Page MenuHomePhorge
Create Task
Maniphest T971

setuid/setgid effective permissions for running process(es)
Open, NormalPublic
Actions

Description

Guam is currently started as root, because the filesystem POSIX permissions on certificates, and the ports to which to bind to, are privileged.

The intention is to read in the certificates and keys with privileges, at startup, bind to the necessary ports, and drop privileges handling the actual connections.

In another model (httpd), the listener process maintain their privileges so they are the only processes eligible to write to log files (and not the individual child process that serves the visitor request).

Details

Ticket Type
Task

Related Objects
Search...

Event Timeline

vanmeeuwen created this task.Feb 2 2016, 2:05 PM
vanmeeuwen raised the priority of this task from to 60.
vanmeeuwen updated the task description. (Show Details)
vanmeeuwen added projects: Guam, Kolab 16, Winterfell.
vanmeeuwen changed Ticket Type from Task to Task.
vanmeeuwen subscribed.
vanmeeuwen mentioned this in rGf917c2cceb2c: Stop switching to user/group guam. Ref. T971.Feb 2 2016, 2:07 PM
vanmeeuwen mentioned this in rGbdea873af6dd: Stop switching to user/group guam. Ref. T971.
vanmeeuwen added a parent task: T995: Run Guam in Beta.Feb 24 2016, 7:54 AM
eliasp subscribed.Mar 3 2016, 8:48 AM

Wouldn't it make more sense to use [CapabilityBoundingSet=](https://www.freedesktop.org/software/systemd/man/systemd.exec.html#CapabilityBoundingSet=) instead and keep it running as guam user?

An alternative could be to use setcap instead of suid - suid is a rather "brute-force" approach which has to rely on the process properly dropping its privileges on its own, while CapabilityBoundingSet=/setcap allow to selectively assign privileges to a binary (setcap) or process (CapabilityBoundingSet=).

vanmeeuwen added a project: Kolab Enterprise 14 - Extras Audit.Mar 10 2016, 3:50 PM
seigo mentioned this in rG9d56223f2e77: Stop switching to user/group guam. Ref. T971.Jun 7 2016, 4:40 PM
seigo moved this task from Backlog to Pending on the Guam board.Dec 13 2016, 2:01 PM
pasik subscribed.Nov 25 2017, 2:40 PM
vanmeeuwen lowered the priority of this task from 60 to Normal.Mar 28 2019, 8:13 AM