FS#71043 - [zerotier-one] Add zerotier-one user using systemd-sysusers so that the daemon can drop root privs

Attached to Project: Community Packages
Opened by Yves Perrenoud (pyves) - Friday, 28 May 2021, 08:39 GMT
Last edited by Christian Hesse (eworm) - Thursday, 20 April 2023, 10:35 GMT
Task Type Bug Report
Category Security
Status Closed
Assigned To Christian Hesse (eworm)
Architecture All
Severity High
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 3
Private No


If zerotier-one finds a user named "zerotier-one", it will drop root privileges as soon as it can and run as that user, which is obviously far more desirable than running as root.

The upstream ZeroTier RPM spec file creates the user by default, and so does the Debian deb package. This is clearly the intent of the ZT developers and the Arch package should follow the same convention.

As the current package doesn't create the user, the daemon runs as root. Since this is a network daemon that needs to be open to the whole Internet for maximum peer to peer routing effectiveness, and is written in C, C++ and Assembly, hence highly likely to be vulnerable to a buffer overflow or similar issue at some point in the future (there could be an actively exploited zero day right now for all we know), the daemon is currently a dangerous infection vector for any system running it.

The simple solution is to modify the package to use systemd-sysusers to create the required "zerotier-one" user, and I'm attaching a patch that does just that.
This task depends upon

Closed by  Christian Hesse (eworm)
Thursday, 20 April 2023, 10:35 GMT
Reason for closing:  Implemented
Additional comments about closing:  zerotier-one 1.10.6-2