FS#71043 - [zerotier-one] Add zerotier-one user using systemd-sysusers so that the daemon can drop root privs
Attached to Project:
Community Packages
Opened by Yves Perrenoud (pyves) - Friday, 28 May 2021, 08:39 GMT
Last edited by Christian Hesse (eworm) - Thursday, 20 April 2023, 10:35 GMT
Details
If zerotier-one finds a user named "zerotier-one", it will drop root privileges as soon as it can and run as that user, which is obviously far more desirable than running as root.
The upstream ZeroTier RPM spec file creates the user by default, and so does the Debian deb package. This is clearly the intent of the ZT developers and the Arch package should follow the same convention.
As the current package doesn't create the user, the daemon runs as root. Since this is a network daemon that needs to be open to the whole Internet for maximum peer-to-peer routing effectiveness, and is written in C, C++ and Assembly, hence highly likely to be vulnerable to a buffer overflow or similar issue at some point in the future (there could be an actively exploited zero-day right now for all we know), the daemon is currently a dangerous infection vector for any system running it.
The simple solution is to modify the package to use systemd-sysusers to create the required "zerotier-one" user, and I'm attaching a patch that does just that.
Closed by Christian Hesse (eworm)
Thursday, 20 April 2023, 10:35 GMT
Reason for closing: Implemented
Additional comments about closing: zerotier-one 1.10.6-2
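A check for the condition this report describes, as an added example that is not part of the report or the Arch package: it reads the `Uid:` and `Gid:` lines of `/proc/<pid>/status` and reports whether a process still holds any root ID. The sample status text and UID/GID 968 are constructed, and the process name passed to `pgrep` is assumed to be `zerotier-one`.

```shell
#!/bin/sh
# Added example, not from the report or the package.

# ids_all_nonroot FIELD: read /proc/<pid>/status text on stdin; succeed only
# if FIELD ("Uid" or "Gid") is present and its real, effective, saved and
# filesystem IDs are all non-zero.
ids_all_nonroot() {
    awk -v field="$1:" '
        $1 == field {
            found = 1
            for (i = 2; i <= 5; i++)
                if ($i !~ /^[0-9]+$/ || $i + 0 == 0) bad = 1
        }
        END { exit ((found && !bad) ? 0 : 1) }
    '
}

# privilege_state STATUS_TEXT: print "dropped" or "root".
privilege_state() {
    if printf '%s\n' "$1" | ids_all_nonroot Uid &&
       printf '%s\n' "$1" | ids_all_nonroot Gid; then
        echo dropped
    else
        echo root
    fi
}

# Constructed samples (UID/GID 968 is made up).
SAMPLE_ROOT='Name: zerotier-one
Uid: 0 0 0 0
Gid: 0 0 0 0'
SAMPLE_DROPPED='Name: zerotier-one
Uid: 968 968 968 968
Gid: 968 968 968 968'
# Saved UID still 0: the process could switch back to root.
SAMPLE_SAVED_ROOT='Name: zerotier-one
Uid: 968 968 0 968
Gid: 968 968 968 968'

# Live use: ./check.sh zerotier-one  (process name is an assumption)
if [ -n "${1:-}" ]; then
    for pid in $(pgrep -x "$1"); do
        echo "$pid $(privilege_state "$(cat "/proc/$pid/status")")"
    done
fi
```

Checking all four IDs rather than only the effective one catches a daemon that changed its effective UID but kept a saved UID of 0.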