Univention Bugzilla – Bug 48604
univention-management-console-server runs as root
Last modified: 2023-06-09 16:40:08 CEST
Running network-facing services needlessly as user "root" is a CWE-272 violation of the "Principle of least privilege".

# lsof -u 0 -a -i
COMMAND     PID   USER  FD  TYPE  DEVICE   SIZE/OFF  NODE  NAME
...
univentio  18511  root  10u IPv4  3824598  0t0       TCP   localhost:8090 (LISTEN)
# ps wwwu 18511
USER  PID    %CPU  %MEM  VSZ      RSS    TTY  STAT  START  TIME  COMMAND
root  18511  0.1   3.6   1319264  37040  ?    Sl    Feb02  5:31  /usr/bin/python2.7 /usr/sbin/univention-management-console-web-server start

This is less critical as the service is only bound to "localhost".

My understanding is
- that the service only bridges between the apache2 frontend and the u-m-c-server backend.
- that it does not open any privileged files or ports (except /etc/machine.secret to establish an LDAP machine connection).

Nevertheless the service should not run as user "root" but use a dedicated local user account.
Yes, we should improve that. Another thing to consider then is that the directory for file uploads needs to be adjusted so that only a lower-privileged "UMC" user can write to it.
Since Bug #46270 the UMC-Webserver requires a machine connection. This has to be solved differently. Also the UMC-Webserver has access to the SAML certificates which is currently only possible as root. This needs to be changed to a specific user then.
Philipp Hahn in https://git.knut.univention.de/univention/ucs/-/merge_requests/137#note_57438

We should really stop running services as root just because they need to access some other resources owned by or accessible only to root. I guess /etc/machine.secret or such here. Instead we probably should start doing this:

- [ ] create a group for accessing that file:
      addgroup --quiet --system ucs-machine
- [ ] use that group for the file:
      MS='/etc/machine.secret' && chgrp ucs-machine "$MS" && chmod 0640 "$MS"
- [ ] Adapt univention-join (https://git.knut.univention.de/univention/ucs/-/blob/5.0-1/management/univention-join/univention-join#L716) to use root:ucs-machine 0640 - also called for PrimaryDC?
- [x] check that server_password_change (https://git.knut.univention.de/univention/ucs/-/blob/5.0-1/base/univention-server/server_password_change#L130-131) preserves the changed permissions
- [ ] Adapt diagnostic/plugins/31_file_permissions.py (https://git.knut.univention.de/univention/ucs/-/blob/5.0-1/management/univention-management-console-module-diagnostic/umc/python/diagnostic/plugins/31_file_permissions.py#L132) to expect root:ucs-machine 0640
- [ ] create a specific user in debian/umc-web-server.postinst (https://git.knut.univention.de/univention/ucs/-/blob/5.0-1/management/univention-management-console/debian/univention-management-console-web-server.postinst):
      adduser --quiet --system --home /var/lib/univention-management-console-web-server --shell /bin/false --ingroup ucs-machine --disabled-password --disabled-login --gecos 'Univention Management Console Web Server Account' umc-web
- [ ] use that user umc-web here
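The checklist above hands /etc/machine.secret to a dedicated group and expects the diagnostic plugin to verify root:ucs-machine 0640 afterwards. The following is an added example, not UCS code and not the content of 31_file_permissions.py: it shows what such a check has to assert (owner, group, exact mode, and independently no world bits and no group-write), and it reproduces the kernel's DAC decision to show why a group member such as umc-web can read the secret while an unrelated account cannot. The function names, the tempfile stand-in for the secret and the constructed file content are assumptions of this example; "ucs-machine" and "umc-web" are the names from the proposal.

```python
"""Least-privilege check for a shared secret file such as /etc/machine.secret.

Added example (not UCS code).  A secret that one unprivileged service account
must read should be owned by root, group-readable by a dedicated system group
(the proposal's "ucs-machine") and inaccessible to everyone else.
"""
import grp
import os
import pwd
import stat
import tempfile

EXPECTED_MODE = 0o640  # rw- for owner (root), r-- for group, --- for others


def _name(lookup, numeric_id):
    """Map uid/gid to a name, falling back to the number if unknown (containers)."""
    try:
        return lookup(numeric_id)[0]
    except KeyError:
        return str(numeric_id)


def check_secret_permissions(path, owner, group, mode=EXPECTED_MODE):
    """Return a list of findings for `path`; an empty list means all is as expected."""
    st = os.stat(path)
    actual_owner = _name(pwd.getpwuid, st.st_uid)
    actual_group = _name(grp.getgrgid, st.st_gid)
    actual_mode = stat.S_IMODE(st.st_mode)
    findings = []
    if actual_owner != owner:
        findings.append("owner is %s, expected %s" % (actual_owner, owner))
    if actual_group != group:
        findings.append("group is %s, expected %s" % (actual_group, group))
    if actual_mode != mode:
        findings.append("mode is %04o, expected %04o" % (actual_mode, mode))
    # Report the two bits that matter even when the exact mode is "almost" right.
    if actual_mode & stat.S_IRWXO:
        findings.append("world-accessible")
    if actual_mode & stat.S_IWGRP:
        findings.append("group-writable")
    return findings


def can_read(path, uid, gids):
    """Would a process with this uid and these gids pass the kernel's mode-bit check?"""
    st = os.stat(path)
    perm = stat.S_IMODE(st.st_mode)
    if uid == 0:
        return True  # root bypasses the mode bits (CAP_DAC_OVERRIDE)
    if st.st_uid == uid:
        return bool(perm & stat.S_IRUSR)
    if st.st_gid in gids:
        return bool(perm & stat.S_IRGRP)
    return bool(perm & stat.S_IROTH)


def demo():
    """Create a stand-in for /etc/machine.secret and exercise both checks."""
    me = _name(pwd.getpwuid, os.geteuid())          # plays the role of "root"
    my_group = _name(grp.getgrgid, os.getegid())    # plays the role of "ucs-machine"
    fd, path = tempfile.mkstemp()
    os.write(fd, b"constructed-secret\n")            # constructed sample content
    os.close(fd)
    results = {}
    os.chmod(path, 0o644)  # the typical mistake: readable by every local user
    results["world_readable"] = check_secret_permissions(path, me, my_group)
    os.chmod(path, 0o640)  # the proposal's target mode
    results["hardened"] = check_secret_permissions(path, me, my_group)
    st = os.stat(path)
    # A service account (not the owner) that is a member of the file's group ("umc-web"):
    results["group_member_reads"] = can_read(path, st.st_uid + 1, {st.st_gid})
    # An unrelated account with no membership in that group:
    results["stranger_reads"] = can_read(path, st.st_uid + 1, set())
    os.unlink(path)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print("%-20s %r" % (name, value))
```

Run against the real file this becomes `check_secret_permissions("/etc/machine.secret", "root", "ucs-machine")`; the demo uses the invoking user and group instead so it runs without root.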
Note that we are using pam-unix in the PAM stack which is running in the UMC-Server process. This requires access to /etc/shadow.
(In reply to Florian Best from comment #4)
> Note that we are using pam-unix in the PAM stack which is running in the
> UMC-Server process. This requires access to /etc/shadow.

Either adduser umc-web shadow or --ingroup shadow when `adduser … umc-web` is done in debian/umc-web-server.postinst
Bug #43633 unified umc-web-server and umc-server. Still running as root.