Security Enforcement of Daemon (uid/gid+chroot)

[fpietrosanti]

In order to properly enforce security of the tor2web proxy, it must run with a dedicated uid/gid and automatically chroot into it's own directory.

Implementing this kind of feature require taking care of:

• fixing installation procedures
• handling location and permission of configuration files, digital certificates and of log files

Twisted support by default chroot by command line, it must be evaluated whenever it's better to chroot by twistd command line or from within the application.

Twisted support the following cmdline switch http://linux.die.net/man/1/twistd :

• --chroot
  Chroot to a supplied directory before running (default: don't chroot). Chrooting is done before changing the current directory.
• -u, --uid
  The uid to run as. (default: don't change)
• -g, --gid
  The gid to run as. (default: don't change)

Some good info on that are available on http://www.tsheffler.com/blog/?p=526

--- Want to back this issue? **[Post a bounty on it!](https://www.bountysource.com/issues/14807251-security-enforcement-of-daemon-uid-gid-chroot?utm_campaign=plugin&utm_content=tracker%2F318575&utm_medium=issues&utm_source=github)** We accept bounties via [Bountysource](https://www.bountysource.com/?utm_campaign=plugin&utm_content=tracker%2F318575&utm_medium=issues&utm_source=github).

[fpietrosanti]

Partially implemented (root privileges dropping)