Package: sshguard
Severity: normal
X-Debbugs-Cc: deb...@rocketjump.eu

Hi,

a default install of sshguard runs as root by default, which has certain security implications we should avoid. Most actions don't require root:

logreading: Reading relevant files in /var/log/ or running journalctl requires only an unprivileged user in the adm group.
logparsing: requires no permissions at all.
sshg-blocker: requires no permissions at all.
calling the firewall backend: iptables/nftables will require root, but firewalld can for example be called via dbus.

Consider selectively dropping privs along the pipeline and packaging it as such by default.

Greets,
Lee

-- System Information:
Debian Release: trixie/sid
  APT prefers testing
  APT policy: (990, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 6.12.12-amd64 (SMP w/8 CPU threads; PREEMPT)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages sshguard depends on:
ii  init-system-helpers       1.68
ii  libc6                     2.40-6
ii  sysvinit-utils [lsb-base] 3.14-1

Versions of packages sshguard recommends:
ii  nftables  1.1.1-1

sshguard suggests no packages.
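
Added example, not part of the original report and not sshguard or Debian code: a small audit that reads `ps -eo user=,args=` style lines and flags pipeline stages running as root against the per-stage needs listed in the report. The helper names other than sshg-blocker, the paths, and the sample process list are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example: flag sshguard pipeline stages that run as root although the
# report above says they do not need it.
# Input: one process per line, "USER COMMAND ARGS...", e.g. from: ps -eo user=,args=

# Constructed sample of an all-root pipeline (not taken from the report).
SAMPLE_PS='root /bin/sh /usr/sbin/sshguard
root journalctl -afb -p info -n1 -t sshd -o cat
root /usr/libexec/sshguard/sshg-parser
root /usr/libexec/sshguard/sshg-blocker -a 30 -p 120
root /bin/sh /usr/libexec/sshguard/sshg-fw-nft-sets'

# Prints "VERDICT STAGE USER NEEDS" for every recognised stage.
audit_sshguard_stages() {
    awk '
    {
        stage = ""; need = ""
        # Look at the command and its first argument (script run via /bin/sh).
        for (i = 2; i <= 3 && stage == ""; i++) {
            n = split($i, part, "/"); base = part[n]
            if (base == "journalctl" || base == "sshg-logtail") {
                stage = base; need = "adm-group"      # log reading
            } else if (base == "sshg-parser" || base == "sshg-blocker") {
                stage = base; need = "none"           # parsing, blocking
            } else if (base ~ /^sshg-fw-/) {
                stage = base                          # firewall backend
                need = (base == "sshg-fw-firewalld") ? "dbus" : "root"
            }
        }
        if (stage == "") next
        verdict = ($1 == "root" && need != "root") ? "REVIEW" : "ok"
        print verdict, stage, $1, need
    }'
}

printf '%s\n' "$SAMPLE_PS" | audit_sshguard_stages
```

Any journalctl process on the host matches the log-reading rule, so filter the input to sshguard's process tree before relying on the verdicts.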