Posted to issues@trafficserver.apache.org by "Alan M. Carroll (JIRA)" <ji...@apache.org> on 2010/05/06 19:04:50 UTC

[jira] Commented: (TS-338) Use POSIX capabilities instead of user ID switching.

    [ https://issues.apache.org/jira/browse/TS-338?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12864836#action_12864836 ] 

Alan M. Carroll commented on TS-338:
------------------------------------

Implemented and ready for testing, except for an issue with the configuration files.

There is a flag in the Rollback class to indicate that root access is needed. AFAICT this is used only for the "net.config.xml" configuration file, which is only used under the OEM flag. I am not sure what privilege is needed for this, or why, which makes it difficult to map to the appropriate capability. I am not sure the OEM feature is even supported, in which case the flag should just be removed.

Currently I have just turned off the calls to restoreRootPriv / removeRootPriv. I am not sure of the security model desired -- is it OK to just keep the capability at all times, or should it be enabled only during the actual file operation? The answer is obvious for generic super user state, but not so clear for just this file operation privilege, especially since the process remains with a real user id of 0 and only changes the effective user id.

I need to look at whether this fix could enable running without ever being root. AFAICT that's only needed for the ability to bind to service ports and possibly this file access.

> Use POSIX capabilities instead of user ID switching.
> ----------------------------------------------------
>
>                 Key: TS-338
>                 URL: https://issues.apache.org/jira/browse/TS-338
>             Project: Traffic Server
>          Issue Type: Improvement
>          Components: Security
>    Affects Versions: 2.0.0
>            Reporter: Alan M. Carroll
>            Priority: Minor
>
> Instead of switching the user id around (via seteuid() and the like), use POSIX capabilities to retain the appropriate privileges as a non-root user.
> This will have to be done as an optional feature because while modern Linux kernels are compliant, older kernels may not be and the compliance status of other operating systems (e.g. BSD) is unclear.

-- 
This message is automatically generated by JIRA.
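As an added example, not code from Traffic Server or from this ticket, here is the "enable only during the actual file operation" model the comment asks about, applied to the service-port bind it names as the remaining reason for root: the capability stays in the permitted set, but is moved into the effective set only around the privileged call, using the raw Linux capget/capset syscalls so no libcap is required. Linux only; `with_net_bind_service` and the other function names are this example's own.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <linux/capability.h>
#define CAP_WORDS _LINUX_CAPABILITY_U32S_3  /* two 32-bit words per set on current kernels */

/* Pure bit logic: set or clear `cap` in d's effective words; refuses to raise a cap that is not permitted. */
int cap_set_effective_bit(struct __user_cap_data_struct *d, int cap, int enable) {
    int w = cap / 32;
    unsigned bit = 1u << (cap % 32);
    if (cap < 0 || w >= CAP_WORDS) return -1;
    if (enable && !(d[w].permitted & bit)) return -1;   /* kernel would return EPERM here */
    if (enable) d[w].effective |= bit; else d[w].effective &= ~bit;
    return 0;
}

/* Read the calling thread's capability sets with the raw capget() syscall (no libcap). */
static int cap_read(struct __user_cap_header_struct *h, struct __user_cap_data_struct *d) {
    memset(h, 0, sizeof *h);
    memset(d, 0, sizeof *d * CAP_WORDS);
    h->version = _LINUX_CAPABILITY_VERSION_3;
    h->pid = 0;                                  /* 0 selects the calling thread */
    return syscall(SYS_capget, h, d) == 0 ? 0 : -1;
}

/* Toggle `cap` in the effective set only; permitted is untouched, so it can be re-raised without euid 0. */
int cap_toggle(int cap, int enable) {
    struct __user_cap_header_struct h;
    struct __user_cap_data_struct d[CAP_WORDS];
    if (cap_read(&h, d) != 0 || cap_set_effective_bit(d, cap, enable) != 0) return -1;
    return syscall(SYS_capset, &h, d) == 0 ? 0 : -1;
}

/* 1 if `cap` is currently in the effective set, 0 if not, -1 on error. */
int cap_effective_has(int cap) {
    struct __user_cap_header_struct h;
    struct __user_cap_data_struct d[CAP_WORDS];
    if (cap < 0 || cap / 32 >= CAP_WORDS || cap_read(&h, d) != 0) return -1;
    return (int)((d[cap / 32].effective >> (cap % 32)) & 1u);
}

/* "Enable only around the operation": raise CAP_NET_BIND_SERVICE, run op (e.g. a bind() wrapper), drop it again. */
int with_net_bind_service(int (*op)(void *), void *arg) {
    if (cap_toggle(CAP_NET_BIND_SERVICE, 1) != 0) return -1;
    int rc = op(arg), saved = errno;
    cap_toggle(CAP_NET_BIND_SERVICE, 0);          /* drop even if op failed */
    errno = saved;
    return rc;
}
```

Lowering a bit in the effective set is allowed for any process, while raising one needs it in the permitted set, which is what lets a daemon keep only CAP_NET_BIND_SERVICE permitted after dropping its uid and still bind port 80 without ever reverting to euid 0.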