Univention Bugzilla – Bug 51241
S4C should not run as root
Last modified: 2020-05-07 19:02:34 CEST
Running services needlessly as user "root" is a CWE-272 violation of the "Principle of least privilege". # ps u $(pgrep -f univention.s4connector.s4.main) USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND root 6465 0.4 7.0 756620 71756 ? S Mai05 13:49 /usr/bin/python2.7 -W ignore -m univention.s4connector.s4.main # /usr/lib/pymodules/python2.7/univention/s4connector/s4/main.py # lsof -p $(pgrep -f univention.s4connector.s4.main) -a -d 3-65535 COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME /usr/bin/ 6465 root 3u REG 0,21 0 24388 /run/lock/univention-s4-connector /usr/bin/ 6465 root 4u REG 254,0 14441123 527075 /var/log/univention/connector-s4-status.log /usr/bin/ 6465 root 5w CHR 1,3 0t0 1028 /dev/null /usr/bin/ 6465 root 6u REG 254,0 10168169 543506 /var/log/univention/connector-s4.log /usr/bin/ 6465 root 7u REG 254,0 10168169 543506 /var/log/univention/connector-s4.log /usr/bin/ 6465 root 8u REG 254,0 131072 1573396 /etc/univention/connector/s4internal.sqlite /usr/bin/ 6465 root 9u REG 254,0 114688 1573397 /etc/univention/connector/s4cache.sqlite /usr/bin/ 6465 root 10u REG 254,0 20480 1571704 /etc/univention/connector/lockingdb.sqlite /usr/bin/ 6465 root 11u IPv4 629427 0t0 TCP m34.phahn.dev:55466->m34.phahn.dev:7389 (ESTABLISHED) /usr/bin/ 6465 root 12u unix 0xffff9df7b8737400 0t0 629433 type=STREAM From my understanding S4C does not open any privileged ports, writes files in arbitrary locations, .. As such the service should not run as user "root" but use a dedicated local user account.
> From my understanding S4C does not open any privileged ports, writes files in arbitrary locations, .. It does: root@master10:~# ucr search --brief connector/s4/ldap/protocol connector/s4/ldap/socket connector/s4/ldap/protocol: ldapi connector/s4/ldap/socket: /var/lib/samba/private/ldap_priv/ldapi
(In reply to Arvid Requate from comment #1) > > From my understanding S4C does not open any privileged ports, writes files in arbitrary locations, .. Clarification: *TCP/UDP* ports < 1024 > It does: > > root@master10:~# ucr search --brief connector/s4/ldap/protocol > connector/s4/ldap/socket > connector/s4/ldap/protocol: ldapi > connector/s4/ldap/socket: /var/lib/samba/private/ldap_priv/ldapi Disclaimer: not checked by me but theoretically ... chown "user-for-s4v:or-some-group" /var/lib/samba/private/ldap_priv{,/ldapi} chmod ug+rwX /var/lib/samba/private/ldap_priv{,/ldapi} or a variant using "setfacl" for POSIX ACLs should do the trick as long as Samba itself does not implement/user an authentication mechanism itself: For UNIX domain sockets you can query the Linux kernel for information about the connecting client and get its PID/UID/GID ... See <man:unix(7)> Running services as "root" leads to inflation: Because Samba runs as "root", now other services like BIND and s4C must run as "root" as well to be able to communicate with it. See your own Bug #25358 comment 12 Running services as "root" should not be the norm, but an explicit exception and especially no excuse for taking the easy road by not implementing proper permissions. (this read this as "finger-pointing", but as "we should improve that" someday - I did those errors too in the past and have learned since then)
I'm not opposing, just clarifying dependencies.