add deprecation warning for allow_superuser: true #16555
Open: kaisecheng wants to merge 2 commits into elastic:8.x from kaisecheng:8x_deprecation_log_superuser
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -482,8 +482,17 @@ def execute | |
|
||
def running_as_superuser | ||
if Process.euid() == 0 | ||
unless @settings.set?("allow_superuser") | ||
deprecation_logger.deprecated("WARNING: You are currently running Logstash with superuser privileges. " + | ||
"Starting from version 9, this will be disabled by default. " + | ||
"To avoid disruption during the upgrade, set 'allow_superuser' to true now if you wish to continue running as superuser temporarily after the upgrade. " + | ||
"Note that this is not recommended for security reasons.") | ||
end | ||
|
||
if setting("allow_superuser") | ||
deprecation_logger.deprecated("NOTICE: Running Logstash as superuser is not recommended and won't be allowed in the future. Set 'allow_superuser' to 'false' to avoid startup errors in future releases.") | ||
deprecation_logger.deprecated("NOTICE: Running Logstash as superuser will be completely disallowed in future versions. " + | ||
"To prepare for this and avoid startup errors in future releases, it is strongly recommended to set 'allow_superuser' to false now " + | ||
@karenzone please also consider this message. Both deprecation logs can print together. |
||
"and adjust your configuration accordingly.") | ||
else | ||
raise(RuntimeError, "Logstash cannot be run as superuser.") | ||
end | ||
|
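Review bot: When `allow_superuser` is unset and its default is truthy, a root startup logs both `deprecated` messages, and they give opposite advice. The first, under `unless @settings.set?("allow_superuser")`, tells the operator to set 'allow_superuser' to true; the second, under `if setting("allow_superuser")`, strongly recommends setting it to false. The two texts also disagree on the end state: "disabled by default" from version 9 in the first, "completely disallowed in future versions" in the second. Suggest logging one message per state, for example emitting the NOTICE only when the setting was explicitly set, and aligning both texts on a single statement of the version 9 behaviour. A spec for the unset-as-root case would pin down which message is expected.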
I would simplify the statement a bit.
@karenzone could you suggest how to do the deprecation communication? We want to suggest that users set 'allow_superuser' to true now to prepare for the v9 upgrade. The setting is optional at this moment; I am not sure how to deliver the message.
@karenzone We are changing the behaviour when someone attempts to run Logstash as a superuser.
Running Logstash as a superuser is not recommended for security reasons, as it breaks the "Principle of Least Privilege", and increases any potential attack surface.
The current behaviour is to allow users to run as a superuser by default; adding a setting `allow_superuser:false` to lock that down has to be done specifically, potentially leading to a situation where Logstash could be run as root inadvertently. In `9.0`, we are going to switch the behaviour such that it has to be a conscious decision to allow Logstash to be run as a "superuser" that the user has to allow explicitly by setting `allow_superuser` to `true`.
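A pre-upgrade check for the default change described in the comment above, as an added example that is not part of the pull request or Logstash's own code. It models the gate as the comment states it (root allowed by default now, refused by default in 9.0) and reports whether a given `logstash.yml` would stop starting; the function names, outcome symbols and sample YAML are assumptions made for this illustration.

```ruby
require "yaml"

# Constructed sample settings files (not taken from the pull request).
SAMPLE_UNSET = "pipeline.workers: 2\n"
SAMPLE_TRUE  = "allow_superuser: true\n"
SAMPLE_FALSE = "allow_superuser: false\n"

# Model of the startup gate: default_allow is true for the current
# behaviour and false for the planned 9.0 behaviour described above.
def superuser_outcome(euid:, settings:, default_allow:)
  return :starts if euid != 0                 # the gate only concerns root
  explicit = settings.key?("allow_superuser")
  allowed  = explicit ? settings["allow_superuser"] : default_allow
  return :refuses_to_start unless allowed
  explicit ? :starts_as_root_explicit : :starts_as_root_by_default
end

# Evaluate one settings file under both defaults for a given effective uid.
def upgrade_report(yaml_text, euid)
  settings = YAML.safe_load(yaml_text) || {}  # empty file parses to nil/false
  now   = superuser_outcome(euid: euid, settings: settings, default_allow: true)
  after = superuser_outcome(euid: euid, settings: settings, default_allow: false)
  {
    now: now,
    after_9: after,
    # True only for instances that start today and would fail after upgrade.
    breaks_on_upgrade: now != :refuses_to_start && after == :refuses_to_start
  }
end

if __FILE__ == $PROGRAM_NAME
  { "unset" => SAMPLE_UNSET, "true" => SAMPLE_TRUE, "false" => SAMPLE_FALSE }.each do |name, text|
    puts "allow_superuser #{name}, euid 0: #{upgrade_report(text, 0)}"
  end
end
```

Only the unset-and-root case changes outcome across the two defaults, which is the case the new deprecation warning is meant to surface.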
Thanks for the ping and clarification, @kaisecheng and @robbavey. I'll take a look.
Thanks for the question and the additional clarification. It seems like @mashhurs is on the right track with his suggestion. I started with his suggestion and iterated on it.
Does this achieve your goals:
"Starting from version 9, running with superuser privileges is not permitted unless you explicitly set 'allow_superuser' to true, thereby acknowledging the possible security risks."
If not, please let me know and we'll get it right.