Date: Mon, 5 Nov 2001 21:40:42 +0000
From: David Taylor <davidt@yadt.co.uk>
To: Kutulu <kutulu@kutulu.org>
Cc: Clive Lin <clive@tongi.org>, ijliao@FreeBSD.ORG, freebsd-ports@FreeBSD.ORG
Subject: Re: ports/30431: ircd-hybrid fails to open logfile when started as root and running as non-root
Message-ID: <20011105214042.B5777@gattaca.yadt.co.uk>
In-Reply-To: <20011105155725.A96337@pr0n.kutulu.org>; from kutulu@kutulu.org on Mon, Nov 05, 2001 at 15:57:25 -0500
References: <200110201346.f9KDkoH94175@freefall.freebsd.org> <20011020235846.A65605@cartier.cirx.org> <001c01c15981$a3614a40$88682518@longhill1.md.home.com> <20011020175246.A60977@gattaca.yadt.co.uk> <20011021194658.A3397@malloc.eb.kliev.net> <20011105165431.A93095@gattaca.yadt.co.uk> <20011105155725.A96337@pr0n.kutulu.org>
On Mon, 05 Nov 2001, Kutulu wrote:
> On Mon, Nov 05, 2001 at 04:54:31PM +0000, David Taylor wrote:
> > On Sun, 21 Oct 2001, Clive Lin wrote:
> >
> > Well, the official position of the hybrid team is that the SUID code
> > shouldn't be used, and ircd should be run as a separate user (e.g. ircd),
> > which should own the logfiles. It might also be an idea to set up resource
>
> Actually, I'm not using the SUID code. I've defined a UID and GID in the
> config file for ircd to run as. It's not suid anything, but it's started
> as root and drops privs as soon as possible. I understand that the
> hybrid team strongly recommends against the SUID code, but does that
> include starting a non-suid ircd as root and having it drop its privs?

Yes. By SUID code I was referring to the code that detects when it's running
as root, and attempts to call set*uid() to change uids, since (IIRC, which I
probably don't) there was a define of a similar name, in some version of
hybrid.

> As far as ircd owning the log files, I'm mostly just trying to keep them
> all in one place, specifically /var/log with the rest of my log files. I'm
> not sure which is less secure: having root own the ircd log file,
> or allowing the ircd user to write to /var/log...

Well, I'd recommend creating a /var/log/ircd/ or /usr/local/etc/ircd/log
directory, or something similar, which is owned by ircd, since ircd will
possibly want to create multiple log files, possibly creating a new one each
day (e.g. gline logfiles).

> > I'd say applying the patch anyway would be a good idea, but I'm hesitant to
> > start doing lots more before dropping privileges, as I'm not sure of the
> > security implications...
>
> I'm curious what the hybrid team's position on this is as well. Most other
> system daemons that run unprivileged (named, httpd, ftpd, etc) start as
> root, bind to the sockets, open their log files, then drop privs to
> their 'run-as-me' user, so I can't see how it would be any worse for
> ircd. If there's something more insidious going on, please let me know so
> I can stop doing it :)

The main difference is that httpd/named/ftpd (usually) bind to ports
80/53/21 (all <1024) whereas ircd (usually) binds to port 6667. The other
daemons _need_ to run as root to bind to the privileged ports; ircd has no
such need.

Also, as I said above, ircd may attempt to open a new logfile (e.g.
gline.log.YYYYMMDD) after it has started up and dropped privileges.

The only (semi-)valid use of the IRCD_UID/GID code that I am aware of is if
you want ircd to bind to a <1024 port, which is pointless, and possibly won't
work anyway.

-- 
David Taylor
davidt@yadt.co.uk
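The failure mode discussed in this thread (a daemon that opens its first log as root, drops to an unprivileged user, and then cannot create gline.log.YYYYMMDD in a root-owned /var/log) as an added example in C. This is illustrative code written for this page, not ircd-hybrid's own startup code. It assumes a hypothetical ircd user and group (uid/gid 72 is a placeholder, not the port's actual value) and the root-owned directory layout David recommends; the mode-bit check ignores supplementary groups and ACLs, so it is the classic owner/group/other rule only.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE          /* setgroups() and gmtime_r() on glibc */
#endif
#include <fcntl.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <time.h>
#include <unistd.h>

/* Owner/group/other rule: may a process running as (uid, gid) create
 * entries in a directory with this owner, group and mode?  Root bypasses
 * the check, which is exactly why the problem only shows up after the
 * privilege drop.  Supplementary groups and ACLs are ignored here. */
int mode_allows_write(mode_t mode, uid_t dir_uid, gid_t dir_gid,
                      uid_t uid, gid_t gid)
{
    if (uid == 0)
        return 1;
    if (uid == dir_uid)
        return (mode & S_IWUSR) != 0;
    if (gid == dir_gid)
        return (mode & S_IWGRP) != 0;
    return (mode & S_IWOTH) != 0;
}

/* Same rule applied to a directory on disk; -1 if it is missing or not
 * a directory. */
int dir_writable_by(const char *dir, uid_t uid, gid_t gid)
{
    struct stat st;

    if (stat(dir, &st) != 0 || !S_ISDIR(st.st_mode))
        return -1;
    return mode_allows_write(st.st_mode, st.st_uid, st.st_gid, uid, gid);
}

/* Drop root irreversibly: supplementary groups first (only root may call
 * setgroups), then gid, then uid, then prove root cannot be regained. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(1, &gid) != 0)
        return -1;
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)
        return -1;
    if (uid != 0 && setuid(0) == 0)   /* still root: the drop did not take */
        return -1;
    return 0;
}

/* Open, creating if needed, a per-day log such as gline.log.YYYYMMDD.
 * After drop_privileges() this fails in root-owned /var/log and works in
 * a directory owned by the ircd user. */
int open_dated_log(const char *dir, const char *base, time_t when)
{
    char path[1024];
    struct tm tm;

    gmtime_r(&when, &tm);
    snprintf(path, sizeof path, "%s/%s.%04d%02d%02d", dir, base,
             tm.tm_year + 1900, tm.tm_mon + 1, tm.tm_mday);
    return open(path, O_WRONLY | O_CREAT | O_APPEND, 0640);
}

/* Usage: ./logdir-check <logdir> <uid> <gid>   (defaults are placeholders) */
int main(int argc, char **argv)
{
    const char *dir = argc > 1 ? argv[1] : "/var/log/ircd";
    uid_t uid = argc > 2 ? (uid_t)strtoul(argv[2], NULL, 10) : 72;
    gid_t gid = argc > 3 ? (gid_t)strtoul(argv[3], NULL, 10) : 72;
    int fd;

    /* Check while still root, when the ownership could still be fixed;
     * discovering it at the first log rotation is the situation PR 30431
     * describes. */
    if (dir_writable_by(dir, uid, gid) != 1) {
        fprintf(stderr, "%s not writable by uid %lu gid %lu: new logs will "
                "fail after dropping root\n", dir,
                (unsigned long)uid, (unsigned long)gid);
        return 1;
    }
    if (drop_privileges(uid, gid) != 0) {
        perror("drop_privileges");
        return 1;
    }
    fd = open_dated_log(dir, "gline.log", time(NULL));
    if (fd < 0) {
        perror("open_dated_log");
        return 1;
    }
    close(fd);
    return 0;
}
```

Run as root with a root-owned 0755 directory and the check fails before any privileges are dropped; point it at a directory chowned to the ircd user and both the drop and the dated open succeed. The order in drop_privileges() matters: setgroups() must come before setgid()/setuid(), since it needs root, and the final setuid(0) probe catches the case where only the effective uid was changed.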