Implement/assign unique user for each software installation title that requires it #1877
Comments
@userdeveloper98 The work should not be too much to directly apply this to more/all affected software titles. The higher effort will be to test those software titles, e.g. their internal update functions etc. Best is to check their official installation instructions and see whether a dedicated user is recommended anyway, or whether there is some clear reason for using root.
A bit off-topic, but as we already have this users topic:
Totally agree.
Yes, that was the idea. Locally I made it as
Sure, but with gogs I didn't manage to get rid of this even after extensive playing with gogs configurations :(
I would agree to leave everything being installed as Using non-root users is a good practice: if an account is compromised or misused, the effect will be isolated. One of the major concerns I have related to an application running as the root user is that if the application can be exploited via some security vulnerability, it can potentially get control of the user it is running under.
Strong passwords will not secure you from buffer overflows in applications and remote code execution, because those bypass authentication and may give direct access to the user the application is running under. Also taking into consideration that we are installing software that is sometimes maintained by a single person, it may be that they don't care or don't have time to fix security issues, or security flaws will be misused for a long time before public announcements. There are a lot of other reasons, hope that's enough. BTW.
+DietPi-Software | Gogs: Now runs under its own user. For new installations only: https://github.com/Fourdee/DietPi/issues/1877
Agree 👍 Commit for gogs to change to its own user, also cleaned up the service: Fourdee@e915354
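The point made above (a service with no dedicated user inherits root) can be checked on any systemd host by reading the unit files. This is an added example, not DietPi's own code: it treats a unit whose [Service] section has no User= line as running as root, which is systemd's default, and the unit contents and the /opt/gogs path are constructed for illustration.

```sh
#!/bin/sh
# Added example (not DietPi's own code): find systemd services that would run
# as root. systemd runs a unit as root when [Service] has no User= directive,
# so "absent" and "User=root" are both reported.

# unit_run_user FILE -> prints the effective user of the unit ("root" when unset)
unit_run_user() {
    # Only look inside the [Service] section; the last User= wins, as in systemd.
    user=$(sed -n '/^\[Service\]/,/^\[/{s/^User=[[:space:]]*//p;}' "$1" | tail -n 1)
    printf '%s\n' "${user:-root}"
}

# audit_units DIR -> prints one line per .service that runs as root;
# returns 0 when every unit has a dedicated user, 1 otherwise.
audit_units() {
    rc=0
    for f in "$1"/*.service; do
        [ -f "$f" ] || continue
        if [ "$(unit_run_user "$f")" = "root" ]; then
            printf '%s runs as root\n' "$(basename "$f")"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample units (paths are placeholders), mirroring the before/after
# state of the Gogs service discussed in the thread.
tmp=$(mktemp -d)
cat > "$tmp/gogs-before.service" <<'EOF'
[Unit]
Description=Gogs (no User= line, so systemd starts it as root)
[Service]
ExecStart=/opt/gogs/gogs web
EOF
cat > "$tmp/gogs-after.service" <<'EOF'
[Unit]
Description=Gogs (dedicated system user and group, needed for file writes)
[Service]
User=gogs
Group=gogs
WorkingDirectory=/opt/gogs
ExecStart=/opt/gogs/gogs web
EOF

audit_units "$tmp" || echo "review the units listed above"
rm -rf "$tmp"
```

Pointing audit_units at /etc/systemd/system lists the installed services that still need a dedicated user, which is the checklist this issue works through.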
Some good points, although personally, I believe we shouldn't have to live in a world where we don't grant any trust in the program.
+ Requires home dir: https://github.com/Fourdee/DietPi/issues/1877#issuecomment-400680146
@Fourdee @userdeveloper98
**v6.10** (03/07/18)

**Changes / Improvements / Optimizations:**

General | ASUS TB: GLES GPU and VPU support now enabled, once Xserver is installed.
General | 'firmware-iwlwifi': Is now a pre-req to WiFi enable. Adds support for Intel based WiFi chips by default: https://github.com/Fourdee/DietPi/issues/1855
General | "net-tools" commands (ifconfig, netstat, route, ...) were replaced by modern "ip" commands (ip a, ip r, ...) within DietPi scripts and the package therefore removed from DietPi core packages: https://github.com/Fourdee/DietPi/issues/1666
General | Removed unused "/DietPi/config.txt" from non-RPi devices: https://github.com/Fourdee/DietPi/pull/1863
General | CurlFTPFS: Removed from DietPi scripts and is no longer supported. Due to lack of security, and, single digit install count (survey).
General | Timesync: DietPi will now only check for a successful sync once per system boot, and, again hourly/daily if set. This is to prevent excess delay of systemd-timesyncd service, once the time has already been synced.
General | Sparky SBC: Designs patch added for DSD on MPD-5 dac, new Ids added Mytek Manhattan, LH labs 1V5 2V0, HD-AVP/AVA IDA-8: https://github.com/sparky-sbc/sparky-test/tree/master/dsd-marantz
DietPi-Backup | Rewritten. Userdata option removed, included by default backup. Added options to edit include/exclude filters in the GUI. Existing backups (v6.9 or less) are no longer supported: https://github.com/Fourdee/DietPi/issues/1851
DietPi-Config | Soundcards (RPi): Allo Katana, now available for selection. https://github.com/Fourdee/DietPi/issues/1849
DietPi-Config | IntelGPU Driver: Installation code added: https://github.com/Fourdee/DietPi/issues/1855#issue-333150262
DietPi-Config | Networking: You can now view the sent and received totals for both network devices. NB: 32bit devices will reset the values after 32bit int limit is reached (roughly 4.3GB~), this is a kernel/arch limitation: https://github.com/Fourdee/DietPi/issues/1666#issuecomment-401546728
DietPi-Drive_Manager | Rewrite and improvements:
- Now supports ROM devices (eg: DVD). NB: compatibility for DVD/CD devices relies on kernel support. Not all devices will support DVD/CD devices, and/or their filesystem format: https://github.com/Fourdee/DietPi/issues/1858
- Resize ext4 options added: https://github.com/Fourdee/DietPi/issues/1821
- Support for detecting and formatting non-partitioned drives
- You can now benchmark read/write for all available mounted drives: https://github.com/Fourdee/DietPi/issues/1858
- Now supports mounting, viewing, removal of network drives on system (nfs4, cifs). This replaces the previous options in 'dietpi-config': https://github.com/Fourdee/DietPi/issues/1858
- Moving of DietPi user data to filesystems that do not support permissions (FAT), is no longer supported and disabled: https://github.com/Fourdee/DietPi/issues/1846
DietPi-Globals | G_BACKUP: Added to globals. This will be gradually rolled out in DietPi scripts, allowing the user to create a system backup, prior to significant system changes: https://github.com/Fourdee/DietPi/issues/1871#issuecomment-400443401
DietPi-Globals | G_CHECK_USERDATA: Added to DietPi scripts: https://github.com/Fourdee/DietPi/issues/1850#issuecomment-401407996
DietPi-Services | Rsync: Added to service control. This will prevent errors if rsync is running in daemon mode, when 'dietpi-backup' is run: https://github.com/Fourdee/DietPi/issues/1869#issuecomment-399890771
DietPi-Software | Ubooquity: Now available for installation: https://dietpi.com/phpbb/viewtopic.php?f=8&t=5&p=12969#p12969 (https://github.com/Fourdee/DietPi/issues/1845#issuecomment-397447909)
DietPi-Software | Roon Extension Manager: Now available for installation. Many thanks to @JanKoudijs for contributing this great addition!: https://github.com/Fourdee/DietPi/pull/1865
DietPi-Software | Mosquitto: Now uses Debian APT installation: https://github.com/Fourdee/DietPi/issues/1868#issuecomment-399982278
DietPi-Software | Gogs: Now runs under its own user. For new installations only: https://github.com/Fourdee/DietPi/issues/1877
DietPi-Software | Xserver: 'mesa-utils-extra' now also installed by default, useful for GLES testing 'es2_info es2gears' etc.
DietPi-Software | Moode: Removed from our software lineup: https://github.com/Fourdee/DietPi/issues/1223#issuecomment-401549371
DietPi-Software | Radarr, Sonarr and Jackett: Services optimized and no longer run in debugging mode. Should improve runtime performance. Many thanks to @userdeveloper98 for this contribution! https://github.com/Fourdee/DietPi/pull/1889
DietPi-Survey | Simplified available options. You can now either Opt In, or, Opt Out and automatically have any existing data cleared. Interactive installations will be prompted to Opt In or Out during 1st run. Automated installations are Opted In by default, you can change this once setup is completed. More information on DietPi-Survey and how to change the options: https://dietpi.com/phpbb/viewtopic.php?f=8&t=20 https://github.com/Fourdee/DietPi/issues/1827#issuecomment-396005575
PREP | 'os-prober' installed by default for x86_64 devices. Ensures dual boot OSs are detected by grub. Also added a 3 second timeout to grub boot prompt, allowing OS selection: https://github.com/Fourdee/DietPi/issues/1855

**Bug Fixes:**

ASUS TB | Resolved square (broken) X11 fonts.
Raspberry Pi | Removed "initial_turbo" setting from DietPi-Config and config.txt, as it prevents CPU governor from throttling down: https://github.com/Fourdee/DietPi/issues/1836
DietPi-Drive_Manager | Resolved incorrect detection of available drives: https://github.com/Fourdee/DietPi/issues/1858
DietPi-Software | GMrender: Resolved an issue where two systems on the same network would nullify the other. Hostname is now used for the server name, UUID used is applied via DietPi generated UUID during 1st run: https://dietpi.com/phpbb/viewtopic.php?f=11&t=3900&p=12985#p12985
DietPi-Software | Apache2: Fixed a syntax error that leads to Apache logging to "/error.log" instead of "/var/log/apache2/error.log"
DietPi-Software | Nukkit: Fixed the broken download link on installation. Many thanks to @symbios24 for reporting the bug and providing the solution: https://github.com/Fourdee/DietPi/issues/1875
DietPi-Software | Linux software: Resolved an issue with NULL entry being displayed: https://github.com/Fourdee/DietPi/pull/1830#issuecomment-401612168
DietPi-Config | Fixed an issue, where IPv6 could not be disabled on RPi. On the current kernel version it is no dedicated kernel module any more and needs to be toggled via "/boot/cmdline.txt".

**AlloGUI v9:**
- Changing the root password, no longer breaks web interface: https://github.com/Fourdee/DietPi/issues/1841
- Resolved issues with terminal leakage in the web interface: https://github.com/Fourdee/DietPi/issues/1841
- System settings: Current version is always shown, even if an update is available.
- System settings: Allo Katana, now available for selection. https://github.com/Fourdee/DietPi/issues/1849
Software titles that currently use
+ Apply dietpi users for testing: https://github.com/Fourdee/DietPi/issues/1877#issuecomment-403298679
@Fourdee Alternative:
Yep, let's try it 👍
MPD/YMPD: Fourdee@89164b0
+ Mopidy as its own user: https://github.com/Fourdee/DietPi/issues/1877#issuecomment-403298679
qBitTorrent requires a local user account with login creds, as it uses:
Group required in service for file saves:
Sonarr/Radarr: require home user dir?
https://github.com/Sonarr/Sonarr/wiki/Command-Line-Options 🈯️ Fixed by setting
We can use the same trick as I did for gogs and Jackett https://github.com/Fourdee/DietPi/pull/1895 in the Service file write: You will need to replace
Sonarr/Radarr/Sickrage patch enable: Mmm, where is the config saved, pre-
🈯️ We need to purge mono from
+DietPi-Software | Mono: Temp mono files are now cleared from memory once installed, preventing out of memory errors for additional software installs afterwards: https://github.com/Fourdee/DietPi/issues/1877#issuecomment-403856446 + Sickrage userdata move patch: https://github.com/Fourdee/DietPi/issues/1877#issuecomment-403856337
Hmm:
3=straight after 🈯️
🈴 Works, but roughly twice the performance hit during script exec
+DietPi-Update | Resolved an issue where incorrect version would be displayed, once update was completed. This is due to '| tee' on a function, making var changes local: https://github.com/Fourdee/DietPi/issues/1877#issuecomment-403866204 + Sonarr/sickrage/radarr patches: https://github.com/Fourdee/DietPi/issues/1877#issuecomment-403856337
rtorrent requires access to:
Great work keeping the DietPi ship running while I was away 👍 🥇 Really appreciate it. My new glasses are on, -10.25 and -9.75 lol. I'll try and get this wrapped today. Once done, all items need install testing again just in case.
+ Roon server requires root: https://github.com/Fourdee/DietPi/issues/1877
+DietPi-Software | Various titles: Now run under their own system user account, with limited permissions (previously root): https://github.com/Fourdee/DietPi/issues/1877#issuecomment-403298679 + Fix for G_THREAD_WAIT no file exists, when in disk buffer.
Ok done. 🈯️ Reinstalls of all items + patch testing passed. I'm not going to touch Docker; I do not have enough experience with it, or even use it.
@Fourdee
**v6.12** (19/07/18)

**Changes / Improvements / Optimizations:**

DietPi-Drive_Manager | Samba/CIFS mounting: Now automatically uses the highest available CIFS version supported on client and server: https://github.com/Fourdee/DietPi/issues/1893#issuecomment-403034799
DietPi-Software | Jackett: Now runs as its own user, and, from the /opt/jackett directory, for new installations only. Many thanks to @userdeveloper98 for contributing this improvement: https://github.com/Fourdee/DietPi/pull/1895
DietPi-Software | MiniDLNA: Now uses a SystemD service, also updates its library during service start.
DietPi-Software | JRiver: Removed and no longer available for installation: https://github.com/Fourdee/DietPi/issues/1080#issuecomment-403489246
DietPi-Software | Various titles: Now run under their own system user account, with limited permissions (previously root): https://github.com/Fourdee/DietPi/issues/1877#issuecomment-403298679
DietPi-Software | SABnzbd: Language packs are now installed by default: https://github.com/Fourdee/DietPi/issues/1917#issue-340631943
DietPi-RAMlog | Increased the max size of /var/log to 50MB by default (previously 20MB). This should prevent 0 free space errors for excessive log file usage. Pi-Hole max logfile size is now 50MB/3 (16MB~) for high usage with daily stats support: pi-hole/pi-hole#2270 (comment) | https://github.com/Fourdee/DietPi/issues/1923
DietPi-RAMlog | Service is now disabled when RAMlog mode is not selected: https://github.com/Fourdee/DietPi/issues/1924

**Bug Fixes:**

General | Resolved an issue where cron jobs, containing DietPi scripts, failed: https://github.com/Fourdee/DietPi/issues/1923
General | Resolved an issue on ARM64 + Jessie with APT, due to debian-security removing support and packages for those devices. If you experience this issue, and are unable to update DietPi, please see: https://github.com/Fourdee/DietPi/issues/1915
General | Resolved an issue where NFSv3 network drives could not be mounted: https://github.com/Fourdee/DietPi/issues/1898
DietPi-Config | ASUS TB: Resolved loss of WiFi device after a reboot: https://github.com/Fourdee/DietPi/issues/1760
DietPi-Drive_Manager | Resolved an issue where the program could remove a non-empty directory in rare situations.
DietPi-Software | Resolved a potential Mono instability issue with Radarr, Sonarr and Jackett, due to using '--optimize=all --server'. This has now been removed for new installations. Many thanks to @hellfirehd for debugging/testing and @Taloth for dev insights: https://github.com/Fourdee/DietPi/issues/1896
DietPi-Software | Mono: Temp mono files are now cleared from memory once installed, preventing out of memory errors for additional software installs afterwards: https://github.com/Fourdee/DietPi/issues/1877#issuecomment-403856446
DietPi-Software | Xserver: Resolved rarely occurring uninstall issues by not purging dependencies, but leaving them for autoremove: https://github.com/Fourdee/DietPi/issues/1921
DietPi-Software | MineOS: Resolved failed installation due to incompatibilities with nodejs v10. v8 is now installed: https://github.com/Fourdee/DietPi/issues/1880
DietPi-Update | Resolved an issue where incorrect version would be displayed, once update was completed. This is due to '| tee' on a function, making var changes local: https://github.com/Fourdee/DietPi/issues/1877#issuecomment-403866204
Creating a bug report/issue:
Hi there!
I have noticed that most of the apps installed by dietpi scripts are running as the root user, which is not recommended for sure.
I am happy to support migration of all applications to run under non-root user.
I did it already for almost all my software pack but it will be nice if we have this out of the box because most of the users may not be aware of this.
I will start with Gogs as it was the easiest to migrate application.
Expected behaviour:
Gogs should run under a non-root user, e.g. a gogs user.
Actual behaviour:
Security issue.
Gogs runs under the root user.
Exploiting a Gogs vulnerability allows full root access to the server.
Extra details:
This is the simplest app to migrate. I would like to be added as a reviewer to the PR (this will facilitate learning the source code :) ).
After this I believe I will be able to create my own PRs and support migration of other apps.
Including but not limited to:
Thanks !