Bug#832758: irkerd.service runs irkerd as root (should run as user "irker")

2016-09-12 Thread anarcat
Control: tags -1 +pending
Control: forwarded https://gitlab.com/esr/irker/merge_requests/15

The following patch should fix that problem:

commit 1980b7cb4239463b581579cc39480774d3e2d2fe
Author: Antoine Beaupré 
Date:   Mon Sep 12 12:01:44 2016 -0400

run daemon as the irker user (Close: #832758)

this is an improvement upon the default .service file. it requires an
irker user to be created, something which is automatically handled by
the debian package, but should be handled by other distributions when
deploying the .service file.

there are obvious dangers in running irkerd as root: a compromise
would be catastrophic, and since it runs on public servers that are
traditionally pretty hostile (IRC), it seems critical that rights of
the daemon be limited.

diff --git a/irkerd.service b/irkerd.service
index d19378b..82f39b0 100644
--- a/irkerd.service
+++ b/irkerd.service
@@ -7,6 +7,7 @@ Requires=network.target
 
 [Service]
 ExecStart=/usr/bin/irkerd
+User=irker
 
 [Install]
 WantedBy=multi-user.target
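
Review bot: the `User=irker` line added under `[Service]` makes the unit depend on an account that the unit file itself never mentions. The commit message says distributions other than Debian have to create that user when deploying the .service file, but someone who installs only `irkerd.service` will not see the commit message. Suggest a comment line directly above `User=irker` stating that the `irker` account must exist before the unit is enabled. The hunk also sets no `Group=`; if the daemon is meant to run under a particular group, state it next to `User=`.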

I have forwarded it upstream as well.

A.




Bug#832758: irkerd.service runs irkerd as root (should run as user "irker")

2016-07-28 Thread Daniel Kahn Gillmor
Package: irker
Version: 2.18+dfsg-1
Severity: normal
Tags: patch

Dear Maintainer,

When systemd tries to launch irkerd, it runs it as root.

This is a Bad Idea.

Please add a User=irker line to the [Service] section of
irkerd.service.

Regards,

--dkg

-- System Information:
Debian Release: stretch/sid
  APT prefers testing-debug
  APT policy: (500, 'testing-debug'), (500, 'testing'), (200, 'unstable-debug'), (200, 'unstable'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.6.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
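
An audit check for the problem reported in this thread, as an added example that is not part of the original messages or of the irker project: it reads a unit file and reports which user a system service would run as. The function names and the two sample units are constructed here, and as a simplification drop-in overrides under `<unit>.d/` are not merged.

```shell
#!/bin/sh
# Added example: detect system services that run as root because the
# [Service] section has no User= line (the defect in Bug#832758).
# Assumption: only the given file is read; drop-ins are not merged.

# Print the user the service would run as ("root" when User= is absent).
unit_run_user() {
    awk '
        /^[ \t]*[#;]/ { next }                      # skip comment lines
        /^[ \t]*\[/ {                               # section header
            in_service = ($0 ~ /^[ \t]*\[Service\][ \t]*$/)
            next
        }
        in_service && /^[ \t]*User[ \t]*=/ {
            val = $0
            sub(/^[ \t]*User[ \t]*=[ \t]*/, "", val)
            sub(/[ \t]+$/, "", val)
            user = val                              # last assignment wins; empty resets
        }
        END { print (user == "" ? "root" : user) }
    ' "$1"
}

# Succeed only when the unit runs as something other than root.
unit_drops_root() {
    u=$(unit_run_user "$1")
    [ "$u" != "root" ] && [ "$u" != "0" ]
}

# Constructed sample units: irkerd.service before and after the patch above.
demo_dir=$(mktemp -d)
printf '%s\n' '[Unit]' 'Requires=network.target' '' '[Service]' \
    'ExecStart=/usr/bin/irkerd' '' '[Install]' \
    'WantedBy=multi-user.target' > "$demo_dir/before.service"
printf '%s\n' '[Unit]' 'Requires=network.target' '' '[Service]' \
    'ExecStart=/usr/bin/irkerd' 'User=irker' '' '[Install]' \
    'WantedBy=multi-user.target' > "$demo_dir/after.service"

for f in "$demo_dir/before.service" "$demo_dir/after.service"; do
    if unit_drops_root "$f"; then
        echo "OK:   $(basename "$f") runs as $(unit_run_user "$f")"
    else
        echo "FAIL: $(basename "$f") runs as root"
    fi
done
rm -rf "$demo_dir"
```

On a real host, `systemctl show -p User irkerd.service` reports the merged value including drop-ins, and `getent passwd irker` confirms the account exists.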