[1/1] package/bird: add an unprivileged user

Message ID 20190205105630.17008-1-adrien@gallouet.fr
State New

Commit Message

Adrien Gallouët Feb. 5, 2019, 10:56 a.m.
This commit adds a specific unprivileged user for BIRD
to avoid full root privileges while running.

Signed-off-by: Adrien Gallouët <adrien@gallouet.fr>
---
 package/bird/bird.mk | 8 ++++++++
 1 file changed, 8 insertions(+)

Comments

Thomas Petazzoni March 17, 2019, 4:49 p.m. | #1
Hello Adrien,

On Tue,  5 Feb 2019 10:56:31 +0000
Adrien Gallouët <adrien@gallouet.fr> wrote:

> This commit adds a specific unprivileged user for BIRD
> to avoid full root privileges while running.
> 
> Signed-off-by: Adrien Gallouët <adrien@gallouet.fr>

Could you give a few more details on how/where this new user gets
used? Your patch only creates it, but it doesn't tweak any init script
or configuration file that would tell the daemon to be started using
this unprivileged user.

Could you provide a bit more details?

Thanks!

Thomas
Adrien Gallouët March 17, 2019, 7:56 p.m. | #2
On Sun, Mar 17, 2019 at 5:49 PM Thomas Petazzoni
<thomas.petazzoni@bootlin.com> wrote:
>
> Hello Adrien,
>
> On Tue,  5 Feb 2019 10:56:31 +0000
> Adrien Gallouët <adrien@gallouet.fr> wrote:
>
> > This commit adds a specific unprivileged user for BIRD
> > to avoid full root privileges while running.
> >
> > Signed-off-by: Adrien Gallouët <adrien@gallouet.fr>
>
> Could you give a few more details on how/where this new user gets
> used? Your patch only creates it, but it doesn't tweak any init script
> or configuration file that would tell the daemon to be started using
> this unprivileged user.
>
> Could you provide a bit more details?
>
> Thanks!
>
> Thomas
> --
> Thomas Petazzoni, CTO, Bootlin
> Embedded Linux and Kernel engineering
> https://bootlin.com

Hi Thomas,

I use BIRD with s6 in production and I didn't take the time
to write a correct start-stop-daemon script for it yet. In all cases,
BIRD only needs root privileges at startup and it can switch
to a less privileged one when started with -u USER -g GROUP.

If you prefer to wait, I'll resubmit a patch with the start-stop-daemon
script later.

Best regards.
Thomas Petazzoni March 18, 2019, 10:05 a.m. | #3
Hello Adrien,

Thanks for the feedback.

On Sun, 17 Mar 2019 20:56:16 +0100

> I use BIRD with s6 in production and I didn't take the time
> to write a correct start-stop-daemon script for it yet. In all cases,
> BIRD only needs root privileges at startup and it can switch
> to a less privileged one when started with -u USER -g GROUP.
> 
> If you prefer to wait, I'll resubmit a patch with the start-stop-daemon
> script later.

Yes, indeed, I think it makes more sense to have the new user created
together with an init script that actually uses it.

Thanks!

Thomas

Patch

diff --git a/package/bird/bird.mk b/package/bird/bird.mk
index da2f868070..8091644108 100644
--- a/package/bird/bird.mk
+++ b/package/bird/bird.mk
@@ -17,4 +17,12 @@  else
 BIRD_CONF_OPTS += --disable-client
 endif
 
+define BIRD_USERS
+	bird -1 bird -1 * - - - BIRD unprivileged user
+endef
+
+define BIRD_PERMISSIONS
+	/etc/bird.conf r 600 bird bird - - - - -
+endef
+
 $(eval $(autotools-package))
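Review bot: the `BIRD_PERMISSIONS` line uses type `r` (a directory, applied recursively) for `/etc/bird.conf`, which is a single regular file; the matching Buildroot type for a file is `f`, i.e. `/etc/bird.conf f 600 bird bird - - - - -`, and the hunk shows nothing installing that file, so please confirm it actually ends up in the target before the permissions step runs. More importantly, `BIRD_USERS` only creates the `bird` account: nothing in this hunk passes `-u bird -g bird` to the daemon, so as committed BIRD still runs with full root privileges, and the tightened `600 bird bird` mode on the config only becomes meaningful once the daemon drops to that user (the `bird:bird` ownership does keep the file readable after the drop, which is what a reconfigure needs). As agreed in the thread, the user table and the init script that uses it belong in the same patch.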