Nomad: 'nomad alloc exec' with 'raw_exec' driver doesn't respect task 'user' field

Created on 28 Oct 2020 · 3 Comments · Source: hashicorp/nomad

Using the following jobspec with the user field on the task:

job "example" {
  datacenters = ["dc1"]
  # Nomad requires tasks to live inside a group; the group name matches
  # the allocation output below.
  group "task3" {
    task "task1" {
      user   = "nobody"
      driver = "raw_exec"
      config {
        command = "/bin/sh"
        args    = ["-c", "sleep 600"]
      }
    }
  }
}

The task runs as nobody, but nomad alloc exec is running as Nomad's user (root):

$ nomad job run ./example.nomad
==> Monitoring evaluation "d7265065"
    Evaluation triggered by job "example"
    Evaluation within deployment: "2f41957c"
    Allocation "07063d8a" created: node "6f2115ea", group "task3"
    Evaluation status changed: "pending" -> "complete"
==> Evaluation "d7265065" finished with status "complete"

$ nomad alloc exec 07063d8a whoami
root

$ nomad alloc logs c64d741d
nobody

Note that, because in clusters with ACLs this requires the highly privileged node-alloc-exec capability (which isn't included in the coarse-grained write capability and which is specifically warned about as breaking filesystem isolation), there's no privilege escalation available here. It is a surprising behavior and one we want to have fixed.

But I've also double-checked that drivers like exec still give you nobody when you nomad alloc exec and those are working as expected.

Labels: theme/driver/raw_exec, type/bug
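What the exec path is missing, shown as an added Go example (not Nomad's code): a helper that resolves the task's user and starts the session with that identity so it cannot inherit the agent's root. It assumes a Unix host, that the caller holds CAP_SETUID/CAP_SETGID (i.e. runs as root) to actually switch, and that `whoami` is on PATH; commandAsTaskUser and whoamiAs are hypothetical names.

```go
package main

import (
	"fmt"
	"log"
	"os/exec"
	"os/user"
	"strconv"
	"strings"
	"syscall"
)

// commandAsTaskUser builds an exec.Cmd that the kernel starts under the named
// account instead of the caller's identity, which is what an exec session must
// do to match the task. Hypothetical helper, not Nomad's code; Unix only.
func commandAsTaskUser(username, name string, args ...string) (*exec.Cmd, error) {
	u, err := user.Lookup(username)
	if err != nil {
		return nil, fmt.Errorf("resolving task user %q: %w", username, err)
	}
	uid, errU := strconv.ParseUint(u.Uid, 10, 32)
	gid, errG := strconv.ParseUint(u.Gid, 10, 32)
	if errU != nil || errG != nil {
		return nil, fmt.Errorf("non-numeric uid/gid for %q", username)
	}
	cmd := exec.Command(name, args...)
	// Credential makes the child setgid/setuid before exec; needs CAP_SETUID/SETGID.
	cmd.SysProcAttr = &syscall.SysProcAttr{
		Credential: &syscall.Credential{Uid: uint32(uid), Gid: uint32(gid)},
	}
	return cmd, nil
}

// whoamiAs runs `whoami` under username, the check the report above did by hand.
func whoamiAs(username string) (string, error) {
	cmd, err := commandAsTaskUser(username, "whoami")
	if err != nil {
		return "", err
	}
	out, err := cmd.Output()
	return strings.TrimSpace(string(out)), err
}

func main() {
	got, err := whoamiAs("nobody")
	if err != nil {
		log.Fatal(err) // fails unless run with privileges to switch to "nobody"
	}
	fmt.Println(got) // "nobody", the task's user, once the session drops privileges
}
```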

All 3 comments

Can you please also support setting the user in Windows?

Please note that in Windows, you also need to define the password.

It would also be pretty interesting to support Group Managed Service Accounts and Local Service Accounts (these do not have a user-managed password and, as such, are more convenient to use). Please note these require the application to run (or be wrapped) as a Windows service.

Can you please also support setting the user in Windows?

@rgl your suggestion looks unrelated to this issue, which is about the nomad alloc exec command specifically. If you have a feature request, open a new issue for that please.
