Figure out if it's possible to run chrooted or unprivileged #4

Open
jfgrissom opened this issue Jun 22, 2018 · 4 comments

@jfgrissom

Saw this over at reddit and thought it was worth nailing down.

https://www.reddit.com/r/codius/comments/8t2h17/simple_script_to_install_codius/

@N3TC4T
Owner

N3TC4T commented Jun 22, 2018

Thanks man, I haven't tested it against a non-root user, but I think at least users should have the ability to run commands as root (sudo) to the services and install required packages.

Also, the current user should be replaced with root in moneyd, codius services.

https://github.com/xrp-community/codius-install/blob/master/codius-install.sh#L437

https://github.com/xrp-community/codius-install/blob/master/codius-install.sh#L481

@jfgrissom
Author

jfgrissom commented Jun 25, 2018

I'm thinking it makes sense to create a user for the service.

Also, I'm not dictating here. I'm just throwing out what I think could be useful. Anyone is free to shoot this full of holes.

I believe the same way nginx often runs as nginx or apache runs as apache. The services could run like this.

This is a bit verbose but to be very specific I'll lay it out like this:

hyperd should run as hyperd with a group called codius.
nginx should run as nginx (or www) with a group called codius.
codiusd should run as codiusd with a group called codius.
moneyd-xrp should run as moneyd with a group called codius.

All of these users should be unprivileged (no sudoer/root privs - maybe even chrooted with systemd-nspawn or something). Anything that needs to interoperate between the services could use the group access (currently I think they only communicate through listening ports so I doubt this will be needed).

@sharafian

We should definitely use whatever requires the least privileges, but it's worth noting that codiusd needs access to add network devices and I believe hyperd also needs root access for certain tasks. The safest thing is to have a machine completely dedicated to codius so that if someone breaks into the machine they wouldn't disrupt anything except the codius host.

@jfgrissom
Author

@sharafian - I think the primary issue was related to the individual services all being run as root.

I am imagining it will just take some iterating and policy configurations to lock these down.

@N3TC4T - I'm willing to help out with this effort when I've gotten my own Codius project nailed down. (I think, in a few weeks I could contribute some time to this).
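
The per-service accounts proposed in this thread, sketched as systemd drop-ins together with a check for units that would still run as root. This is an added example, not part of the discussion above and not code from codius-install. The unit names, the drop-in file name, `NoNewPrivileges`, and the assumption that `CAP_NET_ADMIN` is enough for codiusd to add network devices are illustrative and untested; hyperd may still need root for some tasks, as noted in the thread.

```shell
# Added example, not from codius-install. Account names follow the thread;
# unit names, directives and the capability choice are assumptions.
# The accounts and the codius group must already exist (e.g. created with useradd).
SERVICE_USERS="hyperd:hyperd nginx:nginx codiusd:codiusd moneyd-xrp:moneyd"
SHARED_GROUP="codius"

# Write a drop-in that overrides User=/Group= for one unit.
# $1 = systemd directory (e.g. /etc/systemd/system), $2 = service, $3 = user
write_dropin() {
  local dir="$1/$2.service.d"
  mkdir -p "$dir" || return 1
  {
    echo "[Service]"
    echo "User=$3"
    echo "Group=$SHARED_GROUP"
    echo "NoNewPrivileges=yes"
    # Assumption: adding network devices needs only CAP_NET_ADMIN, not full root.
    if [ "$2" = "codiusd" ]; then
      echo "AmbientCapabilities=CAP_NET_ADMIN"
      echo "CapabilityBoundingSet=CAP_NET_ADMIN"
    fi
  } > "$dir/10-unprivileged.conf"
}

# Write drop-ins for every service:user pair listed above.
write_all_dropins() {
  local pair
  for pair in $SERVICE_USERS; do
    write_dropin "$1" "${pair%%:*}" "${pair#*:}" || return 1
  done
}

# Print the effective User= of a unit: the last assignment wins, none means root.
# $1 = unit file, remaining args = drop-in files in the order systemd applies them
effective_user() {
  local user
  user=$(cat "$@" 2>/dev/null | sed -n 's/^[[:space:]]*User=//p' | tail -n 1)
  echo "${user:-root}"
}

# List the units under $1 that would still run as root.
audit_root_units() {
  local unit name
  for unit in "$1"/*.service; do
    [ -f "$unit" ] || continue
    name=$(basename "$unit")
    [ "$(effective_user "$unit" "$1/$name.d"/*.conf)" = "root" ] && echo "$name"
  done
  return 0
}
```

Pointing `write_all_dropins` at a scratch directory first and reading the generated files is a safe way to review the result before copying anything into `/etc/systemd/system`.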
