[LEDE-DEV] running stuff as !root
David Lang
david at lang.hm
Tue May 17 23:08:08 PDT 2016
On Wed, 18 May 2016, John Crispin wrote:
> Hi,
>
> we had previously started building the infra for running stuff as !root.
> so far we have added
>
> * the userid/gid stuff
> * acl on ubus
>
> things that i know are missing
>
> * handling network ports < 1024
>
> what am i missing ? can anyone think of other issues we need to address
> before we change uid to !root ?
what things are you trying to run as !root?
just changing everything to run as user lede (uid 1) instead of root (uid 0)
doesn't actually buy much, especially if user lede is able to administer things
https://xkcd.com/1200/
you want to end up running different types of things as different users, and
there the permissions get more 'interesting'
there is a capability you can give to binaries to let them bind to ports < 1024,
there is also a proc setting you can use to let anything bind to ports < 1024.
There are various other things that will require capabilities to work (including
some versions of ping and traceroute), but it's a matter of fixing them as you
bump into them.
don't try to make everything run as the same !root user, migrate things one (or
at least one category) at a time.
David Lang
More information about the Lede-dev
mailing list