Re: [B.A.T.M.A.N.] running alfred as unprivileged user

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Simon Wunderlich <sw@simonwunderlich.de>
To: b.a.t.m.a.n@lists.open-mesh.org
Cc: MK <mailing.m1@kkk-web.de>
Subject: Re: [B.A.T.M.A.N.] running alfred as unprivileged user
Date: Thu, 05 Feb 2015 13:29:23 +0100	[thread overview]
Message-ID: <1928822.H2LaTFtYz1@prime> (raw)
In-Reply-To: <matu4b$lak$1@ger.gmane.org>

[-- Attachment #1: Type: text/plain, Size: 811 bytes --]

Hi Martin,

On Wednesday 04 February 2015 21:06:33 MK wrote:
> Hi list!
> 
> Alfred daemon runs as user root in our current setup on the gateway.
> 
> Regarding the faulty buffer size checks and improper use of strcpy in recent
> history of this software this seems to be a very bad idea.

that's a good point.
> 
> What are the requirements for the user running alfred? Which elevated
> privileges does alfred really need? Is it possible to drop the privileges
> after setting up the interface bindings?

What spontaneously comes to my mind would be:

 * network socket to send/receive UDP packets
 * unix socket to talk to clients (but that may be changed by using a different 
path)
 * access to debugfs to get batman information

Patches are very welcome to implement dropping privileges.

Thanks,
    Simon

[-- Attachment #2: This is a digitally signed message part. --]
[-- Type: application/pgp-signature, Size: 181 bytes --]

next prev parent reply	other threads:[~2015-02-05 12:29 UTC|newest]

Thread overview: 3+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2015-02-04 20:06 [B.A.T.M.A.N.] running alfred as unprivileged user MK
2015-02-05 12:29 ` Simon Wunderlich [this message]
2015-02-06 19:26   ` MK

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1928822.H2LaTFtYz1@prime \
    --to=sw@simonwunderlich.de \
    --cc=b.a.t.m.a.n@lists.open-mesh.org \
    --cc=mailing.m1@kkk-web.de \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.