_FILE variable permission check does not follow symlinks #49653

pebrc · 2019-11-27T16:32:26Z

Elasticsearch version (bin/elasticsearch --version): 7.6.0-SNAPSHOT / 8.0.0-SNAPSHOT

Plugins installed: []

JVM version (java -version): official Docker image

OS version (uname -a if on a Unix-like system): official Docker image

Description of the problem including expected versus actual behavior:
#49182 introduces support for environment variables ending in _FILE to point to a file that will be read to create the value of an environment variable of the name minus the _FILE suffix. The startup script imposes strict permission checks on these files and requires them to have either 0400 or 0600 permissions.

On Kubernetes these sensitive files are typically mounted as so called Secrets into the docker container. That introduces an additional level of indirection with a symlink that has 0777 file permissions and therefore fails the checks in the Elasticsearch startup script.

The expected behaviour would be to check the permissions on the effective file after following symlinks instead.

Example shell session on an ECK managed Elasticsearch container to illustrate the problem:

[root@cluster1-es-default-0 elasticsearch]# ls -l /mnt/elastic-internal/probe-user/
total 0
lrwxrwxrwx 1 root root 29 Nov 27 15:55 elastic-internal-probe -> ..data/elastic-internal-probe
[root@cluster1-es-default-0 elasticsearch]# ls -l /mnt/elastic-internal/probe-user/..data/elastic-internal-probe 
-rw------- 1 root root 24 Nov 27 15:55 /mnt/elastic-internal/probe-user/..data/elastic-internal-probe

where /mnt/elastic-internal/proble-user is a volume mount of a k8s volume with the following definition:

  - name: elastic-internal-probe-user
    secret:
      defaultMode: 384
      items:
      - key: elastic-internal-probe
        path: elastic-internal-probe
      optional: false
      secretName: cluster1-es-internal-users

Note: defaultMode are the file permissions base 10 ie. 384 == 0600

Steps to reproduce:
Run Elasticsearch 7.6.0-SNAPSHOT on k8s with an environment variable ending in _FILE and a corresponding file mounted into the pod. Probably the easiest way to achieve that is to
run Elasticsearch on ECK 1.0.0-beta1 with this manifest:

apiVersion: elasticsearch.k8s.elastic.co/v1beta1                                                                                                                                                                      
kind: Elasticsearch                                                                                                                                                                                                   
metadata:                                                                                                                                                                                                             
  name: cluster1                                                                                                                                                                                                      
spec:                                                                                                                                                                                                                 
  image: my.private.docker/registry/elasticsearch:7.6.0-SNAPSHOT                                                                                                                                                              
  version: 7.6.0                                                                                                                                                                                                      
  nodeSets:                                                                                                                                                                                                           
  - count: 1                                                                                                                                                                                                          
    name: default                                                                                                                                                                                                     
    config:                                                                                                                                                                                                           
      node.store.allow_mmap: false

The text was updated successfully, but these errors were encountered:

elasticmachine · 2019-11-27T16:42:32Z

Pinging @elastic/es-core-infra (:Core/Infra/Packaging)

Closes elastic#49653. When using _FILE environment variables to supply values to Elasticsearch, following symlinks when checking that file permissions are secure.

Closes #49653. When using _FILE environment variables to supply values to Elasticsearch, following symlinks when checking that file permissions are secure.

Closes elastic#49653. When using _FILE environment variables to supply values to Elasticsearch, following symlinks when checking that file permissions are secure.

Backport of #50927. Closes #49653. When using _FILE environment variables to supply values to Elasticsearch, following symlinks when checking that file permissions are secure.

Closes elastic#49653. When using _FILE environment variables to supply values to Elasticsearch, following symlinks when checking that file permissions are secure.

pebrc changed the title ~~_FILE variable support causes issues on k8s~~ _FILE variable permission check does not follow symlinks Nov 27, 2019

This was referenced Nov 27, 2019

Elasticsearch support for _FILE environment variables breaks ECK readiness proble elastic/cloud-on-k8s#2177

Closed

Do not use env variables ending in _FILE with Elasticsearch elastic/cloud-on-k8s#2180

Merged

pugnascotia added the :Delivery/Packaging RPM and deb packaging, tar and zip archives, shell and batch scripts label Nov 27, 2019

pugnascotia added v7.6.0 v8.0.0 labels Nov 27, 2019

pugnascotia self-assigned this Nov 27, 2019

pugnascotia mentioned this issue Jan 13, 2020

Follow symlinks in Docker entrypoint #50927

Merged

$@polyfractal$ polyfractal added v7.7.0 and removed v7.6.0 labels Jan 15, 2020

pugnascotia closed this as completed in #50927 Jan 16, 2020

pugnascotia added a commit that referenced this issue Jan 16, 2020

Follow symlinks in Docker entrypoint (#50927)

0dfb72e

Closes #49653. When using _FILE environment variables to supply values to Elasticsearch, following symlinks when checking that file permissions are secure.

pugnascotia mentioned this issue Jan 16, 2020

Follow symlinks in Docker entrypoint #51101

Merged

pugnascotia mentioned this issue Jan 16, 2020

Follow symlinks in Docker entrypoint #51102

Merged

mark-vieira added the Team:Delivery Meta label for Delivery team label Nov 11, 2020

jakelandis added v8.0.0-alpha1 and removed v8.0.0 labels Jul 26, 2021

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

_FILE variable permission check does not follow symlinks #49653

_FILE variable permission check does not follow symlinks #49653

pebrc commented Nov 27, 2019 •

edited

Loading

elasticmachine commented Nov 27, 2019

_FILE variable permission check does not follow symlinks #49653

_FILE variable permission check does not follow symlinks #49653

Comments

pebrc commented Nov 27, 2019 • edited Loading

elasticmachine commented Nov 27, 2019

pebrc commented Nov 27, 2019 •

edited

Loading