Community Packages

Please read this before reporting a bug:
https://wiki.archlinux.org/title/Bug_reporting_guidelines

Do NOT report bugs when a package is just outdated, or it is in the AUR. Use the 'flag out of date' link on the package page, or the Mailing List.

REPEAT: Do NOT report bugs for outdated packages!
Tasklist

FS#71043 - [zerotier-one] Add zerotier-one user using systemd-sysusers so that the daemon can drop root privs

Attached to Project: Community Packages
Opened by Yves Perrenoud (pyves) - Friday, 28 May 2021, 08:39 GMT
Last edited by Andreas Radke (AndyRTR) - Saturday, 29 May 2021, 19:38 GMT
Task Type Bug Report
Category Security
Status Assigned
Assigned To Felix Yan (felixonmars)
Architecture All
Severity High
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 0%
Votes 3
Private No

Details

If zerotier-one finds a user named "zerotier-one", it will drop root privileges as soon as it can and run as that user, which is obviously far more desirable than running as root.

The upstream ZeroTier RPM spec file creates the user by default, and so does the Debian deb package. This is clearly the intent of the ZT developers and the Arch package should follow the same convention.

As the current package doesn't create the user, the daemon runs as root. Since this is a network daemon that needs to be open to the whole Internet for maximum peer to peer routing effectiveness, and is written in C, C++ and Assembly, hence highly likely to be vulnerable to a buffer overflow or similar issue at some point in the future (there could be an actively exploited zero day right now for all we know), the daemon is currently a dangerous infection vector for any system running it.

The simple solution is to modify the package to use systemd-sysusers to create the required "zerotier-one" user, and I'm attaching a patch that does just that.
   zerotier-one_arch_create_user... (0.6 KiB)
This task depends upon

Loading...