delay root requirement #204
Comments
|
Yes, I was kind of waiting for a reason to implement this and have been thinking about it for quite some time. A lot of time will need to be spent analyzing the attack surface as it becomes much harder ensure a safe operating environment when you are running as root and the client's previously generated files aren't necessarily protected.... or you are running as a normal user and you don't have permission to edit anything (though this is much easier to detect :)) |
|
working on that. well, kind of blocked on that. I tried to call require_root in configurator and reverter classes, but then the tests fail as they are run without root (because when invoked from tests they don't need root). this brings up the issue that we basically do not know which permissions / which euid the code in these classes need. i somehow got the feeling that checking permissions (and doing a failure exit) before trying might be the wrong / rather inflexible approach and just trying (and failing) might be better / more flexible. @jdkasten and me discussed a bit on irc about that, trying to extract the essentials: TW you could run apache non-root on highport and port-forward 443 to it JDK fairly delicate situation and it will be extremely easy to make a privilege escalation vuln. TW what would happen if we do not check? could it proceed to point x, stumble and rollback? JDK The input can be extremely sensitive and I would like to reduce the attack surface as much as possible. I wrote up a little bit about it here... |
|
FYI code in |
currently, the code checks rather early for running as uid 0 and terminates letsencrypt if it is not running as root.
this code should be put in a function "require_root" (or so) and calls to that should be put at all places where it is clear that it can't continue without root.
see also #200 - that does not require root (in fact, it doesn't require much at all, except being able to modify DNS somehow).
The text was updated successfully, but these errors were encountered: