[LEDE-DEV] running stuff as !root
Radu Anghel
eu at smellmysocks.net
Wed May 18 01:53:27 PDT 2016
On Wed, May 18, 2016 at 9:25 AM, John Crispin <john at phrozen.org> wrote:
>
> to elaborate, imagine dnsmasq running inside a jail where it only
> thinks it is root but is not in reality. also ld-preloading bind and
> connect would allow us to do pretty advanced stuff like only allowing
> dnsmasq to open certain ports. essentially an acl around the
> bind/connect calls.
>
Doing this with an in-house developed daemon would introduce another
SPOF in the same way as running everything with the same non-root user.
Imagine a security issue in such a daemon, it would affect *all*
daemons running through it.
This would also duplicate existing functionality (the code for
dropping privileges to a preconfigured user already exists in most
daemons, it is compiled in, as there is no --without-privileges-code
./configure option). Implementing different users with this approach
can be done in a few easy steps with minor to no added overhead:
step 1. add users to /etc/passwd (in the pre/post-install script
probably, trying to use same uid/gid as major distributions would be
nice)
step 2. add config option for user/group in the relevant /etc/config/ file
step 3. modify startup script to use the user/group options when
generating daemon config file
step 4. ???
step 5. PROFIT!
I understand there are trust issues about this functionality (don't
trust that the daemon really dropped all privileges), in such a case I
would use SELinux. SELinux can be enabled as "permissive" until a
proper policy is created for everything.
There are also other things to consider, because this is supposed to
run on embedded devices with as little as 4M of flash space:
- SELinux would increase kernel size, thus making it hard to fit
inside the flash, or even bigger than the fixed kernel partition for
some devices.
- jails, containers and other options discussed require more
memory/CPU/flash space than is probably available on said devices.
Radu
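The steps above as a runnable sketch. This is an added example, not LEDE's init script or dnsmasq's own code: file paths are parameters so it runs in a scratch directory instead of /etc, the option names `user`/`group` under a `config dnsmasq` section are assumed (a real init script would read them with `uci get` rather than the small awk reader here), uid/gid 453 is an arbitrary choice, and the sample /etc/config fragment is constructed for the example. It also includes the check for the trust issue mentioned above: read the `Uid:` line of /proc/PID/status and confirm all four fields (real, effective, saved, filesystem) equal the unprivileged uid, so a daemon that only changed its effective uid does not pass.

```shell
#!/bin/sh
# Added example (not LEDE/dnsmasq code). Walks the procedure:
#   step 1  add an unprivileged user/group record (idempotent)
#   step 2  read user/group from a uci-style /etc/config file
#   step 3  render the daemon config with user=/group= so the daemon
#           drops privileges itself (dnsmasq honours both keys)
# and adds the verification step: every Uid field in /proc/PID/status
# must be the expected uid. Option names and uid 453 are assumptions.

# Step 1: append passwd/group records only if the name is not present.
add_system_user() {
    passwd=$1 group=$2 name=$3 uid=$4 gid=$5
    grep -q "^$name:" "$group" 2>/dev/null ||
        printf '%s:x:%s:\n' "$name" "$gid" >>"$group"
    grep -q "^$name:" "$passwd" 2>/dev/null ||
        printf '%s:x:%s:%s:%s:/var/run/%s:/bin/false\n' \
            "$name" "$uid" "$gid" "$name" "$name" >>"$passwd"
}

# Step 2: minimal reader for "config <type>" / "option <name> '<v>'"
# files, a stand-in for `uci get` so the example runs without uci.
uci_get() {
    file=$1 type=$2 opt=$3 def=$4
    val=$(awk -v t="$type" -v o="$opt" '
        $1 == "config" { insec = ($2 == t); next }
        insec && $1 == "option" && $2 == o { print $3; exit }
    ' "$file")
    case $val in
        \'*\') val=${val#\'}; val=${val%\'} ;;
        \"*\") val=${val#\"}; val=${val%\"} ;;
    esac
    printf '%s\n' "${val:-$def}"
}

# Step 3: the generated daemon config. dnsmasq parses user= and group=
# and switches to them itself after binding its sockets as root.
render_dnsmasq_conf() {
    user=$1 group=$2 out=$3
    printf 'user=%s\ngroup=%s\n' "$user" "$group" >"$out"
}

# The check: all four Uid fields (real, effective, saved, fs) must equal
# the unprivileged uid; a stale saved uid of 0 would let the daemon
# regain root. Reads status text from stdin so it works on a captured
# /proc/PID/status as well as a live pid (see check_pid).
uid_fully_dropped() {
    awk -v e="$1" '
        $1 == "Uid:" { ok = ($2 == e && $3 == e && $4 == e && $5 == e) }
        END { exit ok ? 0 : 1 }'
}
check_pid() { uid_fully_dropped "$2" </proc/"$1"/status; }

# Run the whole procedure against a constructed config in a temp dir.
demo() {
    dir=$(mktemp -d)
    printf "config dnsmasq\n\toption domainneeded '1'\n\toption user 'dnsmasq'\n\toption group 'dnsmasq'\n" >"$dir/dhcp"
    add_system_user "$dir/passwd" "$dir/group" dnsmasq 453 453
    u=$(uci_get "$dir/dhcp" dnsmasq user nobody)
    g=$(uci_get "$dir/dhcp" dnsmasq group nogroup)
    render_dnsmasq_conf "$u" "$g" "$dir/dnsmasq.conf"
    cat "$dir/passwd" "$dir/dnsmasq.conf"
    rm -rf "$dir"
}
```

Calling `demo` prints the passwd record and the two generated config lines; after the daemon is started, `check_pid "$(pidof dnsmasq)" 453` is the part worth wiring into a test rather than taking the daemon's word for it.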