Bugzilla – Full Text Bug Listing
| Summary: | traefik2: systemd service should likely run as non-root | | |
|---|---|---|---|
| Product: | [Novell Products] SUSE Security Incidents | Reporter: | Matthias Gerstner <matthias.gerstner> |
| Component: | Audits | Assignee: | Alexandre Vicenzi <alexandre.vicenzi> |
| Status: | NEW --- | QA Contact: | Security Team bot <security-team> |
| Severity: | Normal | | |
| Priority: | P5 - None | CC: | alexandre.vicenzi |
| Version: | unspecified | | |
| Target Milestone: | --- | | |
| Hardware: | Other | | |
| OS: | Other | | |
| Whiteboard: | | | |
| Found By: | --- | Services Priority: | |
| Business Priority: | | Blocker: | --- |
| Marketing QA Status: | --- | IT Deployment: | --- |
Description (Matthias Gerstner):

The SUSE security team monitors systemd service additions to openSUSE Tumbleweed, and we noticed the following addition last week:

> RPM: traefik2-2.11.5-1.1.x86_64.rpm on x86_64
> Package: traefik2
> Service path: /usr/lib/systemd/system/traefik.service
> Runs as: root:root
> Extra capabilities: AmbientCapabilities=CAP_NET_BIND_SERVICE
> Exec lines:
> ExecStart=/usr/bin/traefik --configFile=/etc/traefik/traefik.toml

It is confusing that this service runs as root but also requests CAP_NET_BIND_SERVICE, which makes no sense when it already runs as root. Looking at the upstream contrib/ systemd service file, it seems that the daemon is supposed to run as non-root, which would be much preferred.

Please try to adjust the systemd service unit to let this daemon run as a dedicated user. Thanks!

Comment #1 (Alexandre Vicenzi):

This behavior is present in the traefik and traefik2 packages. Do you want to create a new issue, or fix both packages in this one?

Comment #2 (Matthias Gerstner):

If both packages are affected equally by this, then please address both.

I am currently treating this as a hardening effort, so I wouldn't need an extra bug for the second package, unless you would like to have one.

Comment #3 (Alexandre Vicenzi):

(In reply to Matthias Gerstner from comment #2)
> If both packages are affected equally by this, then please address both.
>
> I am currently treating this as a hardening effort, so I wouldn't need an
> extra bug for the second package, except you would like to have one.

Not needed, I can address both at the same time; there's little difference between the systemd unit files.
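The root-plus-AmbientCapabilities pattern flagged in the report, as an added example that is not part of this bug or the traefik2 package: a small POSIX shell audit that reads a unit file from stdin and reports whether the service drops to a dedicated user, beside a constructed hardened unit in which the capability actually does its job. The user and group name `traefik` and the extra hardening directives are assumptions for illustration, not the package's unit.

```shell
#!/bin/sh
# Added example (not from the traefik2 package): audit a unit for the
# root-plus-AmbientCapabilities pattern the report describes. Both unit
# texts below are constructed for illustration.
set -eu

# As reported: no User= (so root), yet CAP_NET_BIND_SERVICE is requested.
REPORTED_UNIT='[Service]
AmbientCapabilities=CAP_NET_BIND_SERVICE
ExecStart=/usr/bin/traefik --configFile=/etc/traefik/traefik.toml'

# Hardened: a dedicated user (name "traefik" is an assumption), so the
# ambient capability is now what lets the daemon bind ports below 1024.
HARDENED_UNIT='[Service]
User=traefik
Group=traefik
AmbientCapabilities=CAP_NET_BIND_SERVICE
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
NoNewPrivileges=true
ProtectSystem=strict
ExecStart=/usr/bin/traefik --configFile=/etc/traefik/traefik.toml'

# unit_value KEY: read a unit on stdin, print the last KEY= in [Service].
unit_value() {
    sed -n '/^\[Service\]/,/^\[/p' | sed -n "s/^$1=//p" | tail -n 1
}

# audit_unit: read a unit on stdin and print one verdict:
#   ok                      runs as a dedicated, non-root user
#   root-with-ambient-caps  runs as root yet asks for ambient capabilities
#   root                    runs as root and requests nothing
audit_unit() {
    unit=$(cat)
    user=$(printf '%s\n' "$unit" | unit_value User)
    caps=$(printf '%s\n' "$unit" | unit_value AmbientCapabilities)
    if [ -n "$user" ] && [ "$user" != root ]; then
        echo ok
    elif [ -n "$caps" ]; then
        echo root-with-ambient-caps
    else
        echo root
    fi
}

printf '%s\n' "$REPORTED_UNIT" | audit_unit   # root-with-ambient-caps
printf '%s\n' "$HARDENED_UNIT" | audit_unit   # ok
```

Pipe any installed unit into `audit_unit` (for example `cat /usr/lib/systemd/system/traefik.service | audit_unit`) to check a real package the same way.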