[Rack] Baron Security
Jonathan Lassoff
jof at thejof.com
Tue Jan 22 09:57:55 UTC 2013
I was looking at baron on minotaur tonight and thought that some of the
permissions were a bit too open for the codes and log file.
Maybe we should rotate or truncate the log after a while? Seems like we're
collecting info on users' comings and goings, and there's no real reason to
keep that forever.
I think we should use the existing "barons" group for allowing access to
modify the daemons state.
So, I did:
sudo chmod 0660 /usr/local/share/baron/codes.txt (owned by root / barons)
sudo chmod 0640 /usr/local/share/baron/baron.log (owned by root / root)
The daemon is already running as root (lulz)
`--> ps aux ...
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.0 0.1 24596 2556 ? Ss Jan09 0:08 /sbin/init
[...snip...]
root 1637 0.0 0.5 56724 10656 ? Ss Jan09 0:27
/usr/bin/python /usr/local/share/baron/noisebridge-baron/baron.py
--codefile /usr/local/share/baron/codes.txt --port /dev/ttyS5 --logfile
/usr/local/share/baron/baron.log
I added a baron user:
sudo useradd -G barons --shell /bin/sh --home-dir /nonexistant
--no-create-home --no-user-group baron
and then added a "setuid baron" and "setgid barons" line to
/etc/init/baron.conf
I pushed this change and a readme to github as well:
https://github.com/noisebridge/noisebridge-baron/commit/29f4dc6003bdc876dd7b50c8c6ee2df75e1478a1
Now, I just need to figure out how to handle getting the daemon to reopen
logfiles in response to a signal, so logrotate can truncate cleanly.
--j
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.noisebridge.net/pipermail/rack/attachments/20130122/f37dd98d/attachment-0002.html>
More information about the Rack
mailing list