Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[xenial] Manages PaX flags on Apache under Xenial #4114

Merged
merged 1 commit into from
Feb 12, 2019
Merged

[xenial] Manages PaX flags on Apache under Xenial #4114

merged 1 commit into from
Feb 12, 2019

Conversation

conorsch
Copy link
Contributor

@conorsch conorsch commented Feb 9, 2019

Status

Ready for review.

Description of Changes

Fixes #4110.

Changes proposed in this pull request:

Installs paxctld from distro repos under Xenial, edits the config in
place, and bounces the service. Using paxctld rather than paxctl to
ensure that flags are restored after security updates to the apache2
package via apt, which may occur outside the scope of SecureDrop
updates.

Includes changes to PaX flag management against Firefox (used for
testing) because paxctld ships with suitable flags for firefox already,
via the upstream config. Therefore we can stick to paxctl for Trusty,
but leverage paxctld under Xenial. Reminder that we plan to axe
the entire app-test role once we have external browser testing
working.

Testing

  1. make build-debs-xenial
  2. make staging-xenial
  3. Make a test submission, with both a text and file upload component.
  4. Confirm submission successful.

Deployment

Quite necessary for Xenial compatibility.

Checklist

If you made changes to the server application code:

  • Linting (make ci-lint) and tests (make -C securedrop test) pass in the development container

If you made changes to securedrop-admin:

  • Linting and tests (make -C admin test) pass in the admin development container

If you made changes to the system configuration:

If you made non-trivial code changes:

  • I have written a test plan and validated it for this PR

If you made changes to documentation:

  • Doc linting (make docs-lint) passed locally

Manages PaX flags on Apache under Xenial
01ac3e9 
Installs paxctld from distro repos under Xenial, edits the config in
place, and bounces the service. Using paxctld rather than paxctl to
ensure that flags are restored after security updates to the apache2
package via apt, which may occur outside the scope of SecureDrop
updates.

Includes changes to PaX flag management against Firefox (used for
testing) because paxctld ships with suitable flags for firefox already,
via the upstream config. Therefore we can stick to paxctl for Trusty,
but leverage paxctld under Xenial. Reminder that we plan to axe
the entire `app-test` role once we have external browser testing
working.
@conorsch
Copy link
Contributor Author

conorsch commented Feb 9, 2019

Reminder that the new flag enforcement logic is not present on apt-test; once this PR is approved and merged, we can build and push to facilitate upgrade testing.

@zenmonkeykstop
Copy link
Contributor

zenmonkeykstop commented Feb 10, 2019
edited
Loading

Tested on staging VMs as per plan, file uploads no longer generate the memprotect or temporaryfile errors (did see some larger file uploads fail but that's a known and unrelated issue)

Also removed and reinstalled apache2 on app-staging (as a naive way to test if pax flags are applied on new apache2 binary):

apt-get remove securedrop-app-code
apt-get remove apache2
apt-get install apache2
dpkg -i ~/securedrop-app-code_0.12.0~rc1+xenial_amd64.deb

File uploads continue to work afterwards.

emkll
emkll approved these changes Feb 11, 2019
View reviewed changes
Copy link
Contributor

@emkll emkll left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Local testing following the test plan looks good to me:

  • make build-debs-xenial
  • make staging-xenial
  • Make a test submission, with both a text and file upload component.
  • Confirm submission successful.

Furthermore, I can confirm that:

  • paxctld systemd service is running (and restarts on reboot)
  • all infra tests pass (since only trusty infra tests are run in ci)

As noted in the PR message, once this is merged we should rebuild packages and test the trusty->xenial upgrade scenario to ensure paxctld is installed when ./securedrop-admin install is invoked post-xenial-upgrade.
A couple of minor comments, which shouldn't block merge but might be worth exploring for maintainability:

  1. We are using paxctl elsewhere to handle PaX flags for grub binaries (https://github.com/freedomofpress/securedrop/blob/develop/install_files/ansible-base/roles/grsecurity/tasks/paxctl.yml). Would it make sense to open a ticket to consolidate the PaX flag management?

  2. paxctld by default installs a 97-line config file that sets PaX flags for binaries that either do not exist or do not require it. Would it be less risky for us to manage the paxctld.conf file, instead of relying on the default provided config and appending via postinst? (perhaps similar to what was done in the workstation context?: https://github.com/freedomofpress/securedrop-debian-packaging/tree/master/securedrop-workstation-svs-disp).

install_files/securedrop-app-code/debian/rules
@@ -5,7 +5,7 @@ DEB_DH_INSTALL_ARGS=-X .git
# Set distro-specific packages here, for interpolation in Depends field.
# All other deps can be reused, regardless of distro.
TRUSTY_DEPS=apache2-mpm-worker
XENIAL_DEPS=apache2
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Noting that paxctld is in the universe channel for xenial, but not in the security channel: https://packages.ubuntu.com/xenial/paxctld . Since the cron-apt logic uses only security as the source list (https://github.com/freedomofpress/securedrop/blob/develop/install_files/ansible-base/roles/common/files/5-security), the paxctld dependency will not be resolved if the package is upgraded via the unattended apt upgrades.

In the current upgrade scenario this should work work, since the first version of the xenial package will be installed via ./securedrop-admin install, once the app server has been upgraded to Xenial.

@emkll emkll mentioned this pull request Feb 11, 2019
Closed
@eloquence eloquence changed the title Manages PaX flags on Apache under Xenial [xenial] Manages PaX flags on Apache under Xenial Feb 11, 2019
kushaldas
kushaldas approved these changes Feb 12, 2019
View reviewed changes
Copy link
Contributor

@kushaldas kushaldas left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

  • make build-debs-xenial
  • make staging-xenial
  • Make a test submission, with both a text and file upload component.
  • Confirm submission successful.

@conorsch conorsch merged commit c8db4a7 into develop Feb 12, 2019
@conorsch conorsch deleted the 4110-pax-flags-for-xenial-apache branch February 12, 2019 18:26
@emkll emkll mentioned this pull request Feb 14, 2019
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@kushaldas kushaldas kushaldas approved these changes

@emkll emkll emkll approved these changes

@msheiny msheiny Awaiting requested review from msheiny

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@conorsch @zenmonkeykstop @kushaldas @emkll