Arch Linux

Please read this before reporting a bug:
https://wiki.archlinux.org/index.php/Reporting_Bug_Guidelines

Do NOT report bugs when a package is just outdated, or it is in Unsupported. Use the 'flag out of date' link on the package page, or the Mailing List.

REPEAT: Do NOT report bugs for outdated packages!
Tasklist

FS#64874 - [bird] run bird as a normal user

Attached to Project: Arch Linux
Opened by Tim (bastelfreak) - Tuesday, 17 December 2019, 14:52 GMT
Last edited by Sébastien Luttringer (seblu) - Tuesday, 19 May 2020, 23:13 GMT
Task Type Feature Request
Category Security
Status Assigned   Reopened
Assigned To Sébastien Luttringer (seblu)
Levente Polyak (anthraxx)
Architecture All
Severity Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 0%
Votes 0
Private No

Details

Description: Our bird service file starts the daemon as root. I expected that it runs as a normal user (not sure if this classifies as a bug / security incident).


Additional info:
* package version(s)
2.0.7-1
* config and/or log files etc.

The current service file:
[Unit]
Description=BIRD routing daemon
After=network.target

[Service]
Type=forking
ExecStart=/usr/bin/bird
ExecReload=/usr/bin/birdc configure
ExecStop=/usr/bin/birdc down

[Install]
WantedBy=multi-user.target

I did some tests and think the following unit file makes more sense (and it works for me):
[Unit]
Description=BIRD Internet Routing Daemon
Wants=network-online.target
After=network-online.target

[Service]
Type=simple
ExecStart=/usr/bin/bird -f -u bird -g bird
ExecReload=/usr/bin/birdc configure
ExecStop=/usr/bin/birdc down
Restart=on-failure

[Install]
WantedBy=multi-user.target

(the package needs to be updated to also create a bird user)
This task depends upon

Comment by Levente Polyak (anthraxx) - Tuesday, 17 December 2019, 16:58 GMT
I dont think the application needs a dedicated bird user that owns files on the filesystem, hence it may classify for a simple usage of DynamicUser
while on it, it would make sense to define hardening settings for the unit as well
Comment by Tim (bastelfreak) - Wednesday, 18 December 2019, 19:14 GMT
the application exposes a unix socket which is owned by the user, and only certain people/accounts, not everbody but also not nobody else, need to access it. Does that qualify for a dedicated user? In my environment the service runs as user bird, the socket is owned by bird:bird and my monitoring software runs as another user which got added to the bird group.
Comment by Sébastien Luttringer (seblu) - Friday, 21 February 2020, 21:44 GMT
Bird may push routes into the kernel tables, so it requires special capabilities if we want to run it as user.
Comment by Sébastien Luttringer (seblu) - Tuesday, 19 May 2020, 23:17 GMT
Instead of closing it, I've updated the bug report in a feature request to improve security around bird.

I guess we could use a dynamic user and harden the unit and grant it CAP_NET_ADMIN for network stuff.

Loading...