Commit f146761d authored by André Anjos's avatar André Anjos 💬

[doc] Document how to improve security on the worker ecosystem

parent 14b639a1
Pipeline #1963 passed with stage
......@@ -372,10 +372,35 @@ concerning these. We provide only some tips which we consider important:
- The scheduler needs read/write access to the cache directory. It does
not use the prefix directory and does not read or treat user
contributions. The scheduler also need access to the Django database.
- The workers need read/write access to the cache directory and read
access to the prefix directory.
access to the prefix directory. The workers also need access to the
Django database.
- The processes launched by the worker need to have similar permissions
as their worker. The user executable though, should have demoted
permissions to increase security. For example, no need to access the
Django database (or the settings file), the prefix or the cache. All is
done via the parent process. In order to implement this, the easiest is
to make sure the worker process is run by an unpriviledged user and a
group with the right access permissions, allowing it to access the
Django database (and the Django settings file), the prefix and the
cache. This will be inherited by the processes launched by the worker,
that will serve data to the processes wrapping the user code. To demote
the user process, just set the group id of the environment executable
to an unpriviledged group. This way, the following security chain is
achieved (pseudo user/groups)::
worker -> process -> environment exec(user code)
[nobody:beat] [nobody:beat] [nobody:nogroup]
It is a requirement by the BEAT platform that this process chain
belongs to the same user. Signals for stopping or killing the
applications in the chain if necessary.
If you don't do anything, then the user code will be run in a process
with the same privileges as the worker application.
* E-mail privileges: e-mailing maybe configured as part of the Django_
standard logging facilities or used to report experiment completion and
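Review bot: the new text has several wording defects that should be fixed before merge, and one security caveat worth stating. "unpriviledged" (two occurrences) should read "unprivileged"; "The scheduler also need access" should be "needs"; and "Signals for stopping or killing the applications in the chain if necessary." is a fragment, presumably meant to say that the same-user requirement exists so that signals can be delivered along the chain. The bullet about the workers also appears twice here ("access to the prefix directory." followed by "access to the prefix directory. The workers also need access to the Django database."), which looks like the old and new versions of the same line; only the version mentioning the Django database should survive. On substance, the doc should make explicit that demoting the user code by setting the group id of the environment executable only restricts file access (cache, prefix, settings file), and that because the whole chain runs under the same user, the user process retains the ability to signal its parent processes; readers should not take "demoted permissions" to mean process-level isolation. It would also help to spell out that the cache and prefix directories must actually be unreadable by the demoted group (e.g. no world-readable permissions), otherwise the group change achieves nothing.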
......@@ -59,9 +59,3 @@ Experiments
* Make sure to remove any spurious logs from the beat.scheduler before
introducing stdout/stderr components to the experiment view
* Support for launching user process under a different user name
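Review bot: the hunk header reports six lines removed from this list, but only three items are visible here, so the extracted diff is incomplete and the rendered commit should be checked for the rest. Of the visible items, dropping "Support for launching user process under a different user name" is consistent with the new requirement documented in the other hunk that the whole worker/process/environment chain belongs to the same user, but that relationship is not stated anywhere; a short note in the security section saying that per-user separation is not supported and that group-based demotion is the intended mechanism would keep the two parts of the documentation from reading as contradictory.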