Bug 1216373

Summary: VUL-0: shadowsocks-rust: systemd services run unnecessarily as root with full privileges
Product: [openSUSE] openSUSE Tumbleweed Reporter: Matthias Gerstner <matthias.gerstner>
Component: Security Assignee: Hillwood Yang <hillwoodroc>
Status: RESOLVED FIXED QA Contact: E-mail List <qa-bugs>
Severity: Normal    
Priority: P3 - Medium CC: security-team
Version: Current   
Target Milestone: ---   
Hardware: Other   
OS: Other   
Whiteboard:
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---
Bug Depends on:    
Bug Blocks: 1212862    

Description Matthias Gerstner 2023-10-18 11:39:04 UTC
+++ This bug was initially created as a clone of Bug #1212862

While reviewing shadowsocks-rust I noticed that our packaging provides systemd
services that let the various daemons run with full root privileges.

The daemons don't actually need root privileges. At most they need the
capability CAP_NET_BIND_SERVICE to listen on ports lower than 1024. The upstream
repository contains example systemd services beneath the debian/ directory
that seem to be smarter than what we have:

shadowsocks-rust.service: this lets the service run as nobody:nogroup

shadowsocks-rust-server@.service: this allows running multiple configurations
of the service. The privilege drop logic is unclear though, the service still
runs as root, but with a capability bounding set of CAP_NET_BIND_SERVICE. This
is a bit of a strange setup though, a root user that has lost most of its
capabilities. I am unsure whether this is sufficient isolation.

For addressing this also bug 1216372 about the world readable configuration
directory and configuration files should be kept in mind. Introducing a
dedicated user and group for shadowsocks that has read access to these files
might be the cleanest approach.
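
The three privilege models discussed in the description above (no `User=` at all, root with only a capability bounding set, and a dedicated user), as an added example that is not part of the bug report or of the openSUSE or upstream packaging: a small checker that classifies a unit's `[Service]` section. The function names, the `example-daemon` path and the unit texts are constructed for illustration; note that a bounded-capability root process is still UID 0 and keeps owner access to root-owned files.

```python
# Added example: classify the privilege model of a systemd service unit.
# The unit texts below are constructed samples, not the packaged units.
ROOT_NAMES = {"", "root", "0"}

def service_settings(unit_text):
    """Collect [Service] keys; repeated keys accumulate, an empty value resets."""
    settings, section = {}, None
    for raw in unit_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "Service" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if value:
                settings.setdefault(key, []).extend(value.split())
            else:
                settings[key] = []
    return settings

def classify(unit_text):
    """Return 'dedicated-user', 'root-bounded-caps' or 'root-full'."""
    s = service_settings(unit_text)
    user = (s.get("User") or [""])[-1]          # scalar setting: last one wins
    if user not in ROOT_NAMES:
        return "dedicated-user"
    # Still UID 0: keeps owner access to root-owned files even with few capabilities.
    if "CapabilityBoundingSet" in s:
        return "root-bounded-caps"
    return "root-full"

NO_USER = """[Service]
ExecStart=/usr/bin/example-daemon -c /etc/example/config.json
"""
BOUNDED_ROOT = NO_USER + "CapabilityBoundingSet=CAP_NET_BIND_SERVICE\n"
DEDICATED = NO_USER + """User=shadowsocks
Group=shadowsocks
AmbientCapabilities=CAP_NET_BIND_SERVICE
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
NoNewPrivileges=yes
"""

if __name__ == "__main__":
    for name, text in [("no User=", NO_USER), ("bounded root", BOUNDED_ROOT),
                       ("dedicated user", DEDICATED)]:
        print(f"{name}: {classify(text)}")
```
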
Comment 1 OBSbugzilla Bot 2023-10-24 07:35:02 UTC
This is an autogenerated message for OBS integration:
This bug (1216373) was mentioned in
https://build.opensuse.org/request/show/1119866 Factory / shadowsocks-rust
Comment 2 OBSbugzilla Bot 2023-10-26 08:35:03 UTC
This is an autogenerated message for OBS integration:
This bug (1216373) was mentioned in
https://build.opensuse.org/request/show/1120484 Factory / shadowsocks-rust
Comment 3 Matthias Gerstner 2023-11-15 10:33:21 UTC
The daemons now all run as dedicated shadowsocks user and group so this should
be addressed.
Comment 4 OBSbugzilla Bot 2023-12-15 13:35:03 UTC
This is an autogenerated message for OBS integration:
This bug (1216373) was mentioned in
https://build.opensuse.org/request/show/1133426 Backports:SLE-15-SP4 / shadowsocks-libev
https://build.opensuse.org/request/show/1133428 Backports:SLE-15-SP5 / shadowsocks-libev
Comment 5 Marcus Meissner 2023-12-18 05:04:55 UTC
openSUSE-RU-2023:0408-1: An update that has two recommended fixes can now be installed.

Category: recommended (moderate)
Bug References: 1216372,1216373
CVE References: 
JIRA References: 
Sources used:
openSUSE Backports SLE-15-SP4 (src):    shadowsocks-libev-3.3.5-bp154.3.3.1
Comment 6 Marcus Meissner 2023-12-21 20:04:54 UTC
openSUSE-RU-2023:0412-1: An update that has two recommended fixes can now be installed.

Category: recommended (moderate)
Bug References: 1216372,1216373
CVE References: 
JIRA References: 
Sources used:
openSUSE Backports SLE-15-SP5 (src):    shadowsocks-libev-3.3.5-bp155.4.3.1
Comment 7 Matthias Gerstner 2024-01-16 12:55:59 UTC
The service units now use proper privilege drops to the shadowsocks user and
group.