FS#64874 - [bird] run bird as a normal user
Attached to Project:
Arch Linux
Opened by Tim (bastelfreak) - Tuesday, 17 December 2019, 14:52 GMT
Last edited by Sébastien Luttringer (seblu) - Monday, 26 April 2021, 21:27 GMT
Details
Description: Our bird service file starts the daemon as root. I expected that it runs as a normal user (not sure if this classifies as a bug / security incident).

Additional info:
* package version(s): 2.0.7-1
* config and/or log files etc.

The current service file:

    [Unit]
    Description=BIRD routing daemon
    After=network.target

    [Service]
    Type=forking
    ExecStart=/usr/bin/bird
    ExecReload=/usr/bin/birdc configure
    ExecStop=/usr/bin/birdc down

    [Install]
    WantedBy=multi-user.target

I did some tests and think the following unit file makes more sense (and it works for me):

    [Unit]
    Description=BIRD Internet Routing Daemon
    Wants=network-online.target
    After=network-online.target

    [Service]
    Type=simple
    ExecStart=/usr/bin/bird -f -u bird -g bird
    ExecReload=/usr/bin/birdc configure
    ExecStop=/usr/bin/birdc down
    Restart=on-failure

    [Install]
    WantedBy=multi-user.target

(The package needs to be updated to also create a bird user.)
Closed by Sébastien Luttringer (seblu)
Monday, 26 April 2021, 21:27 GMT
Reason for closing: Implemented
Additional comments about closing: 2.0.8-3
While on it, it would make sense to define hardening settings for the unit as well.
I guess we could use a dynamic user and harden the unit and grant it CAP_NET_ADMIN for network stuff.
I didn't assign a global static uid/gid pair to bird, as it's not required until you need to set permissions on the control socket. When this is required (like in Tim's usage), the root user could create a static local group named bird and add the allowed local users to that group to give them rw access to the socket.
As a side note, the build tools have been fixed upstream, so we can now use them like with other packages.
Let me know if something is broken or worse.
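The privilege drop and capability bounding discussed in the comments above, as an added shell example that is not part of the bug report, the Arch package or the bird project. It embeds the unit quoted in the report and a hardened variant of this example's own design built around the DynamicUser + CAP_NET_ADMIN idea (the directive set, the capability list and the socket path are assumptions, not the unit shipped in 2.0.8-3), then audits both for the settings that matter here: whether root is dropped, whether the capabilities are bounded, and which basic sandboxing directives are absent.

```shell
#!/bin/sh
# Added example for FS#64874; not the Arch package's unit nor bird project code.
# Both units are constructed inline: the first is the one quoted in the report,
# the second is an assumed hardened variant (this example's own directive set).

ORIGINAL_UNIT='[Unit]
Description=BIRD routing daemon
After=network.target

[Service]
Type=forking
ExecStart=/usr/bin/bird
ExecReload=/usr/bin/birdc configure
ExecStop=/usr/bin/birdc down

[Install]
WantedBy=multi-user.target'

# Assumed hardened unit. DynamicUser= replaces -u/-g (no static bird user needed);
# AmbientCapabilities= hands the unprivileged process only the network capabilities
# a routing daemon uses (CAP_NET_BIND_SERVICE for BGP port 179, CAP_NET_RAW for
# OSPF raw sockets, CAP_NET_ADMIN for the kernel routing table) and
# CapabilityBoundingSet= caps what it could ever regain. The socket path under
# RuntimeDirectory= is an assumption: with ProtectSystem=strict that is the only
# writable location, and giving a group access to it would need a static group.
HARDENED_UNIT='[Unit]
Description=BIRD Internet Routing Daemon
Wants=network-online.target
After=network-online.target

[Service]
Type=simple
ExecStart=/usr/bin/bird -f -s /run/bird/bird.ctl
ExecReload=/usr/bin/birdc -s /run/bird/bird.ctl configure
ExecStop=/usr/bin/birdc -s /run/bird/bird.ctl down
Restart=on-failure
DynamicUser=yes
RuntimeDirectory=bird
AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW
CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW
NoNewPrivileges=yes
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK

[Install]
WantedBy=multi-user.target'

# Print the value of directive $2 from the [Service] section of unit text $1
# (empty output if the directive is absent).
service_directive() {
    printf '%s\n' "$1" | awk -F= -v key="$2" '
        /^\[/ { insec = ($0 == "[Service]") }
        insec && $1 == key { sub(/^[^=]*=/, ""); print; exit }'
}

# 0 if the unit does not run as root (User= set or DynamicUser=yes), else 1.
unit_drops_root() {
    [ -n "$(service_directive "$1" User)" ] && return 0
    [ "$(service_directive "$1" DynamicUser)" = "yes" ] && return 0
    return 1
}

# 0 if CAP_NET_ADMIN is granted as an ambient capability and the bounding set
# is explicitly restricted, else 1 (root with a full capability set fails this).
unit_bounds_capabilities() {
    amb=$(service_directive "$1" AmbientCapabilities)
    bound=$(service_directive "$1" CapabilityBoundingSet)
    [ -n "$amb" ] && [ -n "$bound" ] || return 1
    case "$amb" in *CAP_NET_ADMIN*) return 0 ;; esac
    return 1
}

# List basic sandboxing directives that the unit does not set, one per line.
missing_hardening() {
    for d in NoNewPrivileges ProtectSystem ProtectHome PrivateTmp; do
        [ -n "$(service_directive "$1" "$d")" ] || echo "$d"
    done
}

# Human-readable summary of one unit.
audit_unit() {
    if unit_drops_root "$1"; then echo "user: unprivileged"; else echo "user: root"; fi
    if unit_bounds_capabilities "$1"; then echo "caps: bounded"; else echo "caps: unbounded"; fi
    missing_hardening "$1" | sed 's/^/missing: /'
}

audit_unit "$ORIGINAL_UNIT"
echo ---
audit_unit "$HARDENED_UNIT"
```

The script only inspects unit text; for the unit actually installed, `systemd-analyze security bird.service` reports the exposure the directives give in practice, and the capability list should be trimmed to the protocols enabled in bird.conf (a BGP-only instance does not need CAP_NET_RAW).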