On 3/15/11 7:32 AM, no-re...@cfengine.com wrote:
> Forum: Cfengine Help
> Subject: Re: Cfengine Help: Re: Running cf-serverd as non-root
> Author: berntjernberg
> Link to topic: https://cfengine.com/forum/read.php?3,21152,21155#msg-21155
>
> Hi,
>
>> So it depends on your policy I guess, but you should expect to spend
>> more time if you decide to run cf-serverd as non-root.
>
> I really think that you should spend this time in development instead, so both
> paying customers and community members could benefit from software that
> delivers a secure solution all the way. If you take security seriously, you
> don't run processes as root if they do not have to. This may sound harsh, but
> I usually discard software vendors that have this design as people not
> knowing what they're doing, but this is obviously not true in your case. I
> really like Cfengine and I think it's a great product, but I think this
> "cf-serverd issue" could be designed differently.
I wanted to reply, because to some extent this is true... Having made large purchase decisions from time to time, software running as root has always been a negative vs. a positive. Many times, with larger vendors, this was even a reason to move to a competitor (since the thinking was they were so "big" and had enough money that they should be able to do it right). Similarly, we have internal software design requirements which prevent any of our own projects from even being allowed to make such a decision. So... I can obviously understand the original concern.

Having said that, let's consider least privilege for a minute. If your cfengine hosts are locked down in accordance with best practices, they will not be hosting other services (and will likely be in a DMZ). If someone compromises cfservd, they will be able to push out rogue policy files -- regardless of cfservd's user. Whether it is "root" or "cfengine" won't matter much if clients can still be controlled. The cfengine user is effectively root on a cfservd host, much like "nobody" became root back in the day when everyone thought "just moving to non-root is secure" -- not necessarily; you need real privilege separation.

So... if there was an easy config setting to control this (like Apache or postfix or most OSS), I would certainly jump with joy. That said, mitigation is easy and well understood.

_______________________________________________
Help-cfengine mailing list
Help-cfengine@cfengine.org
https://cfengine.org/mailman/listinfo/help-cfengine
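The "effectively root" argument in the reply above can be turned into a concrete audit check: a policy daemon that runs as a non-root account but can still write the policy files it serves has the same control over clients as a root daemon would. The following is an added example, not CFEngine's own code or configuration; it models ownership and mode bits of a constructed policy tree in memory (the uids, paths and modes are made up for illustration) and classifies the daemon as "root", "effective-root" (non-root, but controls policy) or "separated" (cannot modify what it serves).

```python
# Added example (not from the mailing-list thread or from CFEngine):
# classify a policy-serving daemon by whether it can alter the policy
# it distributes. All file and process records below are constructed.
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple


@dataclass(frozen=True)
class FileInfo:
    path: str
    owner_uid: int
    group_gid: int
    mode: int  # permission bits only, e.g. 0o644


@dataclass(frozen=True)
class Service:
    name: str
    uid: int              # effective uid the daemon runs as
    gids: FrozenSet[int]  # primary + supplementary groups


def can_write(f: FileInfo, svc: Service) -> bool:
    """Classic POSIX owner/group/other write check (root bypasses all)."""
    if svc.uid == 0:
        return True
    if f.owner_uid == svc.uid and f.mode & 0o200:
        return True
    if f.group_gid in svc.gids and f.mode & 0o020:
        return True
    return bool(f.mode & 0o002)


def assess(svc: Service, policy_tree: List[FileInfo]) -> Tuple[str, List[str]]:
    """Return (verdict, writable_paths).

    'root'           - daemon runs as uid 0; nothing to discuss.
    'effective-root' - non-root, but can rewrite served policy, so a
                       compromise still controls every client.
    'separated'      - non-root and cannot modify what it serves.
    """
    writable = [f.path for f in policy_tree if can_write(f, svc)]
    if svc.uid == 0:
        return "root", writable
    if writable:
        return "effective-root", writable
    return "separated", writable


# Constructed sample data: a hypothetical policy tree and three ways the
# daemon might be deployed. Directory entries matter as much as files,
# because write access to a directory allows replacing its contents.
CFENGINE_UID, CFENGINE_GID = 1001, 1001

# Tree owned by root, group cfengine with read-only access.
POLICY_ROOT_OWNED = [
    FileInfo("/var/cfengine/masterfiles", 0, CFENGINE_GID, 0o750),
    FileInfo("/var/cfengine/masterfiles/promises.cf", 0, CFENGINE_GID, 0o640),
]

# Same tree, but handed to the service account (a common shortcut when
# "just run it as non-root" is done without separating the writer role).
POLICY_SVC_OWNED = [
    FileInfo("/var/cfengine/masterfiles", CFENGINE_UID, CFENGINE_GID, 0o750),
    FileInfo("/var/cfengine/masterfiles/promises.cf", CFENGINE_UID, CFENGINE_GID, 0o640),
]

ROOT_SVC = Service("cf-serverd", 0, frozenset({0}))
NONROOT_SVC = Service("cf-serverd", CFENGINE_UID, frozenset({CFENGINE_GID}))


def demo() -> dict:
    """Run the three deployments and collect the verdicts."""
    return {
        "as-root": assess(ROOT_SVC, POLICY_ROOT_OWNED)[0],
        "non-root-owns-policy": assess(NONROOT_SVC, POLICY_SVC_OWNED)[0],
        "non-root-readonly": assess(NONROOT_SVC, POLICY_ROOT_OWNED)[0],
    }


if __name__ == "__main__":
    for deployment, verdict in demo().items():
        print(f"{deployment}: {verdict}")
```

The useful outcome is the middle case: dropping root while letting the service account own the policy tree changes the verdict from "root" to "effective-root", which is the point made in the reply. Only the third layout, where the daemon reads policy that a separate, privileged role writes, actually reduces what a compromised daemon can do to clients. On a real host the same check is performed with `stat` output and the daemon's credentials rather than constructed records.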