:15 /etc/elasticsearch/test
3413209    0 lrwxrwxrwx   1 elasticsearch elasticsearch       32 Jan 29 20:15 /etc/elasticsearch/test/scripts -> /usr/share/elasticsearch/scripts
3413210    4 -rw-r--r--   1 elasticsearch elasticsearch      113 Jan 29 20:15 /etc/elasticsearch/test/elasticsearch.yml
3413429    4 -rw-r--r--   1 elasticsearch elasticsearch     1558 Jan 29 20:15 /etc/elasticsearch/test/logging.yml
3933282    4 drwxr-xr-x   8 elasticsearch elasticsearch     4096 Jan 29 20:15 /usr/share/elasticsearch
4063616    4 drwxr-xr-x   2 elasticsearch elasticsearch     4096 Jan 29 20:15 /usr/share/elasticsearch/scripts
4063613    4 drwxr-xr-x   3 elasticsearch elasticsearch     4096 Jan 29 20:15 /usr/share/elasticsearch/data
4063617    4 drwxr-xr-x   2 elasticsearch root         4096 Jan 29 20:15 /usr/share/elasticsearch/data/test
3933284    4 drwxr-xr-x   2 elasticsearch elasticsearch     4096 Jan 29 20:15 /usr/share/elasticsearch/bin
3933285    4 -rwxr-xr-x   1 elasticsearch elasticsearch     2131 Apr 27  2015 /usr/share/elasticsearch/bin/elasticsearch.in.sh
3933287    8 -rwxr-xr-x   1 elasticsearch elasticsearch     6696 Apr 27  2015 /usr/share/elasticsearch/bin/elasticsearch
3933286    4 -rwxr-xr-x   1 elasticsearch elasticsearch     1112 Apr 27  2015 /usr/share/elasticsearch/bin/plugin
3933288    4 -rwxr-xr-x   1 elasticsearch elasticsearch      320 Apr 27  2015 /usr/share/elasticsearch/bin/classpath.in.sh
4063615    4 drwxr-xr-x   2 elasticsearch elasticsearch     4096 Jan 29 20:15 /usr/share/elasticsearch/templates_import
4063614    4 drwxr-xr-x   2 elasticsearch elasticsearch     4096 Jan 29 20:15 /usr/share/elasticsearch/lib
3413430    4 -rw-r--r--   1 elasticsearch elasticsearch      891 Jan 29 20:15 /lib/systemd/system/elasticsearch-test.service
3933295    4 drwxr-xr-x   2 elasticsearch elasticsearch     4096 Apr 27  2015 /var/lib/elasticsearch
3675341    4 drwxr-xr-x   2 elasticsearch elasticsearch     4096 Apr 27  2015 /var/log/elasticsearch
3408156    4 drwxr-xr-x   2 elasticsearch root         4096 Jan 29 20:15 /run/elasticsearch

Most of these should be owned by root, and only readable for the running service.

ssm avatar Jan 29 '16 20:01 ssm
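A check for the layout proposed above, added here as an example and not part of the module or the report: it lists every path under a root that the service user owns (or that is group/world-writable) outside the directories it legitimately writes to. The demo runs it over a constructed tree owned by the current user, which stands in for the elasticsearch user since creating that user needs root.

```bash
#!/usr/bin/env bash
# Added example, not code from the puppet-elasticsearch module or the issue.
# Audit a tree for paths the service user could tamper with: anything it owns
# outside its writable dirs (rundir, vardir, logdir), plus anything
# group- or world-writable. Prints one path per line; empty output is clean.

audit_service_paths() {
  local root=$1 user=$2; shift 2
  local prune=()
  for d in "$@"; do
    prune+=(-path "$d" -o)
  done
  # Allowed dirs are pruned (not descended into, not reported); everything
  # else is reported if the service user owns it or it is group/world-writable.
  find "$root" -xdev \( "${prune[@]}" -false \) -prune -o \
    \( -user "$user" -o -perm -g+w -o -perm -o+w \) -print
}

# Number of findings; 0 means the tree matches the proposed layout.
audit_finding_count() {
  audit_service_paths "$@" | wc -l | tr -d ' '
}

# Stand-alone demo on a constructed tree mirroring the paths in the report.
demo() {
  local t; t=$(mktemp -d)
  mkdir -p "$t/etc/elasticsearch/test" "$t/lib/systemd/system" \
    "$t/var/lib/elasticsearch/test" "$t/var/log/elasticsearch" "$t/run/elasticsearch"
  : > "$t/etc/elasticsearch/test/elasticsearch.yml"
  : > "$t/lib/systemd/system/elasticsearch-test.service"
  : > "$t/var/lib/elasticsearch/test/index"
  # Config and unit file are reported; the index under vardir is not.
  audit_service_paths "$t" "$(id -un)" \
    "$t/var/lib/elasticsearch" "$t/var/log/elasticsearch" "$t/run/elasticsearch"
  rm -rf "$t"
}
```

On a real host run it as `audit_service_paths / elasticsearch /run/elasticsearch /var/lib/elasticsearch /var/log/elasticsearch` and compare with the `find` output in the report.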

Hi. Thank you very much for this detailed report. The init / systemd file should be root which is a big mistake on my side indeed. For some of the others I'll look at what the packages do by default and follow that.

electrical avatar Jan 30 '16 13:01 electrical

Hi,

It seems like the systemd service file is still owned by the elasticsearch user/group.

The default owner/group for the 'File' resource is defined here:

https://github.com/elastic/puppet-elasticsearch/blob/6f4c7dd1b2db73d4721630491b9ae10517e303bb/manifests/instance.pp#L172-L175

causing it to be changed from root:root to elasticsearch:elasticsearch here:

https://github.com/elastic/puppet-elasticsearch/blob/6f4c7dd1b2db73d4721630491b9ae10517e303bb/manifests/service/systemd.pp#L169

hex2a avatar Oct 09 '17 09:10 hex2a