Bug#779708: Client for updating dynamic hostname mappings for dy.fi

2015-04-09 Thread Eugene Zhukov
On Thu, Mar 26, 2015 at 7:48 PM, Timo Juhani Lindfors
timo.lindf...@iki.fi wrote:
 Eugene Zhukov jevgeni...@gmail.com writes:
 Would anyone be interested in sponsoring its client package:
 https://bugs.debian.org/780096

 Some comments:

 1) does dy.fi really require you to send the password in an unencrypted
 HTTP request?

Just wanted to let you know, this is now fixed, I re-implemented
request over https.


-- 
To UNSUBSCRIBE, email to debian-wnpp-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: 
https://lists.debian.org/capqgmfjddp61nw-+fandynozaevl+qtcgvztt-hqjrohbcj...@mail.gmail.com



Bug#779708: Client for updating dynamic hostname mappings for dy.fi

2015-03-29 Thread Timo Juhani Lindfors
Eugene Zhukov jevgeni...@gmail.com writes:
 I refactored the daemon so that it runs as dyfi user now with
 systemd-as-init. With SysV as init it still runs as root. It looks
 like too much hassle/effort to me since I'm not familiar with init
 scripting.
 If you think it's a must, I can implement privileges-drop for SysV,
 otherwise could you please upload it to NEW?

At least currently I lack the time to sponsor uploads, sorry.





Bug#779708: Client for updating dynamic hostname mappings for dy.fi

2015-03-29 Thread Eugene Zhukov
On Sun, Mar 29, 2015 at 8:34 PM, Timo Juhani Lindfors
timo.lindf...@iki.fi wrote:
 Eugene Zhukov jevgeni...@gmail.com writes:
 I refactored the daemon so that it runs as dyfi user now with
 systemd-as-init. With SysV as init it still runs as root. It looks
 like too much hassle/effort to me since I'm not familiar with init
 scripting.
 If you think it's a must, I can implement privileges-drop for SysV,
 otherwise could you please upload it to NEW?

 At least currently I lack the time to sponsor uploads, sorry.
No problem, thanks for valuable input anyway.

Eugene





Bug#779708: Client for updating dynamic hostname mappings for dy.fi

2015-03-29 Thread Eugene Zhukov
On Thu, Mar 26, 2015 at 11:20 PM, Timo Juhani Lindfors
timo.lindf...@iki.fi wrote:
 Eugene Zhukov jevgeni...@gmail.com writes:
 2) Does the service really need to run as root?

 No, and this is even mentioned in upstream readme. It needs to create
 a pid file though. Any hint/pointer on how to change the packaging to
 not run it as root?

 You probably need to create a new user in the packaging. Then modify the
 daemon to implement --user username option that drops the privileges
 after writing the pid file and reading the configuration file. Quick
 google finds

 http://search.cpan.org/~tlbdk/Privileges-Drop-1.03/lib/Privileges/Drop.pm

 which seems to be in debian as libprivileges-drop-perl.

I refactored the daemon so that it runs as dyfi user now with
systemd-as-init. With SysV as init it still runs as root. It looks
like too much hassle/effort to me since I'm not familiar with init
scripting.
If you think it's a must, I can implement privileges-drop for SysV,
otherwise could you please upload it to NEW?

Thank you very much for the hints,
Eugene





Bug#779708: Client for updating dynamic hostname mappings for dy.fi

2015-03-26 Thread Timo Juhani Lindfors
Eugene Zhukov jevgeni...@gmail.com writes:
 2) Does the service really need to run as root?

 No, and this is even mentioned in upstream readme. It needs to create
 a pid file though. Any hint/pointer on how to change the packaging to
 not run it as root?

You probably need to create a new user in the packaging. Then modify the
daemon to implement --user username option that drops the privileges
after writing the pid file and reading the configuration file. Quick
google finds

http://search.cpan.org/~tlbdk/Privileges-Drop-1.03/lib/Privileges/Drop.pm

which seems to be in debian as libprivileges-drop-perl.

 db_get dyfi/password
 sed -i "s/^Password.*/Password $RET/" /etc/dyfi-update.conf

 in debian/postinst let all local users see the password if they type
 ps axuf at the right moment?
 Probably, but do I need to care about that? The targeted audience of
 the service is home or small office I assume.

That of course depends on the situation indeed.





Bug#779708: Client for updating dynamic hostname mappings for dy.fi

2015-03-26 Thread Eugene Zhukov
First off, thank you very much for the review!

On Thu, Mar 26, 2015 at 7:48 PM, Timo Juhani Lindfors
timo.lindf...@iki.fi wrote:
 Eugene Zhukov jevgeni...@gmail.com writes:
 Would anyone be interested in sponsoring its client package:
 https://bugs.debian.org/780096

 Some comments:

 1) does dy.fi really require you to send the password in an unencrypted
 HTTP request?

Yes, that's upstream implementation (a very old one though).

 2) Does the service really need to run as root?

No, and this is even mentioned in upstream readme. It needs to create
a pid file though. Any hint/pointer on how to change the packaging to
not run it as root?

 3) Doesn't

 db_get dyfi/password
 sed -i "s/^Password.*/Password $RET/" /etc/dyfi-update.conf

 in debian/postinst let all local users see the password if they type
 ps axuf at the right moment?
Probably, but do I need to care about that? The targeted audience of
the service is home or small office I assume.
Thanks for looking at this from the security perspective!

Eugene





Bug#779708: Client for updating dynamic hostname mappings for dy.fi

2015-03-26 Thread Timo Juhani Lindfors
Eugene Zhukov jevgeni...@gmail.com writes:
 Would anyone be interested in sponsoring its client package:
 https://bugs.debian.org/780096

Some comments:

1) does dy.fi really require you to send the password in an unencrypted
HTTP request?

2) Does the service really need to run as root?

3) Doesn't

db_get dyfi/password
sed -i "s/^Password.*/Password $RET/" /etc/dyfi-update.conf

in debian/postinst let all local users see the password if they type
ps axuf at the right moment?


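
Review point 3 in the thread above, as an added example that is not part of the original messages or of the package: the sed call puts the expanded `$RET` into sed's argument vector, which any local user can read while it runs. The sketch below rewrites the same `Password` line using only shell builtins for the secret; `set_conf_password` is a hypothetical helper and the `Password <value>` line format is assumed from the sed expression.

```shell
#!/bin/sh
# Added example, not code from the dyfi-update package.
# set_conf_password is a hypothetical helper; it assumes the
# "Password <value>" line format implied by the sed call in the thread.

set_conf_password() {
    conf=$1
    secret=$2
    # mktemp creates the file with mode 0600; only the path is in its argv.
    tmp=$(mktemp "$(dirname -- "$conf")/.dyfi-conf.XXXXXX") || return 1
    found=0
    # read and printf are builtins in dash and bash, so the secret is never
    # passed to exec() and never shows up in ps output or /proc/*/cmdline.
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            Password*) printf 'Password %s\n' "$secret"; found=1 ;;
            *)         printf '%s\n' "$line" ;;
        esac
    done < "$conf" > "$tmp" || { rm -f -- "$tmp"; return 1; }
    [ "$found" -eq 1 ] || printf 'Password %s\n' "$secret" >> "$tmp"
    # Atomic replace; the new file stays 0600 and owned by the caller, so
    # chown it to the service account if the daemon does not run as root.
    mv -f -- "$tmp" "$conf"
}

# postinst usage (after sourcing /usr/share/debconf/confmodule):
#   db_get dyfi/password
#   set_conf_password /etc/dyfi-update.conf "$RET"

# Constructed demo: a password that would also break the sed expression.
demo_dir=$(mktemp -d)
printf 'Username alice\nPassword old\n' > "$demo_dir/dyfi-update.conf"
set_conf_password "$demo_dir/dyfi-update.conf" 'p/a&s\s w0rd'
cat "$demo_dir/dyfi-update.conf"
rm -rf -- "$demo_dir"
```

Because the value is written with `printf '%s'`, characters such as `/`, `&` and `\` in the password are stored literally instead of being interpreted as sed syntax.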