[Rack] Baron Security

Jonathan Lassoff jof at thejof.com
Tue Jan 22 20:41:22 UTC 2013


Yup -- that's the right fix, methinks.

Thanks for helping look at that!

I'll sync this wisdom into git and github.


I was cleaning this all up with the groups and everything so that I can
auto-generate Asterisk IAX2 user accounts for soft phones. If you have a
door code, you would then get a way to call into Noisebridge phones, as we
don't currently have a DID.

Cheers,
jof

On Tue, Jan 22, 2013 at 12:23 PM, Michael C. Toren <mct at toren.net> wrote:

> On Tue, Jan 22, 2013 at 12:01:01PM -0800, Michael C. Toren wrote:
> > (We could write a silly little C program to run as root that would call
> > setgid(), setgroups(), and setuid() before exec()ing baron, but I suspect
> > there's some standard-ish utility that does this already which we could
> > utilize.)
>
> I changed /etc/init/baron.conf to:
>
>         # Use su(1) to set our desired UID/GID rather than upstart's setuid/setgid
>         # stanzas, because upstart only sets the primary groups, ignoring all of the
>         # supplementary groups.  We need the baron process to be a member of both the
>         # barons group to read the codes.txt file and the dialout group to read from the
>         # TTY.
>         setuid root
>         exec su -c 'exec /usr/local/share/baron/noisebridge-baron/baron.py --codefile /usr/local/share/baron/codes.txt --port /dev/ttyS5 --logfile /usr/local/share/baron/baron.log' baron
>
> This works. But because su does a fork() before exec(), there are two
> processes in the process group:
>
>         baron    11460  0.3  0.0  70824  2016 ?        Ss   12:16   0:00 su -c exec /usr/local/share/baron/noisebridge-baron/baron.py --codefile /usr/local/share/baron/codes.txt --port /dev/ttyS5 --logfile /usr/local/share/baron/baron.log baron
>         baron    11467  6.3  0.4  46040  9600 ?        S    12:16   0:00  \_ /usr/bin/python /usr/local/share/baron/noisebridge-baron/baron.py --codefile /usr/local/share/baron/codes.txt --port /dev/ttyS5 --logfile /usr/local/share/baron/baron.log
>
> There doesn't seem to be any negative impact of this, though, and upstart
> is still able to stop/restart the service just fine.
>
> -mct
>
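The "silly little C program" mct mentions above, written out as an added example that is not part of this thread or of the baron project: it calls initgroups() (which performs the setgroups() step that upstart's setuid/setgid stanzas skip) before setgid() and setuid(), verifies that root cannot be regained, and then exec()s in place, so unlike the su -c wrapper there is no extra parent process. The user name and command are assumptions passed on the command line.

```c
/* Added example (not from the thread): drop root to an unprivileged user,
 * keeping that user's supplementary groups (e.g. barons, dialout) so the
 * child can read group-owned files and the TTY.  User and command are
 * placeholders supplied as argv[1] and argv[2..]. */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Returns 1 if gid appears in list[0..n), else 0 (handy for checking
 * getgroups() output after a drop). */
int gid_in_list(const gid_t *list, int n, gid_t gid) {
    for (int i = 0; i < n; i++)
        if (list[i] == gid) return 1;
    return 0;
}

/* Switch to `user`: supplementary groups first (needs root), then gid,
 * then uid, so nothing privileged is attempted after privilege is gone.
 * Returns 0 on success, -1 on any failure with errno set. */
int drop_to_user(const char *user) {
    struct passwd *pw = getpwnam(user);
    if (pw == NULL) { errno = ENOENT; return -1; }
    if (initgroups(user, pw->pw_gid) != 0) return -1; /* sets supplementary groups */
    if (setgid(pw->pw_gid) != 0) return -1;
    if (setuid(pw->pw_uid) != 0) return -1;
    /* The drop must be irreversible: regaining root has to fail. */
    if (pw->pw_uid != 0 && setuid(0) == 0) { errno = EPERM; return -1; }
    return 0;
}

int main(int argc, char **argv) {
    if (argc < 3) {
        fprintf(stderr, "usage: %s USER PROGRAM [ARGS...]\n", argv[0]);
        return 2;
    }
    if (drop_to_user(argv[1]) != 0) {
        fprintf(stderr, "drop_to_user(%s): %s\n", argv[1], strerror(errno));
        return 1;
    }
    /* exec() in place: no fork(), so ps shows a single baron process. */
    execvp(argv[2], argv + 2);
    perror("execvp");
    return 1;
}
```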