Bugzilla – Bug 1227226
traefik2: systemd service should likely run as non-root
Last modified: 2024-07-12 13:52:21 UTC
The SUSE security team monitors systemd service additions to openSUSE Tumbleweed, and we noticed the following addition last week:

> RPM: traefik2-2.11.5-1.1.x86_64.rpm on x86_64
> Package: traefik2
> Service path: /usr/lib/systemd/system/traefik.service
> Runs as: root:root
> Extra capabilities: AmbientCapabilities=CAP_NET_BIND_SERVICE
> Exec lines:
> ExecStart=/usr/bin/traefik --configFile=/etc/traefik/traefik.toml

It is confusing that this service runs as root but also requests CAP_NET_BIND_SERVICE, which makes no sense when it already runs as root. Looking at the upstream contrib/ systemd service file, it seems that the daemon is supposed to run as non-root, which would be much preferred. Please try to adjust the systemd service unit to let this daemon run as a dedicated user. Thanks!
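For reference, the shape of a unit that matches what the report asks for. This is an added example, not the packaged traefik.service and not upstream's contrib/ unit; the account name `traefik`, the sysusers.d line and the state directory are assumptions. The comments mark where it differs from the reported unit (root:root plus an AmbientCapabilities= that, as root, grants nothing the process does not already have).

```ini
# /usr/lib/systemd/system/traefik.service (illustrative; not the shipped unit)
#
# The dedicated account is assumed to be created at install time via
# sysusers.d, e.g. in /usr/lib/sysusers.d/traefik.conf (assumed name/path):
#   u traefik - "Traefik reverse proxy" /var/lib/traefik

[Unit]
Description=Traefik reverse proxy
After=network-online.target
Wants=network-online.target

[Service]
# Reported unit: no User=/Group= at all, so the daemon ran as root:root.
# Corrected: drop to an unprivileged, dedicated account.
User=traefik
Group=traefik

# Reported unit already had this line. It only does real work once the
# service is non-root: it lets the unprivileged daemon bind :80/:443.
AmbientCapabilities=CAP_NET_BIND_SERVICE
# Nothing else may ever be acquired, not even via setuid binaries.
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
NoNewPrivileges=true

# Writable state (ACME certificates, file provider, logs) lives in a
# directory systemd creates and chowns to User= (assumed location).
StateDirectory=traefik

# Read-only view of the OS; /etc/traefik/traefik.toml is still readable.
ProtectSystem=strict
ProtectHome=true
PrivateTmp=true
PrivateDevices=true
ProtectKernelTunables=true
ProtectControlGroups=true
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX

# Unchanged from the reported unit.
ExecStart=/usr/bin/traefik --configFile=/etc/traefik/traefik.toml
Restart=on-failure

[Install]
WantedBy=multi-user.target
```

After installing such a unit, `systemd-analyze security traefik.service` prints the per-directive exposure assessment; the reported root:root unit scores near the top of the "UNSAFE" range, and the User=/capability/sandboxing lines above are exactly the items it flags.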
This behavior is present in traefik and traefik2 packages. Do you want to create a new issue or fix both packages in this?
If both packages are affected equally by this, then please address both. I am currently treating this as a hardening effort, so I wouldn't need an extra bug for the second package, unless you would like to have one.
(In reply to Matthias Gerstner from comment #2)
> If both packages are affected equally by this, then please address both.
>
> I am currently treating this as a hardening effort, so I wouldn't need an
> extra bug for the second package, except you would like to have one.

Not needed, I can address both at the same time; there's little difference between the systemd unit files.