FS#72320 - [bird] 2.0.8-3 specifies User=bird in systemd service, but does not create user

Attached to Project: Arch Linux
Opened by Peter Fern (pdf) - Friday, 01 October 2021, 23:36 GMT
Last edited by Andreas Radke (AndyRTR) - Sunday, 10 October 2021, 18:41 GMT
Task Type Bug Report
Category Packages: Extra
Status Closed
Assigned To No-one
Architecture All
Severity Medium
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

Description:
The bird package (correctly) specifies a lower-privilege user to run as in its systemd service and applies all caps required to operate; however, the package does not create the corresponding user on install.

Additional info:
$ systemctl cat bird.service
# /usr/lib/systemd/system/bird.service
[Unit]
Description=BIRD routing daemon
After=network.target

[Service]
Type=forking
ExecStart=/usr/bin/bird
ExecReload=/usr/bin/birdc configure
ExecStop=/usr/bin/birdc down
RuntimeDirectory=bird
RuntimeDirectoryMode=0750
DynamicUser=true
User=bird
ProtectSystem=strict
ProtectHome=true
ProtectKernelTunables=true
ProtectControlGroups=true
PrivateTmp=true
PrivateDevices=true
CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW
AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW

[Install]
WantedBy=multi-user.target

$ getent passwd bird
$ echo $?
2
Closed by Andreas Radke (AndyRTR)
Sunday, 10 October 2021, 18:41 GMT
Reason for closing: Duplicate
Additional comments about closing: FS#71902
Comment by loqs (loqs) - Saturday, 02 October 2021, 08:04 GMT

Comment by Peter Fern (pdf) - Saturday, 02 October 2021, 08:08 GMT
I see... with that model, is there any way to secure the config file against world reads?
Comment by AK (Andreaskem) - Saturday, 02 October 2021, 09:05 GMT
From the documentation: "If a statically allocated user or group of the configured name already exists, it is used and no dynamic user/group is allocated."
So if you want to have the config file only readable by bird, you could just create the user yourself, I guess.

Maybe there is an alternative (possibly using BindPaths and/or ConfigurationDirectory?), though.
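The behaviour AK quotes above (a pre-existing static account wins over DynamicUser=) is what decides whether /etc/bird.conf can be made readable by "bird" alone. The following is an added example, written for this page and not part of the bug report, the bird package or Arch's packaging: it parses a unit file's [Service] section and reports how its User= line will be resolved on the current host, and emits the kind of sysusers.d fragment that would turn the transient user into a static one. The awk parser, the `classify_unit` labels and the fragment's gecos text are this example's own choices; `id -u` is used instead of `getent passwd` only so the script also runs on hosts without glibc's getent.

```shell
#!/bin/sh
# Added example, not from the bug report or the bird package.
# For a systemd unit, report how its User= line is resolved:
#   static  - the named account already exists, so systemd uses it as-is
#             (with DynamicUser=true nothing is allocated dynamically)
#   dynamic - DynamicUser=true and the account does not exist, so systemd
#             allocates a transient UID for the service's lifetime
#   missing - no DynamicUser= and the account does not exist: the unit
#             would fail at start-up

# Print the value of KEY from the [Service] section of a unit file.
# Later assignments override earlier ones, as in systemd itself.
unit_service_value() {
    # $1 = unit file, $2 = key (e.g. User, DynamicUser)
    awk -v key="$2" '
        /^\[/ { in_service = ($0 == "[Service]") }
        in_service && index($0, key "=") == 1 { val = substr($0, length(key) + 2) }
        END { print val }
    ' "$1"
}

# True if NAME exists in the passwd database (a static account).
account_exists() {
    id -u "$1" >/dev/null 2>&1
}

classify_unit() {
    cu_user=$(unit_service_value "$1" User)
    cu_dynamic=$(unit_service_value "$1" DynamicUser)
    # systemd runs as root when User= is unset
    cu_user=${cu_user:-root}
    if account_exists "$cu_user"; then
        echo static
    elif [ "$cu_dynamic" = "true" ] || [ "$cu_dynamic" = "yes" ]; then
        echo dynamic
    else
        echo missing
    fi
}

# sysusers.d(5) fragment that would create a static "bird" account at boot
# or on package install; a static account is what lets /etc/bird.conf be
# chown'ed root:bird 0640. The gecos text is illustrative.
sysusers_fragment() {
    printf '%s\n' 'u bird - "BIRD routing daemon" - -'
}

# Constructed copy of the [Service] section shown in the report, written to
# the path given as $1 so the functions above can be exercised offline.
write_bird_unit() {
    cat > "$1" <<'EOF'
[Unit]
Description=BIRD routing daemon

[Service]
Type=forking
ExecStart=/usr/bin/bird
RuntimeDirectory=bird
RuntimeDirectoryMode=0750
DynamicUser=true
User=bird
ProtectSystem=strict
EOF
}

tmp_unit=$(mktemp)
write_bird_unit "$tmp_unit"
printf 'bird.service User= resolves as: %s\n' "$(classify_unit "$tmp_unit")"
printf 'sysusers.d fragment to make it static:\n  %s\n' "$(sysusers_fragment)"
rm -f "$tmp_unit"
```

On a host without a "bird" account the script reports "dynamic", which is why the config file cannot be owned by a UID that only exists while the service runs; dropping the fragment into /etc/sysusers.d/ and running systemd-sysusers flips the report to "static" without editing the unit.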
