tedge-agent: support writing to any file when running as tedge user #2456
Description
Is your feature request related to a problem? Please describe.
Currently the tedge-configuration-plugin runs as the root user to provide it the permissions required to read and write any file on the system it is running on. However, with the merging of the tedge-configuration-plugin into the tedge-agent (amongst other additional plugins), this presents a problem because the tedge-agent is running under the tedge user. This results in the loss of the ability to change any configuration on the file system.
The problem can be broken into two key functional requirements:
- read any file
- write any file (depending on sudoers rules)
Read any file -> Read any file with global read permissions
I would propose to change the requirement from "Read any file" to "Read any file which a non-root user is permitted to read".
Enabling the ability to read any file presents a security risk of accidentally publishing data from protected files to the cloud. For example, the tedge private certificate (default path: /etc/tedge/device-certs/tedge-private-key.pem) should NEVER be exposed (and it is currently configured to be readable only by the mosquitto user):

```
$ ls -l /etc/tedge/device-certs/tedge-private-key.pem
-r-------- 1 mosquitto mosquitto 246 Nov 9 13:50 /etc/tedge/device-certs/tedge-private-key.pem
```

In reality, files which do not contain sensitive/secret information are at least readable by all users (not writable, but readable), and reading files as the non-root user (tedge) is preferred because it avoids exposing information.
Write any file
Writing any file is an important feature that has to be retained, because administering the operating system remotely requires keeping control over it, and this mostly means writing to files which are owned by, or only writable by, the root user (e.g. the Debian APT sources list: /etc/apt/sources.list).
Security around calling tedge-write can be managed by the sudoers mechanism, which lets administrators allow or disallow the tedge user calling the tedge-write binary.
Note: It would be possible to overwrite protected files (such as the private certificate); however, the existing file contents (with potentially sensitive information) would be replaced by the new contents, so the contents are still not exposed (the old contents are lost, but at least not exposed).
Describe the solution you'd like
Create a custom executable called tedge-write (name is subject to change) (as part of the multi-call binary) which is used to write a specific file with elevated rights (if enabled under sudo).
Usage:

```
tedge-write <SOURCE_FILE> <DESTINATION_FILE> [[--mode <mode_octal>] [--user <user>] [--group <group>]]
```

The binary should be owned by tedge (to allow execution when running without sudo), but it should not allow any other non-root users to execute, read or write the binary.
For example, the desired settings can be configured using:

```sh
chmod 700 /usr/bin/tedge-write
chown tedge:tedge /usr/bin/tedge-write
```

For installations with sudo, the tedge-write binary should be added to the /etc/sudoers.d/ file for the tedge user.

file: /etc/sudoers.d/tedge-write

```
tedge ALL = (ALL) NOPASSWD: /usr/bin/tedge-write * /etc/*
```
Note
- The exact sudoers rule depends on the implementation (e.g. should the source or destination be first). Verify the sudoers rules to ensure the tedge-write scope for destination files can be restricted
Writing to a file
A file can be written to by copying a source file to the target file using the following command:

```sh
sudo tedge-write /some/local/tmp/file /etc/tedge/value --mode 644 --user root --group root
```

For installations that are not using sudo, the tedge-write command will be called directly; however, the command will fail if the user tries to set a permission that the process user does not have access to, or tries to change the ownership of the file to any other user.

```sh
tedge-write /some/local/tmp/file /etc/tedge/value --mode 644 --user tedge --group tedge
```

Configuration option
A tedge config option to disable sudo usage when calling tedge-write. This would allow system administrators to modify the sudoers.d/tedge file to disallow the tedge user from calling tedge-write via sudo, so that the tedge-agent can be restricted to only modifying files that the tedge user can write to.
Without this feature, calls to tedge-write would fail automatically because tedge always uses sudo (if installed) when calling a function, regardless of whether sudo is required or not (at least that is the current implementation).
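To make the "Writing to a file" flow and the scope note concrete, here is an added example of my own (not thin-edge.io's tedge-write) as a POSIX shell function: it copies a source file to a destination with an optional mode, owner and group, stages the contents next to the target and renames them into place, and refuses destinations that do not resolve inside an assumed TEDGE_WRITE_ROOT (default /etc). The in-tool check is there because a sudoers pattern such as `* /etc/*` is only a coarse filter: sudoers wildcards also match white space and do not canonicalise `..` components.

```shell
#!/bin/sh
# Hypothetical model of tedge-write (my own sketch, not the thin-edge.io code):
# copy SOURCE to DESTINATION with an optional mode, owner and group, refusing
# destinations that do not resolve inside TEDGE_WRITE_ROOT (assumed, default /etc).
# Usage: tedge_write SOURCE DESTINATION [--mode OCTAL] [--user USER] [--group GROUP]
tedge_write() {
    [ $# -ge 2 ] || { echo "usage: tedge_write SOURCE DESTINATION [options]" >&2; return 2; }
    src=$1; dst=$2; shift 2
    mode=''; user=''; group=''
    while [ $# -gt 0 ]; do
        [ $# -ge 2 ] || { echo "tedge-write: option $1 requires a value" >&2; return 2; }
        case $1 in
            --mode)  mode=$2 ;;
            --user)  user=$2 ;;
            --group) group=$2 ;;
            *) echo "tedge-write: unknown option: $1" >&2; return 2 ;;
        esac
        shift 2
    done
    # Resolve the allowed root and the destination's directory (the file itself
    # may not exist yet) to physical paths, so symlinks and ".." components
    # cannot escape the root. The sudoers pattern alone does not do this.
    root=$(cd "${TEDGE_WRITE_ROOT:-/etc}" 2>/dev/null && pwd -P) || return 1
    dst_dir=$(cd "$(dirname "$dst")" 2>/dev/null && pwd -P) || {
        echo "tedge-write: destination directory does not exist: $dst" >&2; return 1; }
    case "$dst_dir/" in
        "$root/"*) ;;
        *) echo "tedge-write: destination outside $root: $dst" >&2; return 1 ;;
    esac
    # Stage the new contents next to the target (mktemp gives 0600), apply the
    # requested attributes, then rename into place so readers never observe a
    # partially written configuration file.
    tmp=$(mktemp "$dst_dir/.tedge-write.XXXXXX") || return 1
    if cp "$src" "$tmp" \
        && { [ -z "$mode" ]  || chmod "$mode" "$tmp"; } \
        && { [ -z "$user" ]  || chown "$user" "$tmp"; } \
        && { [ -z "$group" ] || chgrp "$group" "$tmp"; } \
        && mv -f "$tmp" "$dst"; then
        return 0
    fi
    # Any failure (unreadable source, chown without root privileges, ...)
    # leaves the existing destination untouched.
    rm -f "$tmp"
    return 1
}
```

Run as the tedge user without sudo, the chown/chgrp step fails exactly as the text above describes, and the existing destination is left as it was.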