On Wed, May 18, 2016 at 9:25 AM, John Crispin <j...@phrozen.org> wrote:
>
> to elaborate, imagine dnsmasq running inside a jail where it only
> thinks it is root but is not in reality. also ld-preloading bind and
> connect would allow us to do pretty advanced stuff like only allowing
> dnsmasq to open certain ports. essentially an acl around the
> bind/connect calls.
>
Doing this with an in-house developed daemon would introduce another SPOF in the same way as running everything with the same non-root user. Imagine a security issue in such a daemon: it would affect *all* daemons running through it.

This would also duplicate existing functionality (the code for dropping privileges to a preconfigured user already exists in most daemons; it is compiled in, as there is no --without-privileges-code ./configure option).

Implementing different users with this approach can be done in a few easy steps with minor to no added overhead:

step 1. add users to /etc/passwd (in the pre/post-install script probably; trying to use the same uid/gid as major distributions would be nice)
step 2. add a config option for user/group in the relevant /etc/config/ file
step 3. modify the startup script to use the user/group options when generating the daemon config file
step 4. ???
step 5. PROFIT!

I understand there are trust issues about this functionality (don't trust that the daemon really dropped all privileges); in such a case I would use SELinux. SELinux can be enabled as "permissive" until a proper policy is created for everything.

There are other things to consider also, because this is supposed to run on embedded devices with as little as 4M flash space:

- SELinux would increase kernel size, thus making it hard to fit inside the flash, or even bigger than the fixed kernel partition for some devices.
- jails, containers and other options discussed require more memory/CPU/flash space than is probably available on said devices.

Radu

_______________________________________________
Lede-dev mailing list
Lede-dev@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/lede-dev
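Steps 1 to 3 of the procedure in the message above, as an added shell example (not LEDE/OpenWrt project code and not part of the thread). It works against a constructed root directory in $ROOT with sample passwd, group and a UCI-style /etc/config/dhcp so it runs without touching a real system; the uid/gid 453, the awk stand-in for `uci get`, and the fail-closed check in step 3 are all assumptions of the example. On a device the package post-install script would do step 1 against the real /etc, and the procd init script would call `uci` instead of the awk parser.

```shell
#!/bin/sh
# Added example, not LEDE/OpenWrt code. Everything is done under $ROOT, a
# constructed scratch root, so the real /etc is never modified.
ROOT="${ROOT:-$(mktemp -d)}"
mkdir -p "$ROOT/etc/config" "$ROOT/var/etc"

# Constructed sample files standing in for /etc/passwd, /etc/group and
# /etc/config/dhcp on a device (the user/group options are step 2).
cat > "$ROOT/etc/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/ash
nobody:*:65534:65534:nobody:/var:/bin/false
EOF
cat > "$ROOT/etc/group" <<'EOF'
root:x:0:
nogroup:x:65534:
EOF
cat > "$ROOT/etc/config/dhcp" <<'EOF'
config dnsmasq
	option domainneeded '1'
	option user 'dnsmasq'
	option group 'dnsmasq'
EOF

# Step 1: create the service account if it is missing (what a package
# post-install script would do). Idempotent, so reinstalling is safe.
# uid/gid 453 is an arbitrary assumption of this example.
add_service_account() { # name uid gid
    grep -q "^$1:" "$ROOT/etc/group" \
        || printf '%s:x:%s:\n' "$1" "$3" >> "$ROOT/etc/group"
    grep -q "^$1:" "$ROOT/etc/passwd" \
        || printf '%s:x:%s:%s:%s:/var/run/%s:/bin/false\n' \
               "$1" "$2" "$3" "$1" "$1" >> "$ROOT/etc/passwd"
}

# Step 2: read an option from the first section of the given type.
# Stand-in for `uci -q get dhcp.@dnsmasq[0].<option>`, written in awk so
# it runs on any host; quotes around the value are stripped.
uci_get() { # section-type option
    awk -v sec="$1" -v opt="$2" '
        $1 == "config" { insec = ($2 == sec); next }
        insec && $1 == "option" && $2 == opt { print $3; exit }
    ' "$ROOT/etc/config/dhcp" | tr -d "'\""
}

# Step 3: emit the user=/group= lines for the generated dnsmasq.conf.
# If the configured account does not exist, refuse to generate the config
# (dnsmasq started without user= would simply stay root), i.e. fail closed.
gen_privdrop_lines() {
    u=$(uci_get dnsmasq user); g=$(uci_get dnsmasq group)
    [ -n "$u" ] && grep -q "^$u:" "$ROOT/etc/passwd" \
        || { echo "dnsmasq: configured user '$u' does not exist" >&2; return 1; }
    [ -n "$g" ] && grep -q "^$g:" "$ROOT/etc/group" \
        || { echo "dnsmasq: configured group '$g' does not exist" >&2; return 1; }
    printf 'user=%s\ngroup=%s\n' "$u" "$g"
}

add_service_account dnsmasq 453 453
gen_privdrop_lines > "$ROOT/var/etc/dnsmasq.conf"
cat "$ROOT/var/etc/dnsmasq.conf"
```

The generated lines are the documented dnsmasq.conf `user=` and `group=` keys, so the privilege drop is done by dnsmasq's own existing code, which is the point of the message: no extra wrapper daemon, only a config option and an account. The fail-closed check in step 3 is the one place where this example goes beyond the message: a typo in the option name or a missing account aborts startup instead of silently leaving the daemon as root.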