[Rack] Baron Security
Jonathan Lassoff
jof at thejof.com
Tue Jan 22 20:41:22 UTC 2013
Yup -- that's the right fix, methinks.
Thanks for helping look at that!
I'll sync this wisdom into git and github.
I was cleaning this all up with the groups and everything so that I can
auto-generate Asterisk IAX2 user accounts for soft phones. If you have a
door code, you would then get a way to call into Noisebridge phones, as we
don't currently have a DID.
Cheers,
jof
On Tue, Jan 22, 2013 at 12:23 PM, Michael C. Toren <mct at toren.net> wrote:
> On Tue, Jan 22, 2013 at 12:01:01PM -0800, Michael C. Toren wrote:
> > (We could write a silly little C program to run as root that would call
> > setgid(), setgroups(), and setuid() before exec()ing baron, but I suspect
> > there's some standard-ish utility that does this already which we could
> > utilize.)
>
> I changed /etc/init/baron.conf to:
>
> # Use su(1) to set our desired UID/GID rather than upstart's setuid/setgid
> # stanzas, because upstart only sets the primary groups, ignoring all of the
> # supplementary groups. We need the baron process to be a member of both the
> # barons group to read the codes.txt file, the dialout group to read from the
> # TTY.
> setuid root
> exec su -c 'exec /usr/local/share/baron/noisebridge-baron/baron.py --codefile /usr/local/share/baron/codes.txt --port /dev/ttyS5 --logfile /usr/local/share/baron/baron.log' baron
>
> This works. But because su does a fork() before exec(), there are two
> processes in the process group:
>
> baron 11460 0.3 0.0 70824 2016 ? Ss 12:16 0:00 su -c exec /usr/local/share/baron/noisebridge-baron/baron.py --codefile /usr/local/share/baron/codes.txt --port /dev/ttyS5 --logfile /usr/local/share/baron/baron.log baron
> baron 11467 6.3 0.4 46040 9600 ? S 12:16 0:00 \_ /usr/bin/python /usr/local/share/baron/noisebridge-baron/baron.py --codefile /usr/local/share/baron/codes.txt --port /dev/ttyS5 --logfile /usr/local/share/baron/baron.log
>
> There doesn't seem to be any negative impact of this, though, and upstart
> is still able to stop/restart the service just fine.
>
> -mct
>
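The "silly little C program" mct mentions, written out as an added example (not code from the thread or from the baron project): run as root, it calls initgroups() for the supplementary groups, then setgid(), then setuid(), checks that the drop cannot be undone, verifies dialout membership, and exec()s baron.py directly, so there is no intermediate su process. It assumes a `baron` user and a `dialout` group exist as in the thread; the paths and options are the ones from mct's init job.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <unistd.h>

/* Return 1 if gid g appears among the first n entries of list, else 0. */
int gid_in_list(const gid_t *list, int n, gid_t g) {
    for (int i = 0; i < n; i++)
        if (list[i] == g) return 1;
    return 0;
}

/* Drop from root to `user`, keeping that user's supplementary groups.
 * Returns 0 on success, -1 on failure with errno set.  Order matters:
 * initgroups() and setgid() need root, so they run before setuid(). */
int drop_to_user(const char *user) {
    struct passwd *pw = getpwnam(user);
    if (!pw) { errno = ENOENT; return -1; }
    if (initgroups(pw->pw_name, pw->pw_gid) != 0) return -1;
    if (setgid(pw->pw_gid) != 0) return -1;
    if (setuid(pw->pw_uid) != 0) return -1;
    /* The drop must be permanent: regaining root has to fail. */
    if (pw->pw_uid != 0 && setuid(0) == 0) { errno = EPERM; return -1; }
    return 0;
}

int main(void) {
    gid_t groups[64];
    if (drop_to_user("baron") != 0) { perror("drop_to_user"); return 1; }
    /* Verify the supplementary group upstart's setgid stanza would lose. */
    int n = getgroups(64, groups);
    struct group *gr = getgrnam("dialout");
    if (n < 0 || !gr || !gid_in_list(groups, n, gr->gr_gid)) {
        fprintf(stderr, "baron is not in dialout; refusing to start\n");
        return 1;
    }
    /* Same command line as the init job; relies on baron.py's #! line. */
    execl("/usr/local/share/baron/noisebridge-baron/baron.py", "baron.py",
          "--codefile", "/usr/local/share/baron/codes.txt",
          "--port", "/dev/ttyS5",
          "--logfile", "/usr/local/share/baron/baron.log", (char *)NULL);
    perror("execl"); /* only reached if exec failed */
    return 1;
}
```

Because the program exec()s baron.py in place, upstart sees a single process instead of the su parent and python child shown above.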