Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

NAS-130198 / 24.10 / Remove check for whether localhost connection is root #14068

Merged
merged 1 commit into from
Jul 25, 2024
Merged

NAS-130198 / 24.10 / Remove check for whether localhost connection is root #14068

merged 1 commit into from
Jul 25, 2024

Conversation

anodos325
Copy link
Contributor

We don't use this functionality internally and it's a potential security liability if someone decides to set up their own internal proxy to middlewared socket that's running as root, or if an application allows root account and has access to host networking.

@anodos325 anodos325 force-pushed the remove-root-tcpip-handling branch from 2955960 to 44c42f9 Compare July 23, 2024 20:13
@anodos325 anodos325 added jira and removed pending QA labels Jul 23, 2024
@anodos325 anodos325 requested a review from a team July 23, 2024 20:36
@bugclerk
Copy link
Contributor

Jira URL: https://ixsystems.atlassian.net/browse/NAS-130198

@bugclerk bugclerk changed the title Remove check for whether localhost connection is root NAS-130198 / 24.10 / Remove check for whether localhost connection is root Jul 23, 2024
@anodos325 anodos325 requested a review from yocalebo July 23, 2024 20:36
@yocalebo yocalebo requested a review from themylogin July 24, 2024 12:35
yocalebo
yocalebo approved these changes Jul 24, 2024
View reviewed changes
Copy link
Contributor

@yocalebo yocalebo left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm okay with this, but please wait for @themylogin to give it a once over before merge.

themylogin
themylogin requested changes Jul 24, 2024
View reviewed changes
Copy link
Contributor

@themylogin themylogin left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We can remove get_peer_process definition and RootTcpSocketSessionManagerCredentials class, these are not used by anything else

themylogin
themylogin requested changes Jul 24, 2024
View reviewed changes
tests/api2/test_ip_auth.py Outdated Show resolved Hide resolved
@anodos325
Remove check for whether localhost connection is root
0673f0d 
We don't use this functionality internally and it's a potential
security liability if someone decides to set up their own internal
proxy to middlewared socket that's running as root.
@anodos325 anodos325 force-pushed the remove-root-tcpip-handling branch from e2cba56 to 0673f0d Compare July 25, 2024 11:41
@anodos325 anodos325 requested a review from themylogin July 25, 2024 11:42
@anodos325 anodos325 merged commit 676ac40 into master Jul 25, 2024
3 checks passed
@anodos325 anodos325 deleted the remove-root-tcpip-handling branch July 25, 2024 13:22
@bugclerk bugclerk mentioned this pull request Jul 25, 2024
Merged
@bugclerk
Copy link
Contributor

This PR has been merged and conversations have been locked.
If you would like to discuss more about this issue please use our forums or raise a Jira ticket.

@truenas truenas locked as resolved and limited conversation to collaborators Jul 25, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@bmeagherix bmeagherix bmeagherix approved these changes

@yocalebo yocalebo yocalebo approved these changes

@themylogin themylogin themylogin approved these changes

Assignees
No one assigned
Labels
backport-24.10.0.1 backported jira no-time-tracked
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@anodos325 @bugclerk @themylogin @yocalebo @bmeagherix