KiwiIRC runs as root #3

Open
ccoenen opened this issue Oct 24, 2017 · 7 comments

Comments

@ccoenen

ccoenen commented Oct 24, 2017

I don't believe it is a good idea to have this thing run as root user, it is defined here:

but never actually used anywhere. It would probably need to be referenced here:

$cmd 1>> "$std_log" 2>&1 &

Other choices would be: www-data or httpd which are usually available on systems with http servers like apache or nginx; irc which is usually present on servers that run an ircd.

@ccoenen
Author

ccoenen commented Oct 24, 2017

I changed the line to be
sudo -u $user $cmd 1>> "$std_log" 2>&1 &

but I have no idea if this is portable to different distributions.
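The portability worry above is real: sudo is not installed everywhere, and service accounts such as www-data usually have nologin as their shell, so a bare `su` fails too. The following is an added example (not the KiwiIRC start script itself) of a drop-in for the `$cmd 1>> "$std_log" 2>&1 &` line that picks whichever privilege-dropping tool the host has. It assumes the script's existing `$user`, `$cmd` and `$std_log` variables and that the script is started as root.

```shell
#!/bin/sh
# Added example, not KiwiIRC's own code: start the daemon as an unprivileged
# user from a root-run init script without assuming sudo exists.
# Assumed script variables (as in the issue): $user, $cmd (a command string),
# $std_log (the log path).

# Print the name of the first privilege-dropping tool found on PATH, or fail.
# Preference: setpriv (util-linux; no PAM, no tty, no shell lookup),
# runuser (util-linux), su (present everywhere), sudo (often absent).
pick_priv_tool() {
    for tool in setpriv runuser su sudo; do
        if command -v "$tool" >/dev/null 2>&1; then
            printf '%s\n' "$tool"
            return 0
        fi
    done
    return 1
}

# Run a command string as user $1 with whatever pick_priv_tool found.
# Every branch ends in `sh -c "$cmd"` so the script's string-valued $cmd keeps
# working; su gets -s /bin/sh because service accounts usually have nologin
# as their login shell. Numeric ids are passed to setpriv for old util-linux.
run_as() {
    user="$1"; shift
    cmd="$*"
    tool=$(pick_priv_tool) || {
        echo "cannot drop privileges to $user: none of setpriv/runuser/su/sudo found" >&2
        return 1
    }
    case "$tool" in
        setpriv) setpriv --reuid="$(id -u "$user")" --regid="$(id -g "$user")" \
                         --init-groups -- sh -c "$cmd" ;;
        runuser) runuser -u "$user" -- sh -c "$cmd" ;;
        su)      su -s /bin/sh -c "$cmd" "$user" ;;
        sudo)    sudo -u "$user" -- sh -c "$cmd" ;;
    esac
}

# Replacement for the original `$cmd 1>> "$std_log" 2>&1 &`.
# The redirection is still performed by the root shell before privileges are
# dropped, so $std_log need not be writable by $user; only the daemon itself
# runs unprivileged. After this, the process cannot bind ports below 1024 by
# itself (see the rest of the thread for that part).
start_daemon() {
    run_as "$user" "$cmd" 1>> "$std_log" 2>&1 &
    echo $!
}
```

`pick_priv_tool` is split out so the choice can be inspected (or logged) before anything runs as root; with an empty result the script refuses to start rather than silently staying root.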

@ccoenen
Author

ccoenen commented Oct 24, 2017

(it should also be noted that you need to have root access to create ports < 1000, I am using this with a "regular" webserver in front of it)

@prawnsalad
Member

> you need to have root access to create ports < 1000

*1024

A lot of people do have this running on port 80/443 by default, for which either root is needed or, on some distros, setcap can allow non-root users to listen on ports < 1024. Also remember that not all distros have sudo installed.

I'm not entirely sure what the best way of handling all these cases is, short of creating a package for each and every distro out there.

@ccoenen
Author

ccoenen commented Oct 26, 2017

there appear to be only shitty options to solve this.

  • proxy to high port number is not trivial to set up
  • iptables rerouting to high port number is not trivial to set up
  • authbind appears to be debian/ubuntu only
  • setcap CAP_NET_BIND_SERVICE would apparently allow any node process to open ports (not just the specific kiwiirc process) (apparently considered harmful, see next post, thanks for speaking up :-) )

Feel free to close this, but I still think this should be documented somewhere.

@mestaritonttu

Systemd has a solution for the port binding, see for example here: https://github.com/mholt/caddy/blob/master/dist/init/linux-systemd/caddy.service#L43

Using setcap is considered harmful.
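To make the two options discussed above concrete, here is an added example (not KiwiIRC's install script or unit file): a setcap variant that confines the capability to a private copy of the node binary, so it is not handed to every node process on the box as the earlier comment feared, and a systemd unit that needs no file capability at all because it grants CAP_NET_BIND_SERVICE in the ambient set, which is the mechanism the linked Caddy unit relies on. The service user `kiwiirc`, the entry point `/opt/kiwiirc/server.js`, the copy location `/opt/kiwiirc/bin/node` and the unit name are all assumed names for the example.

```shell
#!/bin/sh
# Added example, not KiwiIRC's own code. Assumed names: service user "kiwiirc",
# entry point /opt/kiwiirc/server.js, private node copy /opt/kiwiirc/bin/node.
set -eu

# Ports below 1024 need CAP_NET_BIND_SERVICE; anything else binds as-is.
needs_bind_cap() {
    [ "$1" -lt 1024 ]
}

# Option 1: setcap, but only on a private copy of node.
# `setcap ... /usr/bin/node` would give the capability to every node process;
# a copy owned by root, executable only by the service group (mode 0050),
# confines it to this service, and the service user cannot overwrite it.
# Caveats: file capabilities are ignored on nosuid mounts, and the copy must
# be refreshed whenever the system node package is upgraded.
install_private_node() {
    svc_user="$1"; dest="$2"; port="$3"
    if ! needs_bind_cap "$port"; then
        echo "port $port needs no capability; run node as $svc_user directly" >&2
        return 0
    fi
    grp=$(id -gn "$svc_user")
    mkdir -p "$(dirname "$dest")"
    install -o root -g "$grp" -m 0050 "$(command -v node)" "$dest"
    setcap cap_net_bind_service=+ep "$dest"
    getcap "$dest"   # verify what was actually granted before trusting it
}

# Option 2 (preferred where systemd is available): no file capability at all.
# systemd starts the process as the service user with CAP_NET_BIND_SERVICE in
# its ambient set, and the bounding set stops it acquiring anything else.
unit_file() {
    svc_user="$1"; entry="$2"
    cat <<EOF
[Unit]
Description=KiwiIRC web client
After=network.target

[Service]
User=$svc_user
Group=$svc_user
ExecStart=/usr/bin/node $entry
AmbientCapabilities=CAP_NET_BIND_SERVICE
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
NoNewPrivileges=true
ProtectSystem=full
PrivateTmp=true
Restart=on-failure

[Install]
WantedBy=multi-user.target
EOF
}

# Usage (as root):
#   ./kiwiirc-setup.sh install kiwiirc /opt/kiwiirc/bin/node 443
#   ./kiwiirc-setup.sh unit kiwiirc /opt/kiwiirc/server.js > /etc/systemd/system/kiwiirc.service
#   systemctl daemon-reload && systemctl enable --now kiwiirc
case "${1:-}" in
    install) install_private_node "${2:-kiwiirc}" "${3:-/opt/kiwiirc/bin/node}" "${4:-443}" ;;
    unit)    unit_file "${2:-kiwiirc}" "${3:-/opt/kiwiirc/server.js}" ;;
    "")      ;;   # run without arguments: only define the functions
    *)       echo "usage: $0 install [user] [dest] [port] | unit [user] [entry.js]" >&2; exit 2 ;;
esac
```

With the systemd unit, `ExecStart` points at the system node binary and nothing on disk carries a capability, so a node upgrade needs no follow-up step; the setcap path is the fallback for hosts without systemd or authbind.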

@prawnsalad
Member

@mestaritonttu any more info on why setcap is harmful?

@mestaritonttu

Only this, like we discussed on IRC: caddyserver/caddy#528 (comment)
