Merge pull request #3785 from sergey-v-galtsev/match-process-euid-against-data-owner

Match the process' effective user id against the data owner at the server startup.

dbms/programs/server/Server.cpp

@@ -2,7 +2,11 @@
 
 #include <memory>
 #include <sys/resource.h>
+#include <sys/stat.h>
+#include <sys/types.h>
 #include <errno.h>
+#include <pwd.h>
+#include <unistd.h>
 #include <Poco/Version.h>
 #include <Poco/DirectoryIterator.h>
 #include <Poco/Net/HTTPServer.h>
@@ -70,6 +74,8 @@ namespace ErrorCodes
     extern const int EXCESSIVE_ELEMENT_IN_CONFIG;
     extern const int INVALID_CONFIG_PARAMETER;
     extern const int SYSTEM_ERROR;
+    extern const int FAILED_TO_GETPWUID;
+    extern const int MISMATCHING_USERS_FOR_PROCESS_AND_DATA;
 }
 
 
@@ -83,6 +89,26 @@ static std::string getCanonicalPath(std::string && path)
     return std::move(path);
 }
 
+static std::string getUserName(uid_t user_id)
+{
+    /// Try to convert user id into user name.
+    auto buffer_size = sysconf(_SC_GETPW_R_SIZE_MAX);
+    if (buffer_size <= 0)
+        buffer_size = 1024;
+    std::string buffer;
+    buffer.reserve(buffer_size);
+
+    struct passwd passwd_entry;
+    struct passwd * result = nullptr;
+    const auto error = getpwuid_r(user_id, &passwd_entry, buffer.data(), buffer_size, &result);
+
+    if (error)
+        throwFromErrno("Failed to find user name for " + toString(user_id), ErrorCodes::FAILED_TO_GETPWUID, error);
+    else if (result)
+        return result->pw_name;
+    return toString(user_id);
+}
+
 void Server::uninitialize()
 {
     logger().information("shutting down");
@@ -166,6 +192,27 @@ int Server::main(const std::vector<std::string> & /*args*/)
     std::string path = getCanonicalPath(config().getString("path", DBMS_DEFAULT_PATH));
     std::string default_database = config().getString("default_database", "default");
 
+    /// Check that the process' user id matches the owner of the data.
+    const auto effective_user_id = geteuid();
+    struct stat statbuf;
+    const auto effective_user = getUserName(effective_user_id);
+    if (stat(path.c_str(), &statbuf) == 0 && effective_user_id != statbuf.st_uid)
+    {
+        const auto effective_user = getUserName(effective_user_id);
+        const auto data_owner = getUserName(statbuf.st_uid);
+        std::string message = "Effective user of the process (" + effective_user +
+            ") does not match the owner of the data (" + data_owner + ").";
+        if (effective_user_id == 0)
+        {
+            message += " Run under 'sudo -u " + data_owner + "'.";
+            throw Exception(message, ErrorCodes::MISMATCHING_USERS_FOR_PROCESS_AND_DATA);
+        }
+        else
+        {
+            LOG_WARNING(log, message);
+        }
+    }
+
     global_context->setPath(path);
 
     /// Create directories for 'path' and for default database, if not exist.

dbms/src/Common/ErrorCodes.cpp

@@ -403,6 +403,8 @@ namespace ErrorCodes
     extern const int NULL_POINTER_DEREFERENCE = 426;
     extern const int CANNOT_COMPILE_REGEXP = 427;
     extern const int UNKNOWN_LOG_LEVEL = 428;
+    extern const int FAILED_TO_GETPWUID = 429;
+    extern const int MISMATCHING_USERS_FOR_PROCESS_AND_DATA = 430;
 
     extern const int KEEPER_EXCEPTION = 999;
     extern const int POCO_EXCEPTION = 1000;

dbms/tests/integration/test_match_process_uid_against_data_owner/configs/config.xml

@@ -0,0 +1,17 @@
+<?xml version="1.0"?>
+<yandex>
+    <logger>
+        <log>/var/log/clickhouse-server/log.log</log>
+        <errorlog>/var/log/clickhouse-server/clickhouse-server.err.log</errorlog>
+        <stderr>/var/log/clickhouse-server/stderr.log</stderr>
+        <stdout>/var/log/clickhouse-server/stdout.log</stdout>
+    </logger>
+
+    <tcp_port>9000</tcp_port>
+    <listen_host>127.0.0.1</listen_host>
+
+    <path>/var/lib/clickhouse/</path>
+
+    <mark_cache_size>5368709120</mark_cache_size>
+    <users_config>users.xml</users_config>
+</yandex>

dbms/tests/integration/test_match_process_uid_against_data_owner/configs/users.xml

@@ -0,0 +1,7 @@
+<?xml version="1.0"?>
+<yandex>
+    <profiles>
+        <default>
+        </default>
+    </profiles>
+</yandex>

dbms/tests/integration/test_match_process_uid_against_data_owner/test.py

@@ -0,0 +1,37 @@
+import docker
+import os
+import pwd
+import pytest
+import re
+
+from helpers.cluster import ClickHouseCluster, CLICKHOUSE_START_COMMAND
+
+
+def test_different_user():
+    current_user_id = os.getuid()
+
+    if current_user_id != 0:
+        return
+
+    other_user_id = pwd.getpwnam('nobody').pw_uid
+
+    cluster = ClickHouseCluster(__file__)
+    node = cluster.add_instance('node')
+
+    cluster.start()
+
+    docker_api = docker.from_env().api
+    container = node.get_docker_handle()
+    container.stop()
+    container.start()
+    container.exec_run('chown {} /var/lib/clickhouse'.format(other_user_id), privileged=True)
+    container.exec_run(CLICKHOUSE_START_COMMAND)
+
+    cluster.shutdown() # cleanup
+
+    with open(os.path.join(node.path, 'logs/clickhouse-server.err.log')) as log:
+        expected_message = "Effective user of the process \(.*\) does not match the owner of the data \(.*\)\. Run under 'sudo -u .*'\."
+        last_message = log.readlines()[-1].strip()
+
+        if re.search(expected_message, last_message) is None:
+            pytest.fail('Expected the server to fail with a message "{}", but the last message is "{}"'.format(expected_message, last_message))