[Rack] Baron Security

Danny O'Brien danny at spesh.com
Tue Jan 22 19:19:55 UTC 2013


Aha!

Jof, could you fix your thing? It is borken -- the script doesn't have
enough permissions to write to its own log (fixed) and ttySwhatever (which
still needs to be fixed)

d.


On Tue, Jan 22, 2013 at 1:57 AM, Jonathan Lassoff <jof at thejof.com> wrote:

> I was looking at baron on minotaur tonight and thought that some of the
> permissions were a bit too open for the codes and log file.
>
> Maybe we should rotate or truncate the log after a while? Seems like we're
> collecting info on users' comings and goings, and there's no real reason to
> keep that forever.
>
>
> I think we should use the existing "barons" group for allowing access to
> modify the daemons state.
>
> So, I did:
>
> sudo chmod 0660 /usr/local/share/baron/codes.txt (owned by root / barons)
> sudo chmod 0640 /usr/local/share/baron/baron.log (owned by root / root)
>
> The daemon is already running as root (lulz)
>
> `--> ps aux ...
> USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
> root         1  0.0  0.1  24596  2556 ?        Ss   Jan09   0:08 /sbin/init
> [...snip...]
> root      1637  0.0  0.5  56724 10656 ?        Ss   Jan09   0:27
> /usr/bin/python /usr/local/share/baron/noisebridge-baron/baron.py
> --codefile /usr/local/share/baron/codes.txt --port /dev/ttyS5 --logfile
> /usr/local/share/baron/baron.log
>
> I added a baron user:
>
> sudo useradd -G barons --shell /bin/sh --home-dir /nonexistant
> --no-create-home --no-user-group baron
>
> and then added a "setuid baron" and "setgid barons" line to
> /etc/init/baron.conf
>
>
>
> I pushed this change and a readme to github as well:
>
>
> https://github.com/noisebridge/noisebridge-baron/commit/29f4dc6003bdc876dd7b50c8c6ee2df75e1478a1
>
>
> Now, I just need to figure out how to handle getting the daemon to reopen
> logfiles in response to a signal, so logrotate can truncate cleanly.
>
> --j
>
> _______________________________________________
> Rack mailing list
> Rack at lists.noisebridge.net
> https://www.noisebridge.net/mailman/listinfo/rack
>
>
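The two fixes Jof's message asks for (run the daemon as an unprivileged user with tight file modes, and reopen the log on a signal so logrotate can rotate it cleanly) are sketched below in Python, since baron.py is a Python daemon. This is an added example, not code from the noisebridge-baron repository: it assumes a `baron` user and `barons` group as created in the message, assumes the serial port and log are opened before the privilege drop, and assumes `SIGHUP` as the reopen signal (the upstart `setuid`/`setgid` approach in the message is equivalent to `drop_privileges` here, minus the in-process ordering). The demo functions use throwaway temp files so it runs as a normal user.

```python
"""Hardening sketch for a baron.py-style daemon (hypothetical, not the project's
code): drop root after opening privileged resources, check file modes, and
reopen the log on SIGHUP so logrotate can rename it cleanly."""
import grp
import logging
import os
import pwd
import shutil
import signal
import stat
import tempfile


class ReopenableFileHandler(logging.FileHandler):
    """logging.FileHandler that can close and reopen its file by name.

    logrotate renames the active file; until the daemon reopens by name it
    keeps writing to the renamed file through the old descriptor."""

    def reopen(self):
        self.acquire()
        try:
            if self.stream is not None:
                self.stream.close()
            self.stream = self._open()  # reopens self.baseFilename (append mode)
        finally:
            self.release()


def install_sighup_reopen(handler):
    """Route SIGHUP to handler.reopen(); a logrotate postrotate script can
    then send HUP to the daemon's pid instead of copytruncate."""
    def on_hup(signum, frame):
        handler.reopen()
    signal.signal(signal.SIGHUP, on_hup)


def drop_privileges(user="baron", group="barons"):
    """Switch from root to an unprivileged user/group (assumed names).
    Call after the serial port and log file are open; those fds stay valid.
    Returns True if privileges were dropped, False if not running as root."""
    if os.geteuid() != 0:
        return False
    uid = pwd.getpwnam(user).pw_uid
    gid = grp.getgrnam(group).gr_gid
    os.setgroups([])   # supplementary groups first
    os.setgid(gid)     # then primary group (barons: can read codes.txt 0660)
    os.setuid(uid)     # then uid; not reversible once we are non-root
    os.umask(0o027)    # files we create get no world access
    return True


def excess_mode_bits(path, allowed):
    """Permission bits set on `path` beyond `allowed`; 0 means the mode is
    acceptable. 0o660 matches the codes file, 0o640 the log file."""
    return stat.S_IMODE(os.stat(path).st_mode) & ~allowed


def mode_demo():
    """Constructed check: a world-rw temp file, then tightened to 0660."""
    fd, path = tempfile.mkstemp(prefix="codes-demo-")
    os.close(fd)
    os.chmod(path, 0o666)
    before = excess_mode_bits(path, 0o660)   # world rw bits leak: 0o006
    os.chmod(path, 0o660)
    after = excess_mode_bits(path, 0o660)    # 0
    os.remove(path)
    return before, after


def rotation_demo():
    """Constructed rename-then-reopen sequence in a temp directory.
    Returns (contents of rotated file, contents of fresh file)."""
    workdir = tempfile.mkdtemp(prefix="baron-demo-")
    logpath = os.path.join(workdir, "baron.log")
    handler = ReopenableFileHandler(logpath)
    handler.setFormatter(logging.Formatter("%(message)s"))
    log = logging.getLogger("baron-demo")
    log.propagate = False
    log.setLevel(logging.INFO)
    log.addHandler(handler)
    try:
        log.info("door opened: code #1")   # written to baron.log
        os.rename(logpath, logpath + ".1")  # what logrotate does
        log.info("door opened: code #2")   # still lands in baron.log.1
        handler.reopen()                    # what the SIGHUP handler does
        log.info("door opened: code #3")   # now in a fresh baron.log
    finally:
        log.removeHandler(handler)
        handler.close()
    with open(logpath + ".1") as f:
        rotated = f.read()
    with open(logpath) as f:
        fresh = f.read()
    shutil.rmtree(workdir)
    return rotated, fresh


if __name__ == "__main__":
    print("mode check (before, after):", mode_demo())
    print("rotation (rotated, fresh):", rotation_demo())
```

In the real daemon the order matters: open `/dev/ttyS5` and the log as root, install the SIGHUP handler, then call `drop_privileges()` before the main loop, so the process never holds root while parsing input from the serial line. With upstart's `setuid`/`setgid` the process starts unprivileged instead, so the port and log must be readable by `baron`/`barons` (a udev rule or group ownership on the tty).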