Author: Olaf Meeuwissen
Date:  
To: Simon Hobson
CC: dng
Subject: Re: [DNG] systemd allows elevated access from unit files?
Hi Simon,

Simon Hobson writes:

> Olaf Meeuwissen <paddy-hack@???> wrote:
>
>> No idea whether systemd services run by non-system users makes sense but
>> then again, lots of systemd probably doesn't make much sense.
>
> Do you mean "systemd service" as in "something that's part of
> systemd"; or do you mean "something that's run by systemd" ? Assuming
> the latter, doesn't lots of software run as non-system users - as a
> basic part of good security practice ?

You assumed correctly. Upon re-reading this myself, I agree I wasn't
being very clear. Sorry.

> I know some stuff (postfix, apache) starts as root and then drops
> privileges for some/all of itself. Others just start as a
> non-privileged user to start with (BIND) - is this actually done in
> the script when using sysv, or does the daemon have to do it itself ?
> I admit I only have a basic grasp of the details here.

How this is done depends on the service. Some services actually need
root privileges for a few things, e.g. binding to a port < 1024.

The system users I was thinking of are the ones created with

adduser --system

These aren't that different from "normal" users but typically have a UID
in a certain range and are, by default, put in the nogroup. All these
things *are* configurable btw and you can still force stuff (just open
/etc/passwd et al. with your favourite text editor). So any kind of
relying on certain "policies" being adhered to is winging it.

> But thinking a bit more about the issue ...
> Yes, this is a bug, and yes it shows the systemd people (especially
> LP) up for the disdain they show for the basics of security,
> good/defensive programming, etc.

> But, sysv-init has much the same issue in that there's a shell script
> run as root,

I beg to differ. If you try to run a service as user '0day' from a
sysv-init script, then you get the behaviour implemented by

- that service if it has provisions for running as a certain user
- the wrapper that handles running something as a certain user,
e.g. start-stop-daemon

I don't know what that behaviour is but sure hope it won't decide to
run as root if you try to run something with a "funny" name.

> and if the user is able to manipulate that then he is able to do
> things he shouldn't be able to. Playing devil's advocate, there's an
> argument that the "complexity" of typical sysv scripts (at least as
> shipped with distros like Debian) makes it a non-trivial task to spot
> something slipped into the script.

Perhaps the complexity came about as the result of trying to make one
size fit all init systems or maybe over-engineering but, to be honest, I
don't find the 65 /etc/init.d/* files (not counting README and skeleton)
on my system to be too complex.

Hope this helps,
--
Olaf Meeuwissen, LPIC-2            FSF Associate Member since 2004-01-27
 GnuPG key: F84A2DD9/B3C0 2F47 EA19 64F4 9F13  F43E B8A4 A88A F84A 2DD9
 Support Free Software                        https://my.fsf.org/donate
 Join the Free Software Foundation              https://my.fsf.org/join
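As an added illustration of the fail-closed behaviour discussed above (a wrapper that refuses to start rather than ending up as root when the configured user name does not resolve), here is a small sysv-style helper. It is not code from the thread, from start-stop-daemon or from any distribution init script; the user name "0day" is the constructed example from the discussion, and the daemon path is a placeholder.

```shell
#!/bin/sh
# Added example, not part of the original thread: resolve the configured
# service user before handing off to start-stop-daemon, and fail closed if
# the name does not map to an existing account.

# Print the numeric UID for a user name. Returns non-zero if the name is not
# an existing account, or if it resolves to UID 0 without "root" having been
# asked for explicitly (a privilege-dropping daemon must never land on UID 0
# by accident).
resolve_service_user() {
    user="$1"
    uid=$(id -u "$user" 2>/dev/null) || return 1
    if [ "$uid" = "0" ] && [ "$user" != "root" ]; then
        return 1
    fi
    printf '%s\n' "$uid"
}

# Start $daemon as $user via start-stop-daemon, or refuse with exit code 2.
# The daemon path passed in is a placeholder chosen by the caller.
start_as_service_user() {
    daemon="$1"
    user="$2"
    if ! uid=$(resolve_service_user "$user"); then
        echo "refusing to start $daemon: user '$user' does not resolve" >&2
        return 2
    fi
    echo "starting $daemon as uid $uid ($user)"
    start-stop-daemon --start --chuid "$user" --exec "$daemon"
}

# Demonstration with the constructed name from the thread: the wrapper
# refuses instead of silently running the daemon as root.
start_as_service_user /usr/sbin/example-daemon 0day
```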