FS#15115 - [quassel] Quasselcore runs as root through init script.

Attached to Project: Community Packages
Opened by Pieter Steyn (appel) - Monday, 15 June 2009, 18:37 GMT
Last edited by Vesa Kaihlavirta (vegai) - Friday, 05 February 2010, 10:20 GMT
Task Type: Bug Report
Category: Packages
Status: Closed
Assigned To: Vesa Kaihlavirta (vegai)
Architecture: All
Severity: Medium
Priority: Normal
Reported Version:
Due in Version: Undecided
Due Date: Undecided
Percent Complete: 100%
Votes: 1
Private: No

Details

Description: Potentially insecure initscript.


Additional info:
* all package versions.
* default config.


Steps to reproduce:

The quassel init script starts the quasselcore as root.
I don't think there are any known vulnerabilities yet, but running IRC as root is never a good idea.

Closed by Vesa Kaihlavirta (vegai)
Friday, 05 February 2010, 10:20 GMT
Reason for closing: Fixed
Comment by Pieter Steyn (appel) - Monday, 15 June 2009, 18:39 GMT
I'd suggest just creating a quassel user and group and running quasselcore as that user.
Comment by Pieter Steyn (appel) - Wednesday, 01 July 2009, 07:39 GMT
So?

Also, I'm curious as to how this is a 'feature request' and not a 'bug report'. An init script running an IRC client as ROOT is clearly a bug, and should remain a bug report.

Thanks.
Comment by Pieter Steyn (appel) - Wednesday, 01 July 2009, 10:50 GMT
(Sorry if I seem rude, I'm being genuine though.)
Comment by Ionut Biru (wonder) - Monday, 06 July 2009, 14:47 GMT
You could provide a patch if you want this to be fixed.
Comment by Vesa Kaihlavirta (vegai) - Wednesday, 28 October 2009, 08:07 GMT
Would the 'nobody' user be good enough, or do we need a new user for this (which I'd rather not do)?
Comment by Gavin Bisesi (Daenyth) - Wednesday, 11 November 2009, 16:01 GMT
"nobody" would work as a quick fix, but it should be done properly with a dedicated user.
Comment by Gaetan Bisson (vesath) - Friday, 11 December 2009, 11:04 GMT
I attempted to fix that issue in my quassel-light package (quassel without KDE); see
http://aur.archlinux.org/packages.php?ID=24922
Feedback is welcome!
Comment by Ray Rashif (schivmeister) - Saturday, 26 December 2009, 08:50 GMT
In cases like this, the user would be defined and exported via the conf.d file, after which the startup command should use the variable:

http://sources.gentoo.org/viewcvs.py/gentoo-x86/net-irc/quassel/files/quasselcore-2.conf?rev=1.1&view=markup
http://sources.gentoo.org/viewcvs.py/gentoo-x86/net-irc/quassel/files/quasselcore-2.init?rev=1.1&view=markup

A similar issue here: FS#15102
Comment by Vesa Kaihlavirta (vegai) - Thursday, 04 February 2010, 12:57 GMT
Thanks, Gaetan. I'm adapting parts of your diffs in quassel-light to quassel.

Comment by Ionut Biru (wonder) - Thursday, 04 February 2010, 13:17 GMT
vegai, you can look at deluge too. I don't like the sudo part and I would prefer su -l -c "command" $user
Comment by Vesa Kaihlavirta (vegai) - Thursday, 04 February 2010, 14:18 GMT
Modified to use su (this required changing shell of quassel user to /bin/sh though), and added /etc/conf.d/quassel.

Gaetan, adapt quassel-light as you see fit.

0.5.2-1 coming soon
Comment by Gaetan Bisson (vesath) - Thursday, 04 February 2010, 15:49 GMT
Thanks Vesa and Ionut for your comments; I've adopted most of your suggestions in quassel-light.

Vesa, maybe add a backup entry for /etc/conf.d/quassel?
Comment by Vesa Kaihlavirta (vegai) - Thursday, 04 February 2010, 16:16 GMT
Indeed, I'll do that.
Comment by Vesa Kaihlavirta (vegai) - Friday, 05 February 2010, 10:20 GMT
-2 uploaded
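
The approach the thread settles on (run-as account named in /etc/conf.d/quassel, core started through su -l -c) as an added example; it is not the script shipped in the Arch package. QUASSEL_USER, PASSWD_FILE, DRY_RUN and the function names are assumptions, and only local passwd accounts are checked.

```shell
#!/bin/sh
# Added example, not the Arch package's script. QUASSEL_USER, PASSWD_FILE,
# DRY_RUN and the function names are assumptions made for this illustration.
PASSWD_FILE=${PASSWD_FILE:-/etc/passwd}    # local accounts only

# check_run_user USER -> 0 if USER is acceptable for a daemon, otherwise
# 1 empty, 2 unsafe name, 3 no such account, 4 UID 0, 5 no usable login shell
check_run_user() {
    user=$1
    [ -n "$user" ] || return 1
    case $user in
        -*|*[!A-Za-z0-9._-]*) return 2 ;;  # a leading '-' would be read as a su option
    esac
    entry=$(awk -F: -v u="$user" '$1 == u { print $3 ":" $7; exit }' "$PASSWD_FILE")
    [ -n "$entry" ] || return 3
    uid=${entry%%:*}
    shell=${entry#*:}
    [ "$uid" -ne 0 ] || return 4           # also catches UID-0 aliases of root
    case $shell in
        */false|*/nologin) return 5 ;;     # su -l -c runs the command via this shell
    esac
    return 0
}

# start_as_user USER COMMAND: validate USER, then run COMMAND through su.
# DRY_RUN=1 prints the su invocation instead, so no root is needed to test it.
start_as_user() {
    check_run_user "$1" || {
        rc=$?
        echo "refusing to start as '$1' (code $rc)" >&2
        return "$rc"
    }
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf 'su -l -c "%s" %s\n' "$2" "$1"
    else
        su -l -c "$2" "$1"
    fi
}

# Start branch of the init script: the account comes from the conf.d file,
# e.g. a line QUASSEL_USER=quassel, and an unset value is refused, not defaulted.
start_quassel() {
    if [ -r /etc/conf.d/quassel ]; then . /etc/conf.d/quassel; fi
    start_as_user "${QUASSEL_USER:-}" "quasselcore"
}
```

Return code 5 corresponds to the point made in the thread that su needs the quassel account to have a working shell such as /bin/sh.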