[LEDE-DEV] running stuff as !root

[David Lang]

On Wed, 18 May 2016, John Crispin wrote:

> On 18/05/2016 08:08, David Lang wrote:
>> On Wed, 18 May 2016, John Crispin wrote:
>>
>>> Hi,
>>>
>>> we had previously started building the infra for running stuff as !root.
>>> so far we have added
>>>
>>> * the userid/gid stuff
>>> * acl on ubus
>>>
>>> things that i know are missing
>>>
>>> * handling network ports < 1024
>>>
>>> what am i missing ? can anyone think of other issues we need to address
>>> before we change uid to !root ?
>>
>> what things are you trying to run as !root?
>
> services and daemons obviously
>
>> just changing everything to run as user lede (uid 1) instead of root
>> (uid 0) doesn't actually buy much, especially if user lede is able to
>> administer things https://xkcd.com/1200/
>>
>> you want to end up running different types of things as different users,
>> and there the permissions get more 'interesting'
>
> thanks for the pointer, that was totally not obvious at all ...
>
>> there is a capability you can give to binaries to let them bind to ports
>> < 1024, there is also a proc setting you can use to let anything bind to
>> ports < 1024.
>
> ok, there had been some discussion about building a super daemon that
> runs, then ld-preloading bind() and co and using ubus to transport
> sockets around. using caps or /proc sounds like a good i between until
> such a daemon exists
>
>>
>> There are various other things that will require capabilities to work
>> (including some versions of ping and traceroute), but it's a matter of
>> fixing them as you bump into them.
>
> yes, but i'll try those on my journey.
>
>> don't try to make everything run as the same !root user, migrate things
>> one (or at least one category) at a time.
>
> thanks for the pointer, that was totally not obvious at all ...

I've seen a lot of professional security peopel fall into these traps, they 
aren't obvious to everyone.

David Lang