Feature #4107

Start systemd services as non-root user

Added by osmith over 1 year ago. Updated 4 months ago.

Status:
New
Priority:
High
Assignee:
-
Target version:
-
Start date:
07/15/2019
Due date:
% Done:

0%

Spec Reference:

Description

laforge wrote in OS#3369:

Ideally, as far as possible, we should start them as non-root user
(which may require changes to our systemd service files, etc. in the
individual git repos - but that is fine!). Starting them as non-root
will also mean that any writes to unintended directories like '/' will
be discovered as they then would make the program start fail.


Related issues

Related to Cellular Network Infrastructure - Bug #3369: no automatic testing of Debian/Ubuntu packages (Resolved, 06/29/2018)

Related to Cellular Network Infrastructure - Bug #4821: Update working dir in systemd unit files (New, 10/20/2020)

History

#1 Updated by osmith over 1 year ago

  • Related to Bug #3369: no automatic testing of Debian/Ubuntu packages added

#2 Updated by laforge about 1 year ago

  • Priority changed from Normal to Low

#3 Updated by laforge 4 months ago

Programs like osmo-msc, osmo-sgsn, osmo-cbc, osmo-smlc, osmo-hlr have no real-time requirements or special needs in terms of raw network sockets or tun devices. All of those should be executed as a normal, non-privileged user from the start. This could be done via the systemd unit files, or explicitly inside the osmocom programs via a privilege dropping approach.

The only processes that need special privileges are (AFAICT):
  • osmo-gbproxy requires CAP_NET_RAW if IPPROTO_GTP sockets are required for FR/GRE/IP
  • osmo-trx, osmo-bts, osmo-pcu require CAP_SYS_NICE if SCHED_RR is to be used per command line argument (and is not done by e.g. systemd before starting it)
  • osmo-ggsn requires CAP_NET_ADMIN for setting up the gtp0/tun0 devices (unless this is done externally before starting it)
  • any program requires CAP_SYS_NICE if it uses the relatively new libosmocore/src/vty/cpu_sched_vty.c code to have user-configured scheduling
For those above, we basically have three possible strategies:
  • at least drop all privileges except those we really ever need in the specific program (CAP_NET_RAW / CAP_NET_ADMIN / CAP_SYS_NICE). We can first constrain the permitted capabilities using cap_set_flag, then use prctl(PR_SET_KEEPCAPS, 1L) to keep capabilities while changing from root to non-root, and then change the user ID / group ID. https://stackoverflow.com/a/13186076 has a nice example
  • if it is sufficient to perform those privileged operations once on start-up, we could even drop those capabilities after performing the operations like creating netdev, binding socket, changing scheduler policy. This would mean that no subsequent changes can be made later on.
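
The capability-retaining privilege drop sketched in comment #3, as an added example written for this page (it is not code from laforge's comment nor from any Osmocom repository). It uses the raw capget(2)/capset(2) syscalls instead of libcap so it builds with no extra library, covers both strategies listed above (keep a minimal set across the uid change; drop everything once the one-off setup is done), and assumes a uid/gid of 65534 and a program-to-capability mapping lifted from the list in the comment:

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <linux/capability.h>   /* CAP_* numbers, capget(2)/capset(2) structs */

/* Capabilities are bit numbers; the v3 capget/capset ABI splits them over two 32-bit words. */
static uint64_t cap_bit(int cap) { return (uint64_t)1 << cap; }

/* Assumed mapping taken from the list in the comment: which capability each daemon keeps.
 * osmo-msc, osmo-sgsn, osmo-cbc, osmo-smlc, osmo-hlr keep none; a program that uses the
 * cpu_sched_vty.c scheduling code would OR in CAP_SYS_NICE for itself. */
uint64_t keep_mask_for(const char *prog)
{
	if (!strcmp(prog, "osmo-gbproxy"))
		return cap_bit(CAP_NET_RAW);   /* IPPROTO_GTP sockets for FR/GRE/IP */
	if (!strcmp(prog, "osmo-ggsn"))
		return cap_bit(CAP_NET_ADMIN); /* gtp0/tun0 device setup */
	if (!strcmp(prog, "osmo-trx") || !strcmp(prog, "osmo-bts") || !strcmp(prog, "osmo-pcu"))
		return cap_bit(CAP_SYS_NICE);  /* SCHED_RR */
	return 0;
}

/* capset(2) on the raw syscall so the example builds without libcap; pid 0 = calling thread.
 * Returns 0 or -errno. */
static int caps_set(uint64_t permitted, uint64_t effective, uint64_t inheritable)
{
	struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
	struct __user_cap_data_struct data[2] = {{0}};
	data[0].permitted   = (uint32_t)permitted;   data[1].permitted   = (uint32_t)(permitted >> 32);
	data[0].effective   = (uint32_t)effective;   data[1].effective   = (uint32_t)(effective >> 32);
	data[0].inheritable = (uint32_t)inheritable; data[1].inheritable = (uint32_t)(inheritable >> 32);
	return syscall(SYS_capset, &hdr, data) < 0 ? -errno : 0;
}

/* capget(2): stores the calling thread's 64-bit permitted set. Returns 0 or -errno. */
int caps_get_permitted(uint64_t *permitted)
{
	struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
	struct __user_cap_data_struct data[2] = {{0}};
	if (syscall(SYS_capget, &hdr, data) < 0)
		return -errno;
	*permitted = (uint64_t)data[0].permitted | ((uint64_t)data[1].permitted << 32);
	return 0;
}

/* Strategy 1: shrink to `keep`, then move from root to uid/gid without losing it. */
int drop_to_user_keeping(uid_t uid, gid_t gid, uint64_t keep)
{
	/* CAP_SETUID/CAP_SETGID must stay effective until the id change is done: uid 0 by
	 * itself does not authorise setresuid(2)/setresgid(2), the capabilities do. */
	uint64_t transit = keep | cap_bit(CAP_SETUID) | cap_bit(CAP_SETGID);
	int rc;
	if (geteuid() != 0)
		return -EPERM;  /* not root: nothing to keep, KEEPCAPS would be pointless */
	/* 1. constrain permitted and effective to what is needed right now */
	if ((rc = caps_set(transit, transit, 0)) < 0)
		return rc;
	/* 2. keep the permitted set across the 0 -> non-zero uid transition */
	if (prctl(PR_SET_KEEPCAPS, 1L, 0L, 0L, 0L) < 0)
		return -errno;
	/* 3. supplementary groups, gid, then uid */
	if (setgroups(0, NULL) < 0 || setresgid(gid, gid, gid) < 0 || setresuid(uid, uid, uid) < 0)
		return -errno;
	/* 4. the uid change clears the effective set even with KEEPCAPS: re-raise `keep` and
	 *    at the same time drop CAP_SETUID/CAP_SETGID from the permitted set for good */
	if ((rc = caps_set(keep, keep, 0)) < 0)
		return rc;
	prctl(PR_SET_KEEPCAPS, 0L, 0L, 0L, 0L);  /* only needed during the transition */
	return 0;
}

/* Strategy 2: after the one-off privileged start-up work, give up everything.
 * A non-root process cannot put anything back into its permitted set afterwards. */
int drop_all_caps(void) { return caps_set(0, 0, 0); }

/* 1 if capget() works and the permitted set is empty, else 0. */
int permitted_is_empty(void)
{
	uint64_t p = 1;
	return caps_get_permitted(&p) == 0 && p == 0;
}

int main(int argc, char **argv)
{
	/* uid/gid 65534 ("nobody") is an assumption for this example; a daemon would use its own account */
	const char *prog = argc > 1 ? argv[1] : "osmo-ggsn";
	int rc = drop_to_user_keeping(65534, 65534, keep_mask_for(prog));
	if (rc < 0)
		fprintf(stderr, "%s: privilege drop failed: %s\n", prog, strerror(-rc));
	else
		printf("%s: now uid %u, permitted set empty: %d\n", prog, (unsigned)geteuid(), permitted_is_empty());
	return rc < 0;
}
```

Two details the sequence relies on: the effective set is wiped on the uid transition even with PR_SET_KEEPCAPS, so the second capset() is not optional, and CAP_SETUID/CAP_SETGID have to remain effective until the id change has happened. If the daemon runs in a container whose bounding set lacks the requested capability, the first capset() fails with EPERM and the daemon refuses to start, which is the fail-loudly behaviour the description asks for. The purely declarative route for the unit-file option is `User=` together with `AmbientCapabilities=` (plus a matching `CapabilityBoundingSet=`) in systemd.exec(5), which hands the process the same single capability without any code in the daemon.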

#4 Updated by laforge 4 months ago

  • Assignee deleted (osmith)
  • Priority changed from Low to High

#5 Updated by keith 3 months ago

  • Related to Bug #4821: Update working dir in systemd unit files added
