Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Force as much as possible processes to run as non privileged users #599

Open
psytester opened this issue Apr 10, 2019 · 1 comment
Open

Force as much as possible processes to run as non privileged users #599

psytester opened this issue Apr 10, 2019 · 1 comment
Labels
💡 enhancement-ideas New feature or change request 🔥 security relevant This is a security relevant issue/ticket
Milestone
future release

Comments

@psytester
Copy link
Contributor

The todays (O)CCU concept is a genuine offer to be "hacker friendly", because all processes are running in root user context.
Any "possible" vulnerability leads to fully unreserved exploitable access.

As you stated that RaspberryMatic is something like a eQ-3 pre-Beta / Proof Of Concept / input channel for official eQ-3 releases, please introduce a state of the art user and service daemon managment with non privileged users.
Starting with lighttpd to use the build in but not activated settings, because the CCU does not have such account:

/etc/lighttpd/lighttpd.conf:
# server.username  = "lighttpd"
# server.groupname = "lighttpd"

Or use the "www-data" account.

Next is the ReGaHss itself as non root!
The Java process for HMIPServer.jar, too
and last but not least the processes /bin/eq3configd , /bin/rfd and /bin/eq3-uds-services / ....

AND adjust the file system permissions according to its needs.
Today all directories and files are owned by root, readable by root user, by group "root" and by others

Limiting the (read) access to users and goups and change the ownership of sensitive spot files.
Why do I need to be able to read the homematic.regadom as any other process or user?

# ls -l /usr/local/etc/config/homematic.regadom
-rw-r--r--    1 root     root        401376 Apr 10 18:38 /usr/local/etc/config/homematic.regadom

# ps -afe
PID   USER     TIME  COMMAND
    1 root      0:00 init
   92 root      2:21 /bin/hss_led -l 6
  125 dbus      0:00 dbus-daemon --system
  155 root      0:00 /sbin/syslogd -n -m 0
  158 root      0:00 /sbin/klogd -n
  180 root      0:00 /sbin/udhcpc -b -t 100 -T 3 -S -x hostname:ccu3-webui -i eth0 -F ccu3-webui -V eQ3-CCU3 -s /bin/dhcp.script -p /var/run/udhcpc_eth0.pid
  319 root      0:32 /usr/sbin/ifplugd -i eth0 -fI -u0 -d10
  330 root      1:00 /usr/sbin/ntpd -g 0.de.pool.ntp.org 1.de.pool.ntp.org 2.de.pool.ntp.org 3.de.pool.ntp.org
  352 root      0:00 /bin/eq3configd
  366 root      0:07 /bin/ssdpd
  372 root      0:00 /usr/sbin/sshd
  423 root      0:44 /bin/multimacd -f /etc/multimacd.conf -l 5
  449 root      0:21 /bin/rfd -f /etc/config/rfd.conf -l 5
  464 root     20:07 java -Xmx128m -Dos.arch=arm -Dlog4j.configuration=file:///etc/config/log4j.xml -Dfile.encoding=ISO-8859-1 -Dgnu.io.rxtx.SerialPorts=/dev/mmd_hmip -jar /opt/HMServer/HMIPServe
  583 root      0:00 /bin/eq3-uds-services
  589 root      1:10 /bin/ReGaHss.community -f /etc/rega.conf -l 2
  659 root      0:01 /usr/sbin/crond -f -l 9
 4930 root      0:00 /usr/sbin/lighttpd-angel -f /etc/lighttpd/lighttpd.conf -D
 4931 root      0:00 /usr/sbin/lighttpd -f /etc/lighttpd/lighttpd.conf -D
 4932 root      0:07 /usr/sbin/lighttpd -f /etc/lighttpd/lighttpd.conf -D
 4933 root      0:07 /usr/sbin/lighttpd -f /etc/lighttpd/lighttpd.conf -D
 4934 root      0:08 /usr/sbin/lighttpd -f /etc/lighttpd/lighttpd.conf -D
 4935 root      0:08 /usr/sbin/lighttpd -f /etc/lighttpd/lighttpd.conf -D
 6697 root      0:00 sshd: root@pts/0
 6699 root      0:00 -sh
 6723 root      0:00 ps -afe

# cat /etc/passwd
root:.......
daemon:.......
bin:.......
sys:.......
sync:.......
mail:.......
www-data:.......
operator:.......
nobody:.......
avahi:.......
dbus:.......
sshd:.......
@jens-maus
Copy link
Owner

This is actually already planned. So no need to convince me in any way. :)

However, please be prepared that some selected services will still need root access due to requirements to provide global executable rights. But as said, some changes are already planned in that areas. Just be prepared that this might take some time.

@jens-maus jens-maus added 💡 enhancement-ideas New feature or change request 🔥 security relevant This is a security relevant issue/ticket labels Apr 10, 2019
@jens-maus jens-maus added this to the future release milestone Apr 10, 2019
jens-maus added a commit that referenced this issue Sep 24, 2023
@jens-maus
added buildroot upstream patch to introduce a dedicated snmp user and
4fdd5f8 
group and also reworked S59snmpd to start the netsnmp daemon with
dropped priviledges (This refs #599).
jens-maus added a commit that referenced this issue Sep 24, 2023
@jens-maus
added dedicated user account for ssdpd daemon so that priviledges can be
d58190b 
dropped (this refs #599).
jens-maus added a commit that referenced this issue Sep 25, 2023
@jens-maus
integrated modifications so that hss_led can be run in non-priviledged
ef8ebf3 
mode under a dedicated hssled user context rather than root. This
required not only introduction of a user and group but also incorporates
a udev rule which will make sure the /sys/class/leds nodes have the
right permissions. Furthermore, hss_led also needs to create
/var/status/hasInternet and thus we had to modify global umask and
directory permissions for that part as well (this refs #599).
jens-maus added a commit that referenced this issue Sep 25, 2023
@jens-maus
added modifications to run eq3configd under a dedicated user and group
c3e9ee6 
(this refs #599).
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
💡 enhancement-ideas New feature or change request 🔥 security relevant This is a security relevant issue/ticket
Projects
None yet
Milestone
future release
Development

No branches or pull requests
2 participants
@jens-maus @psytester