Hi Simon,

Simon Hobson writes:

> Olaf Meeuwissen <paddy-h...@member.fsf.org> wrote:
>
>> No idea whether systemd services run by non-system users makes sense but
>> then again, lots of systemd probably doesn't make much sense.
>
> Do you mean "systemd service" as in "something that's part of
> systemd"; or do you mean "something that's run by systemd" ? Assuming
> the latter, doesn't lots of software run as non-system users - as a
> basic part of good security practice ?

You assumed correctly. Upon re-reading this myself, I agree I wasn't
being very clear. Sorry.

> I know some stuff (postfix, apache) starts as root and then drops
> privileges for some/all of itself. Others just start as a
> non-privileged user to start with (BIND) - is this actually done in
> the script when using sysv, or does the daemon have to do it itself ?
> I admit I only have a basic grasp of the details here.

How this is done depends on the service. Some services actually need
root privileges for a few things, e.g. binding to a port < 1024.

The system users I was thinking of are the ones created with

  adduser --system

These aren't that different from "normal" users but typically have a
UID in a certain range and are, by default, put in the nogroup. All
these things *are* configurable btw and you can still force stuff (just
open /etc/passwd et al. with your favourite text editor). So any kind
of relying on certain "policies" being adhered to is winging it.

> But thinking a bit more about the issue ...
> Yes, this is a bug, and yes it shows the systemd people (especially
> LP) up for the disdain they show for the basics of security,
> good/defensive programming, etc.
> But, sysv-init has much the same issue in that there's a shell script
> run as root,

I beg to differ. If you try to run a service as user '0day' from a
sysv-init script, then you get the behaviour implemented by

- that service, if it has provisions for running as a certain user
- the wrapper that handles running something as a certain user, e.g.
  start-stop-daemon

I don't know what that behaviour is but sure hope it won't decide to
run as root if you try to run something with a "funny" name.

> and if the user is able to manipulate that then he is able to do
> things he shouldn't be able to. Playing devil's advocate, there's an
> argument that the "complexity" of typical sysv scripts (at least as
> shipped with distros like Debian) makes it a non-trivial task to spot
> something slipped into the script.

Perhaps the complexity came about as the result of trying to make one
size fit all init systems or maybe over-engineering but, to be honest,
I don't find the 65 /etc/init.d/* files (not counting README and
skeleton) on my system to be too complex.

Hope this helps,
--
Olaf Meeuwissen, LPIC-2 FSF Associate Member since 2004-01-27
GnuPG key: F84A2DD9/B3C0 2F47 EA19 64F4 9F13 F43E B8A4 A88A F84A 2DD9
Support Free Software https://my.fsf.org/donate
Join the Free Software Foundation https://my.fsf.org/join
_______________________________________________
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
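An added example (editor's code, not from the thread and not start-stop-daemon's own implementation) of the fail-closed behaviour Olaf hopes a wrapper has: the requested user is validated and resolved up front, and the wrapper refuses to start, rather than falling back to root, when the name is syntactically odd (such as '0day') or unknown. The name-syntax rule and the function names are assumptions made for the illustration.

```python
import os
import pwd
import re

# Portable POSIX user-name syntax: a letter or underscore first, then up to
# 31 letters, digits, '_' or '-', optionally a trailing '$'.  This is an
# assumption about what the wrapper should accept, not start-stop-daemon's
# own rule; it rejects '0day' before any passwd lookup happens.
_NAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}\$?$")


class RunAsError(Exception):
    """The requested user cannot be resolved; the caller must not proceed."""


def is_valid_user_name(name):
    """Syntactic check only; no lookup is performed."""
    return isinstance(name, str) and _NAME_RE.match(name) is not None


def resolve_run_as(name):
    """Return (uid, gid) for *name* or raise RunAsError.

    There is deliberately no fallback: an invalid or unknown name is an
    error, so a typo or a "funny" name can never end up meaning uid 0.
    """
    if not is_valid_user_name(name):
        raise RunAsError(f"refusing to run as syntactically invalid user {name!r}")
    try:
        entry = pwd.getpwnam(name)
    except KeyError:
        raise RunAsError(f"refusing to run as unknown user {name!r}") from None
    return entry.pw_uid, entry.pw_gid


def drop_privileges(name):
    """Switch this process to *name*; call while still root, before exec.

    Groups are changed first because after setuid() they can no longer be.
    The final check turns a silently failed drop into a hard error.
    """
    uid, gid = resolve_run_as(name)
    os.initgroups(name, gid)  # replace root's supplementary groups
    os.setgid(gid)
    os.setuid(uid)
    if (os.getuid(), os.geteuid(), os.getgid()) != (uid, uid, gid):
        raise RunAsError(f"privilege drop to {name!r} did not take effect")
```

drop_privileges() needs root to succeed, which is why the decision logic lives in resolve_run_as() and can be exercised as an unprivileged user.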