Security Dependencies

22 May 2023

Installing the Template Builder Security Configuration

To install and configure Template Builder security dependencies:

  1. Make sure the following shell utilities are installed. These are all likely to be installed already.

    yum -y install sudo glibc-common coreutils
    
  2. Verify the user used to run the server (usually pronghorn) is permitted to run sudo chroot without a password prompt. An example command which accomplishes this is shown below, but the system administrator is expected to tailor these commands to their needs. As long as the server is permitted to run chroot through sudo without a password prompt, Template Builder can sandbox Jinja2 template execution.

    echo "pronghorn ALL=(ALL) NOPASSWD: $(command -v chroot)" >> /etc/sudoers.d/itential
    
  3. Make sure Template Builder is permitted to copy in all dependencies required by Python. These dependencies are those output by the ldd command, as well as all paths in Python's internal sys.path constant. If file permissions prevent Template Builder from copying these files into its chroot jail directory, Python will not be able to execute within the sandbox subshell and Template Builder will fall back to executing in insecure mode.
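The three install steps above amount to a preflight check: the utilities exist, the service user may run chroot through sudo without a prompt, and every file the jail needs is readable. The script below is an added example, not Itential's own code; it parses `ldd` output, lists the interpreter's libraries plus `sys.path`, and reports anything the sandbox could not copy. The function names and the sample `ldd` output are assumptions constructed for illustration, and the `sudo -n -l` probe only says something useful on a host with a real sudoers policy.

```python
"""Preflight check for Template Builder's chroot sandbox dependencies.

Added example, not Itential's code. Mirrors the install steps on the page:
required utilities present, `sudo chroot` allowed without a password for the
service user, and the files the jail copies (shared libraries `ldd` reports
for the Python binary plus every `sys.path` entry) readable by this process.
"""
import os
import re
import shutil
import subprocess
import sys

# `sudo` and `chroot` come from the sudo and coreutils packages named on the page.
REQUIRED_UTILITIES = ("sudo", "chroot")

# ldd prints "<name> => <path> (<addr>)" for resolved libraries and
# "<path> (<addr>)" for the dynamic loader; vdso lines carry no path.
_LDD_LINE = re.compile(r"^\s*(?:\S+\s+=>\s+)?(/\S+)\s+\(0x[0-9a-f]+\)")

# Constructed sample of ldd output, used only so the script runs offline.
SAMPLE_LDD = (
    "\tlinux-vdso.so.1 (0x00007ffd1e5f0000)\n"
    "\tlibpython3.11.so.1.0 => /usr/lib64/libpython3.11.so.1.0 (0x00007f1a2c000000)\n"
    "\t/lib64/ld-linux-x86-64.so.2 (0x00007f1a2c600000)\n"
)


def parse_ldd(output: str) -> list[str]:
    """Return the absolute library paths named in ldd output.

    Lines without a file on disk ('linux-vdso.so.1 (...)', 'statically linked')
    are skipped because there is nothing to copy into the jail for them.
    """
    paths = []
    for line in output.splitlines():
        m = _LDD_LINE.match(line)
        if m:
            paths.append(m.group(1))
    return paths


def missing_utilities(names=REQUIRED_UTILITIES) -> list[str]:
    """Names from `names` that cannot be found on PATH."""
    return [n for n in names if shutil.which(n) is None]


def unreadable(paths) -> list[str]:
    """Paths that do not exist or that this process cannot read.

    Any entry here is a file Template Builder could not copy into the chroot
    directory, which is exactly the condition that triggers insecure mode.
    """
    return [p for p in paths if not os.access(p, os.R_OK)]


def sandbox_files_for_python(python: str = sys.executable) -> list[str]:
    """Everything the jail needs: ldd libraries of the interpreter plus sys.path."""
    ldd = subprocess.run(["ldd", python], capture_output=True, text=True, check=False)
    libs = parse_ldd(ldd.stdout) if ldd.returncode == 0 else []
    # sys.path may contain '' (current directory); drop it, keep real entries.
    return libs + [p for p in sys.path if p]


def can_sudo_chroot_without_password() -> bool:
    """True if `sudo chroot` is allowed for this user without a password prompt.

    `sudo -n -l <command>` exits 0 only when the policy permits the command
    and no password would be requested; -n makes it fail instead of prompting.
    """
    chroot = shutil.which("chroot")
    if chroot is None or shutil.which("sudo") is None:
        return False
    probe = subprocess.run(["sudo", "-n", "-l", chroot, "/"],
                           capture_output=True, check=False)
    return probe.returncode == 0


if __name__ == "__main__":
    print("missing utilities:", missing_utilities() or "none")
    print("sudo chroot without password:", can_sudo_chroot_without_password())
    print("sample ldd paths:", parse_ldd(SAMPLE_LDD))
    bad = unreadable(sandbox_files_for_python())
    print("unreadable sandbox inputs:", bad or "none")
```

Run it as the service user (the page's example uses pronghorn), not as root: root can read everything, so a root run would hide exactly the permission problems step 3 warns about.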

Testing the Template Builder Security Configuration

To test the Template Builder security configuration:

  1. Ensure IAP is running.
  2. Examine the logs. Template Builder will report that it is creating a sandbox directory for Jinja2 template execution, and when it is finished, it will report either the success or failure of the process. On the first run of the server, this will likely take several minutes, and Template Builder will report back to API requests that it is still initializing until it is finished.
  3. Once Template Builder has finished initializing the sandbox directory, run a Jinja2 template.
  4. Examine the server logs and look to make sure there are no warnings stating that Jinja2 execution is running in insecure mode.
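Steps 2 and 4 are a log review: sandbox creation is announced, then reported as a success or failure, and any fallback shows up as an insecure-mode warning. The scanner below is an added example, not part of Itential's product; the log line wording and the two sample logs are constructed for illustration, so the patterns must be adjusted to the text your server actually writes.

```python
"""Scan Template Builder server log lines for sandbox status.

Added example, not Itential's code. Message wording below is constructed;
adapt the regular expressions to the real log text before relying on them.
"""
import re
from typing import Iterable

SANDBOX_START = re.compile(r"creating sandbox directory", re.I)
SANDBOX_READY = re.compile(r"sandbox directory ready", re.I)
SANDBOX_FAIL = re.compile(r"sandbox directory creation failed:?\s*(?P<reason>.*)", re.I)
INSECURE = re.compile(r"insecure mode", re.I)


def scan_logs(lines: Iterable[str]) -> dict:
    """Summarise sandbox start/ready/failure and insecure-mode warnings."""
    report = {"sandbox_started": False, "sandbox_ready": False,
              "failures": [], "insecure_mode": []}
    for line in lines:
        if SANDBOX_START.search(line):
            report["sandbox_started"] = True
        if SANDBOX_READY.search(line):
            report["sandbox_ready"] = True
        m = SANDBOX_FAIL.search(line)
        if m:
            report["failures"].append(m.group("reason").strip())
        if INSECURE.search(line):
            report["insecure_mode"].append(line.strip())
    return report


def sandbox_is_secure(report: dict) -> bool:
    """The condition step 4 asks for: sandbox ready, no failure, no insecure-mode warning."""
    return (report["sandbox_ready"]
            and not report["failures"]
            and not report["insecure_mode"])


# Constructed sample logs (not real Template Builder output).
SAMPLE_OK = [
    "2023-05-22T10:00:01Z INFO TemplateBuilder: creating sandbox directory for Jinja2 template execution",
    "2023-05-22T10:03:40Z INFO TemplateBuilder: sandbox directory ready",
    "2023-05-22T10:05:12Z INFO TemplateBuilder: rendered template in sandbox",
]
SAMPLE_BAD = [
    "2023-05-22T10:00:01Z INFO TemplateBuilder: creating sandbox directory for Jinja2 template execution",
    "2023-05-22T10:00:09Z WARN TemplateBuilder: sandbox directory creation failed: cannot copy /usr/lib64/libpython3.11.so.1.0",
    "2023-05-22T10:05:12Z WARN TemplateBuilder: Jinja2 execution is running in insecure mode",
]

if __name__ == "__main__":
    for name, sample in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        rep = scan_logs(sample)
        print(name, "secure" if sandbox_is_secure(rep) else "NOT secure", rep)
```

In the failing case the captured reason names the file the jail could not copy, which points straight back to the file-permission requirement in step 3 of the install procedure.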
