client: disable running artifact downloader as nobody (#16375)

* client: disable running artifact downloader as nobody

This PR reverts a change from Nomad 1.5 where artifact downloads were
executed as the nobody user on Linux systems. This was done as an attempt
to improve the security model of artifact downloading where third-party
tools such as git or mercurial would be run as the root user, with all
the security implications thereof.

However, doing so conflicts with Nomad's own advice for securing the
Client data directory - which when set up with the recommended directory
permissions structure prevents artifact downloads from working as intended.

Artifact downloads are at least still now executed as a child process of
the Nomad agent, and on modern Linux systems make use of the kernel Landlock
feature for limiting filesystem access of the child process.

* docs: update upgrade guide for 1.5.1 sandboxing

* docs: add cl

* docs: add title to upgrade guide fix
Seth Hoenig 2023-03-08 15:58:43 -06:00 committed by GitHub
parent 2b5efeac04
commit ff4503aac6
3 changed files with 23 additions and 10 deletions
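The conflict the commit message describes, a `nobody` download child against a hardened data directory, as an added example written for this page (Go, standard library only; it is not Nomad's code). It re-creates the two credential policies under made-up names `credentials150` and `credentials151`, builds a temporary 0700 tree standing in for the hardened `data_dir` (the exact layout from the hardening guide is assumed, not copied), and applies plain Unix permission rules to show which child could write a fetched artifact there. The Landlock step is left out because it needs the external `go-landlock` module; the point here is only the permission mismatch that motivated the revert.

```go
package main

import (
	"fmt"
	"os"
	"os/user"
	"path/filepath"
	"strconv"
	"syscall"
)

// credentials150 mirrors the 1.5.0 behaviour (illustration, not Nomad's code):
// a root agent drops the download child to nobody, an unprivileged agent
// keeps its own identity.
func credentials150(agentUID, agentGID, nobodyUID, nobodyGID uint32) (uint32, uint32) {
	if agentUID == 0 {
		return nobodyUID, nobodyGID
	}
	return agentUID, agentGID
}

// credentials151 mirrors the 1.5.1 behaviour: always the agent's identity,
// so a root agent runs git/hg as root.
func credentials151(agentUID, agentGID uint32) (uint32, uint32) {
	return agentUID, agentGID
}

// nobodyIDs resolves the nobody account, falling back to the conventional
// 65534 (an assumption) when the lookup fails.
func nobodyIDs() (uint32, uint32) {
	u, err := user.Lookup("nobody")
	if err != nil {
		return 65534, 65534
	}
	uid, errU := strconv.ParseUint(u.Uid, 10, 32)
	gid, errG := strconv.ParseUint(u.Gid, 10, 32)
	if errU != nil || errG != nil {
		return 65534, 65534
	}
	return uint32(uid), uint32(gid)
}

// canWriteDir applies plain Unix DAC to a single directory: uid 0 always
// passes (CAP_DAC_OVERRIDE); otherwise the w+x bits of the matching
// owner/group/other class must be set. Supplementary groups, ACLs, LSMs and
// parent-directory traversal are deliberately ignored to keep the rule visible.
func canWriteDir(dir string, uid, gid uint32) (bool, error) {
	fi, err := os.Stat(dir)
	if err != nil {
		return false, err
	}
	if !fi.IsDir() {
		return false, fmt.Errorf("%s: not a directory", dir)
	}
	st, ok := fi.Sys().(*syscall.Stat_t) // Unix only
	if !ok {
		return false, fmt.Errorf("%s: no Stat_t available", dir)
	}
	if uid == 0 {
		return true, nil
	}
	perm := fi.Mode().Perm()
	var need os.FileMode
	switch {
	case st.Uid == uid:
		need = 0o300
	case st.Gid == gid:
		need = 0o030
	default:
		need = 0o003
	}
	return perm&need == need, nil
}

// demo builds a hardened-style data_dir (0700, owned by this process) and
// reports whether the 1.5.0 child and the 1.5.1 child could write a fetched
// artifact into the task's local directory. The alloc/task/local path is a
// constructed stand-in. Returns (nobodyPolicyCanWrite, agentPolicyCanWrite).
func demo(agentUID, agentGID, nobodyUID, nobodyGID uint32) (bool, bool, error) {
	root, err := os.MkdirTemp("", "nomad-data-")
	if err != nil {
		return false, false, err
	}
	defer os.RemoveAll(root)
	local := filepath.Join(root, "alloc", "task", "local")
	if err := os.MkdirAll(local, 0o700); err != nil {
		return false, false, err
	}
	u0, g0 := credentials150(agentUID, agentGID, nobodyUID, nobodyGID)
	u1, g1 := credentials151(agentUID, agentGID)
	oldOK, err := canWriteDir(local, u0, g0)
	if err != nil {
		return false, false, err
	}
	newOK, err := canWriteDir(local, u1, g1)
	if err != nil {
		return false, false, err
	}
	return oldOK, newOK, nil
}

func main() {
	nu, ng := nobodyIDs()
	// Evaluate as if the agent were root, the case the 1.5.0 change targeted.
	oldOK, newOK, err := demo(0, 0, nu, ng)
	if err != nil {
		fmt.Println("error:", err)
		os.Exit(1)
	}
	fmt.Printf("1.5.0 policy (nobody %d:%d) can write: %v\n", nu, ng, oldOK)
	fmt.Printf("1.5.1 policy (agent 0:0) can write: %v\n", newOK)
}
```

Run it on any Linux host, as any user: evaluated for a root agent, the 1.5.0 policy is refused by the 0700 tree even though that same tree is fine for a child that keeps the agent's identity, which is the incompatibility the commit message cites. The flip side is visible in `canWriteDir`: uid 0 passes every DAC check, so for root-run agents the Landlock rules are now the only filesystem boundary around git and mercurial, and Landlock limits which paths the child can reach without taking away the root credentials themselves.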

.changelog/16375.txt Normal file
View File

@ -0,0 +1,3 @@
```release-note:bug
client: Fixed a bug where artifact downloading failed on hardened nodes
```
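Review bot: the release note is filed as a plain `bug` and says only that downloads "failed on hardened nodes", which hides the security-relevant half of this change: on agents running as root, git, mercurial and the other fetchers now execute as root again, as they did before 1.5.0. Suggest stating that in the note itself, e.g. "artifact downloads are no longer run as the `nobody` user; on root-run agents the download child runs as root, confined by Landlock on supported kernels", so operators who adopted 1.5.0 for that sandboxing can see what they lose when upgrading.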

View File

@ -7,7 +7,6 @@ import (
"path/filepath"
"syscall"
"github.com/hashicorp/nomad/helper/users"
"github.com/shoenig/go-landlock"
)
@ -37,16 +36,10 @@ func attributes() *syscall.SysProcAttr {
}
// credentials returns the UID and GID of the user the child process
// will run as. On Linux systems this will be the nobody user if Nomad
// is being run as the root user, or the user Nomad is being run as
// otherwise.
// will run as - for now this is always the same user the Nomad agent is
// running as.
func credentials() (uint32, uint32) {
switch userUID {
case 0:
return users.NobodyIDs()
default:
return userUID, userGID
}
return userUID, userGID
}
// defaultEnvironment is the default minimal environment variables for Linux.
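Review bot: the new doc comment on `credentials` understates the consequence of dropping the `case 0` branch: when the agent runs as root, `userUID` is 0 and the download child (and the git/hg it execs) now has full root, so the comment should say so explicitly and point at the Landlock rules elsewhere in this file as the only remaining confinement. With the `switch` gone the function is a one-line accessor for `userUID, userGID`; either inline it at the call site or keep it with a short note on why the `nobody` branch was removed (hardened `data_dir` permissions), so the next reader neither reintroduces it nor deletes it as dead code.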

View File

@ -13,6 +13,22 @@ upgrade. However, specific versions of Nomad may have more details provided for
their upgrades as a result of new features or changed behavior. This page is
used to document those details separately from the standard upgrade flow.
## Nomad 1.5.1
#### Artifact Download Regression Fix
Nomad 1.5.1 reverts a behavior of 1.5.0 where artifact downloads were executed
as the `nobody` user on compatible Linux systems. This was done optimistically
as defense against compromised artifact endpoints attempting to exploit the
Nomad Client or tools it uses to perform downloads such as git or mercurial.
Unfortunately running the child process as any user other than root is not
compatible with the advice given in Nomad's [security hardening guide][hard_guide]
which calls for a specific directory tree structure making such operation impossible.
Other changes to artifact downloading remain - they are executed as a child
process of the Nomad agent, and on modern Linux systems make use of the Kernel
landlock feature to restrict filesystem access from that process.
## Nomad 1.5.0
#### Pause Container Reconciliation Regression
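Review bot: "running the child process as any user other than root is not compatible" is inaccurate as written: 1.5.0 only switched to `nobody` when the agent itself ran as root, and unprivileged agents have always run downloads as their own user, which the hardening guide's layout does support. Suggest "running the download child as `nobody` when the agent runs as root is not compatible with the advice given in Nomad's security hardening guide". The paragraph should also state plainly what operators get back and what they lose (on root-run agents git and mercurial run as root again, with Landlock as the only filesystem restriction on supported kernels), and `Kernel landlock` should read `kernel Landlock`, matching the commit message.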
@ -1691,3 +1707,4 @@ deleted and then Nomad 0.3.0 can be launched.
[decompression_size_limit]: /nomad/docs/configuration/client#decompression_size_limit
[artifact_env]: /nomad/docs/configuration/client#set_environment_variables
[dangling_container_reconciliation]: /nomad/docs/drivers/docker#enabled
[hard_guide]: /nomad/docs/install/production/requirements#hardening-nomad