On Wed, 18 May 2016, John Crispin wrote:

> On 18/05/2016 08:09, Daniel Curran-Dickinson wrote:
>> On 16-05-18 01:05 AM, John Crispin wrote:
>>> Hi,
>>>
>>> we had previously started building the infra for running stuff as !root.
>>> so far we have added
>>>
>>> * the userid/gid stuff
>>> * acl on ubus
>>>
>>> things that i know are missing
>>>
>>> * handling network ports < 1024
>>>
>>> what am i missing ? can anyone think of other issues we need to address
>>> before we change uid to !root ?
>>
>> Er, do you mean uid of procd or ubus or everything?  I'm not sure we're
>> clear on which uid you mean?
>
> ok, my mail that sounded totally obvious to me apparently was hard to
> understand.
>
> right now we run $everything as root which is obviously rather daring so
> we need to change it to what normal distros do and run stuff as their
> own users wherever it makes sense and give those users only the
> permissions required.

Ok, that makes a lot of sense. The good news here is that we don't have to start off with doing fancy stuff like passing sockets around, playing with capabilities to bind to low ports, SELinux/AppArmor, etc. We can start off by just copying the sysV init configs that have existed for other distros.

Most of the work is actually going to be in undoing OpenWRT-specific configs that run everything as root and falling more in line with what the other distros are doing.

The first question I would have is if we are going to the system users in an essentially random order (as needed, so two systems with the same packages installed in a different order have different user->uid mapping) or if we are going to define service accounts distro-wide so they are always going to be the same.

David Lang
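
The two uid schemes contrasted in the last paragraph of the message above, as an added example that is not part of the original thread or of the project's code. The package names, the uid range, the reserved-uid table and the file path are all constructed for illustration.

```python
# Added illustration: every name, uid and path here is constructed, not taken from LEDE.
DYNAMIC_RANGE = range(100, 1000)  # assumed range for service accounts
STATIC_UIDS = {"dnsmasq": 453, "ntp": 123, "uhttpd": 480}  # hypothetical distro-wide table


def allocate_in_install_order(packages, taken=()):
    """Give each service account the first free uid ("as needed" allocation)."""
    used = set(taken)
    mapping = {}
    for name in packages:
        uid = next(u for u in DYNAMIC_RANGE if u not in used)
        used.add(uid)
        mapping[name] = uid
    return mapping


def allocate_from_table(packages, table=STATIC_UIDS):
    """Look each account up in one distro-wide table; refuse unknown names."""
    missing = [p for p in packages if p not in table]
    if missing:
        raise KeyError("no reserved uid for: " + ", ".join(missing))
    return {name: table[name] for name in packages}


def uid_drift(a, b):
    """Return {account: (uid_on_a, uid_on_b)} for accounts whose uid differs."""
    return {n: (a[n], b[n]) for n in sorted(a.keys() & b.keys()) if a[n] != b[n]}


def owner_seen_on(files, mapping):
    """Resolve numeric file owners against another system's account table."""
    by_uid = {uid: name for name, uid in mapping.items()}
    return {path: by_uid.get(uid, "<no account>") for path, uid in files.items()}


if __name__ == "__main__":
    order_a = ["dnsmasq", "ntp", "uhttpd"]
    order_b = ["uhttpd", "dnsmasq", "ntp"]  # same packages, different order
    sys_a = allocate_in_install_order(order_a)
    sys_b = allocate_in_install_order(order_b)
    print("drift with install-order uids:", uid_drift(sys_a, sys_b))
    print("drift with static table:",
          uid_drift(allocate_from_table(order_a), allocate_from_table(order_b)))
    # A file written by dnsmasq on system A keeps its numeric owner when it is
    # copied to system B, where that number belongs to a different service.
    leases = {"/tmp/dhcp.leases": sys_a["dnsmasq"]}
    print("owner as seen on B:", owner_seen_on(leases, sys_b))
```

With install-order allocation, the file owned by dnsmasq on the first system resolves to uhttpd on the second, so one service can read or modify another's data after a backup or image is moved between devices.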

_______________________________________________
Lede-dev mailing list
Lede-dev@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/lede-dev
