Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

PROD-1331 #4421

Merged
merged 8 commits into from
Nov 20, 2023
Merged

PROD-1331 #4421

merged 8 commits into from
Nov 20, 2023

Conversation

pattisdr
Copy link
Contributor

@pattisdr pattisdr commented Nov 11, 2023
edited by ThomasLaPiana
Loading

Closes #PROD-1331

Description Of Changes

Run fides as non-root user.

Code Changes

  • Creates a non root user to run the application but switches back and forth when root user needs to install something.
  • Switch to non-root user in CI_ARGS and CI_ARGS_EXEC

Steps to Confirm

  • Run fides, whoami is fidesuser. Confirm you can run privacy requests.

Pre-Merge Checklist

@pattisdr
Creates a non root user to run the application but switches back and …
3f207ba 
…forth when root user needs to install something.
@vercel Vercel
Copy link

vercel bot commented Nov 11, 2023
edited
Loading

The latest updates on your projects. Learn more about Vercel for Git ↗︎

1 Ignored Deployment
Name Status Preview Comments Updated (UTC)
fides-plus-nightly ⬜️ Ignored (Inspect) Visit Preview Nov 20, 2023 3:00pm

@pattisdr pattisdr changed the title Creates a non root user to run the application but switches back and … PROD-1331 Nov 11, 2023
@cypress Cypress
Copy link

cypress bot commented Nov 11, 2023
edited
Loading

Passing run #5295 ↗︎

0 4 0 0 Flakiness 0
⚠️ You've recorded test results over your free plan limit.
Upgrade your plan to view test results.

Details:

Merge cd5559c into 141a528...
Project: fides Commit: 6b0f9f888e ℹ️
Status: Passed Duration: 00:32 💡
Started: Nov 20, 2023 3:10 PM Ended: Nov 20, 2023 3:11 PM

Review all test suite changes for PR #4421 ↗︎

@codecov Codecov
Copy link

codecov bot commented Nov 11, 2023
edited
Loading

Codecov Report

All modified and coverable lines are covered by tests ✅

Comparison is base (141a528) 87.10% compared to head (cd5559c) 87.10%.

Additional details and impacted files 
@@           Coverage Diff           @@
##             main    #4421   +/-   ##
=======================================
  Coverage   87.10%   87.10%           
=======================================
  Files         329      329           
  Lines       20366    20366           
  Branches     2623     2623           
=======================================
  Hits        17739    17739           
  Misses       2163     2163           
  Partials      464      464

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

pattisdr
pattisdr commented Nov 13, 2023
View reviewed changes
noxfiles/constants_nox.py
Comment on lines +55 to +57
# The else statement is required due to the way commands are structured and is arbitrary.
CI_ARGS = "-T" if getenv("CI") else "--user=fidesuser"
CI_ARGS_EXEC = "-t" if not getenv("CI") else "--user=fidesuser"
Copy link
Contributor Author

@pattisdr pattisdr Nov 13, 2023
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This was causing numerous tests to fail when running:

docker exec -e ANALYTICS_OPT_OUT -e FIDES__CLI__ANALYTICS_ID --user=root fides pytest --cov-report=xml tests/ctl/ -m 'not external' so I updated it to use the new fidesuser

I'm a little confused about the previous code comment here: The else statement is required due to the way commands are structured and is arbitrary. It seems like the "else" matters, is all.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This doesn't make sense to me either, it seems like the flags (-T or -t) control TTY settings which seems incompatible with specifying a user. The earliest occurrence of this comes from @ThomasLaPiana, maybe he can comment?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes this is a super hacky workaround. Due to the way that commands were injected, it broke if I tried to use an empty string, so instead I used a "dummy" flag which ended up being --user=root. As long as there is something valid in there it should be fine :)

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@ThomasLaPiana the value seemed to matter though which is why I was confused. Once I started running this container as fidesuser and not root, a large number of tests were failing though and changing the value here to --user=fidesuser fixed.

Dockerfile Outdated Show resolved Hide resolved
@daveqnet
Copy link
Contributor

Looks good to me, @pattisdr! This PR meets the security requirement:

~/projects/github/ethyca/fides PROD-1331_run_as_non_root ❯ docker ps | grep -i webserver
3be5d034e8a5   ethyca/fides:local                  "fides webserver"        30 seconds ago   Up 13 seconds (health: starting)   0.0.0.0:8080->8080/tcp     fides
~/projects/github/ethyca/fides PROD-1331_run_as_non_root ❯ docker exec -it 3be5d034e8a5 /bin/bash
fidesuser@3be5d034e8a5:/fides$ whoami
fidesuser
fidesuser@3be5d034e8a5:/fides$ exit
exit
~/projects/github/ethyca/fides PROD-1331_run_as_non_root ❯ docker exec -u 0 -it 3be5d034e8a5 /bin/bash
root@3be5d034e8a5:/fides# apt-get update && apt-get install procps
...
root@3be5d034e8a5:/fides# ps aux
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
fidesus+     1  6.9  4.4 1122584 355832 ?      Ssl  15:41   0:10 /opt/fides/bin/python3 /opt/fides/bin/fides webserver
fidesus+    27  0.0  0.0   5844  3356 pts/0    Ss+  15:41   0:00 /bin/bash
root        84  0.0  0.0   5844  3352 pts/1    Ss   15:43   0:00 /bin/bash
root       445  0.0  0.0   8332  2860 pts/1    R+   15:43   0:00 ps aux
root@3be5d034e8a5:/fides# cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
fidesuser:x:1001:65534::/home/fidesuser:/usr/sbin/nologin
root@3be5d034e8a5:/fides# exit
exit
~/projects/github/ethyca/fides PROD-1331_run_as_non_root ❯

@galvana galvana self-requested a review November 14, 2023 16:27
galvana
galvana approved these changes Nov 17, 2023
View reviewed changes
Copy link
Contributor

@galvana galvana left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

These changes make sense, the only part that threw me off was the CI_ARGS/CI_ARGS_EXEC portion but I tagged @ThomasLaPiana to comment if he remembers. The only change that would be a nice to have is locking down the fides_uploads to the fidesuser like you did in fidesplus.

Dockerfile Outdated Show resolved Hide resolved
noxfiles/constants_nox.py
Comment on lines +55 to +57
# The else statement is required due to the way commands are structured and is arbitrary.
CI_ARGS = "-T" if getenv("CI") else "--user=fidesuser"
CI_ARGS_EXEC = "-t" if not getenv("CI") else "--user=fidesuser"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This doesn't make sense to me either, it seems like the flags (-T or -t) control TTY settings which seems incompatible with specifying a user. The earliest occurrence of this comes from @ThomasLaPiana, maybe he can comment?

Dockerfile Show resolved Hide resolved
@pattisdr
Copy link
Contributor Author

OK @galvana thanks for your review! The changes I've made as a result: I'm chowning the fides directory but leaving the fides user is as-is.

@pattisdr pattisdr merged commit 031f5aa into main Nov 20, 2023
42 checks passed
@pattisdr pattisdr deleted the PROD-1331_run_as_non_root branch November 20, 2023 15:43
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@galvana galvana galvana approved these changes

@ThomasLaPiana ThomasLaPiana ThomasLaPiana approved these changes

@daveqnet daveqnet Awaiting requested review from daveqnet

@NevilleS NevilleS Awaiting requested review from NevilleS

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@pattisdr @daveqnet @galvana @ThomasLaPiana