Bugzilla – Bug 1216373
VUL-0: shadowsocks-rust: systemd services run unnecessarily as root with full privileges
Last modified: 2024-01-16 12:55:59 UTC
+++ This bug was initially created as a clone of Bug #1212862

While reviewing shadowsocks-rust I noticed that our packaging provides systemd services that let the various daemons run with full root privileges. The daemons don't actually need root privileges. At most they need the capability CAP_NET_BIND_SERVICE to listen on ports lower than 1024.

The upstream repository contains example systemd services beneath the debian/ directory that seem to be smarter than what we have:

shadowsocks-rust.service: this lets the service run as nobody:nogroup

shadowsocks-rust-server@.service: this allows running multiple configurations of the service. The privilege drop logic is unclear though: the service still runs as root, but with a capability bounding set of CAP_NET_BIND_SERVICE. This is a bit of a strange setup though, a root user that has lost most of its capabilities. I am unsure whether this is sufficient isolation.

For addressing this, bug 1216372 about the world-readable configuration directory and configuration files should also be kept in mind. Introducing a dedicated user and group for shadowsocks that has read access to these files might be the cleanest approach.
This is an autogenerated message for OBS integration: This bug (1216373) was mentioned in https://build.opensuse.org/request/show/1119866 Factory / shadowsocks-rust
This is an autogenerated message for OBS integration: This bug (1216373) was mentioned in https://build.opensuse.org/request/show/1120484 Factory / shadowsocks-rust
The daemons now all run as a dedicated shadowsocks user and group, so this should be addressed.
This is an autogenerated message for OBS integration: This bug (1216373) was mentioned in
https://build.opensuse.org/request/show/1133426 Backports:SLE-15-SP4 / shadowsocks-libev
https://build.opensuse.org/request/show/1133428 Backports:SLE-15-SP5 / shadowsocks-libev
openSUSE-RU-2023:0408-1: An update that has two recommended fixes can now be installed.
Category: recommended (moderate)
Bug References: 1216372,1216373
CVE References:
JIRA References:
Sources used:
openSUSE Backports SLE-15-SP4 (src): shadowsocks-libev-3.3.5-bp154.3.3.1
openSUSE-RU-2023:0412-1: An update that has two recommended fixes can now be installed.
Category: recommended (moderate)
Bug References: 1216372,1216373
CVE References:
JIRA References:
Sources used:
openSUSE Backports SLE-15-SP5 (src): shadowsocks-libev-3.3.5-bp155.4.3.1
The service units now use proper privilege drops to the shadowsocks user and group.
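An added example, not part of this bug report or of the openSUSE or upstream packaging: a small audit that classifies the privilege setups discussed above (root with full privileges, root with only a capability bounding set, nobody:nogroup, and a dedicated user). The unit contents, the ExecStart path and the finding names are constructed assumptions.

```python
import configparser

# Constructed [Service] sections modelling the variants discussed in this
# report. The ExecStart path is an assumption, not the packaged unit files.
EXEC = "ExecStart=/usr/bin/ssserver -c /etc/shadowsocks/%i.json"
UNITS = {
    "root_full": ["[Service]", EXEC],
    "root_bounded": ["[Service]",
                     "CapabilityBoundingSet=CAP_NET_BIND_SERVICE", EXEC],
    "nobody": ["[Service]", "User=nobody", "Group=nogroup", EXEC],
    "dedicated": ["[Service]", "User=shadowsocks", "Group=shadowsocks",
                  "AmbientCapabilities=CAP_NET_BIND_SERVICE",
                  "CapabilityBoundingSet=CAP_NET_BIND_SERVICE",
                  "NoNewPrivileges=true", EXEC],
}

def audit(lines):
    """Return finding names (hypothetical labels) for one unit's lines."""
    # interpolation=None keeps systemd specifiers such as %i literal;
    # strict=False tolerates keys that systemd allows to repeat.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # systemd directive names are case-sensitive
    cp.read_string("\n".join(lines))
    svc = cp["Service"] if cp.has_section("Service") else {}
    user = svc.get("User", "root")  # system services default to root
    is_root = user in ("root", "0")
    findings = []
    if is_root and "CapabilityBoundingSet" in svc:
        # Still UID 0: root-owned files stay accessible to the daemon.
        findings.append("root-with-bounded-capabilities")
    elif is_root:
        findings.append("root-full-privileges")
    elif user == "nobody":
        # The account is shared with anything else running as nobody.
        findings.append("shared-nobody-account")
    if not is_root and "AmbientCapabilities" not in svc:
        # Informational: only matters when listening below port 1024.
        findings.append("no-low-port-capability")
    return findings

if __name__ == "__main__":
    for name, lines in UNITS.items():
        print(f"{name}: {audit(lines) or 'ok'}")
```

The audit only reads the unit file; the configuration file permissions tracked in bug 1216372 need a separate check on the installed system.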