On Wed, 18 May 2016, John Crispin wrote:

> Hi,
>
> we had previously started building the infra for running stuff as !root.
> so far we have added
>
> * the userid/gid stuff
> * acl on ubus
>
> things that i know are missing
>
> * handling network ports < 1024
>
> what am i missing ? can anyone think of other issues we need to address
> before we change uid to !root ?

what things are you trying to run as !root?

just changing everything to run as user lede (uid 1) instead of root (uid 0) doesn't actually buy much, especially if user lede is able to administer things https://xkcd.com/1200/

you want to end up running different types of things as different users, and there the permissions get more 'interesting'

there is a capability you can give to binaries to let them bind to ports < 1024, there is also a proc setting you can use to let anything bind to ports < 1024.

There are various other things that will require capabilities to work (including some versions of ping and traceroute), but it's a matter of fixing them as you bump into them.

don't try to make everything run as the same !root user, migrate things one (or at least one category) at a time.

David Lang

_______________________________________________
Lede-dev mailing list
Lede-dev@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/lede-dev
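
An added example, not part of the original message: when migrating daemons one at a time as suggested above, this POSIX sh helper reads `/proc/PID/status` and reports the effective uid and whether the process holds `CAP_NET_BIND_SERVICE` (ports < 1024) or `CAP_NET_RAW` (raw sockets, as used by some ping/traceroute builds). The daemon names and status lines are constructed samples, and the function names are hypothetical.

```shell
#!/bin/sh
# Capability bit numbers as defined in <linux/capability.h>.
CAP_NET_BIND_SERVICE=10   # bind to ports < 1024
CAP_NET_RAW=13            # raw sockets, needed by some ping/traceroute builds

# has_cap HEXMASK BIT: succeeds if BIT is set in the capability mask.
has_cap() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# audit_status: read /proc/PID/status-style text on stdin and print one line:
#   NAME euid=N caps=LIST other=0xHEX
# "other" is every effective capability bit beyond the two named above,
# so a correctly confined daemon should show other=0x0.
audit_status() (
    name='?' euid='?' capeff=0
    while read -r key v1 v2 rest; do
        case "$key" in
            Name:)   name=$v1 ;;
            Uid:)    euid=$v2 ;;    # fields: real, effective, saved, fs
            CapEff:) capeff=$v1 ;;
        esac
    done
    caps=
    if has_cap "$capeff" "$CAP_NET_BIND_SERVICE"; then caps=net_bind_service; fi
    if has_cap "$capeff" "$CAP_NET_RAW"; then caps=${caps:+$caps,}net_raw; fi
    named=$(( (1 << CAP_NET_BIND_SERVICE) | (1 << CAP_NET_RAW) ))
    other=$(( 0x$capeff & ~named ))
    printf '%s euid=%s caps=%s other=0x%x\n' "$name" "$euid" "${caps:-none}" "$other"
)

# Constructed samples (not captured from a real system): a web daemon moved to
# uid 1 holding only CAP_NET_BIND_SERVICE, and a daemon still running as root.
sample_dropped() { printf 'Name:\twebd\nUid:\t1\t1\t1\t1\nCapEff:\t0000000000000400\n'; }
sample_root()    { printf 'Name:\tlegacyd\nUid:\t0\t0\t0\t0\nCapEff:\t0000003fffffffff\n'; }

sample_dropped | audit_status
sample_root | audit_status
# On a live system: audit_status < /proc/PID/status
```

A non-zero `other` value on a process that is supposed to be unprivileged means it kept more than it needs and is worth a closer look.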
