* [Buildroot] [PATCH 1/1] package/bird: add a unprivileged user
From: Adrien Gallouët @ 2019-02-05 10:56 UTC (permalink / raw)
To: buildroot
This commit adds a specific unprivileged user for BIRD
to avoid full root privileges while running.

Signed-off-by: Adrien Gallouët <adrien@gallouet.fr>
---
package/bird/bird.mk | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/package/bird/bird.mk b/package/bird/bird.mk
index da2f868070..8091644108 100644
--- a/package/bird/bird.mk
+++ b/package/bird/bird.mk
@@ -17,4 +17,12 @@ else
BIRD_CONF_OPTS += --disable-client
endif
+define BIRD_USERS
+ bird -1 bird -1 * - - - BIRD unprivileged user
+endef
+
+define BIRD_PERMISSIONS
+ /etc/bird.conf r 600 bird bird - - - - -
+endef
+
$(eval $(autotools-package))
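Review bot: Nothing in this hunk makes the daemon run as the new account. BIRD_USERS creates bird and BIRD_PERMISSIONS hands /etc/bird.conf to it, but no init script or start option is added or changed here, so nothing visible uses the user; please add the startup piece in the same patch. Also reconsider `/etc/bird.conf r 600 bird bird`: owner bird with mode 600 lets the unprivileged daemon rewrite its own configuration, and `r` is the recursive type where a single file would normally use `f`. Owner root, group bird and mode 640 would keep the file readable by the daemon without making it writable.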
--
2.19.1
^ permalink raw reply related [flat|nested] 5+ messages in thread
* [Buildroot] [PATCH 1/1] package/bird: add a unprivileged user
From: Thomas Petazzoni @ 2019-03-17 16:49 UTC (permalink / raw)
To: buildroot
Hello Adrien,
On Tue, 5 Feb 2019 10:56:31 +0000
Adrien Gallouët <adrien@gallouet.fr> wrote:
> This commit adds a specific unprivileged user for BIRD
> to avoid full root privileges while running.
>
> Signed-off-by: Adrien Gallouët <adrien@gallouet.fr>

Could you give a few more details on how/where this new user gets
used? Your patch only creates it, but it doesn't tweak any init script
or configuration file that would tell the daemon to be started using
this unprivileged user.

Could you provide a bit more detail?
Thanks!
Thomas
--
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com
^ permalink raw reply [flat|nested] 5+ messages in thread
* [Buildroot] [PATCH 1/1] package/bird: add a unprivileged user
From: Adrien Gallouët @ 2019-03-17 19:56 UTC (permalink / raw)
To: buildroot
On Sun, Mar 17, 2019 at 5:49 PM Thomas Petazzoni
<thomas.petazzoni@bootlin.com> wrote:
>
> Hello Adrien,
>
> On Tue, 5 Feb 2019 10:56:31 +0000
> Adrien Gallouët <adrien@gallouet.fr> wrote:
>
> > This commit adds a specific unprivileged user for BIRD
> > to avoid full root privileges while running.
> >
> > Signed-off-by: Adrien Gallouët <adrien@gallouet.fr>
>
> Could you give a few more details on how/where this new user gets
> used? Your patch only creates it, but it doesn't tweak any init script
> or configuration file that would tell the daemon to be started using
> this unprivileged user.
>
> Could you provide a bit more detail?
>
> Thanks!
>
> Thomas
> --
> Thomas Petazzoni, CTO, Bootlin
> Embedded Linux and Kernel engineering
> https://bootlin.com
Hi Thomas,
I use BIRD with s6 in production and I didn't take the time
to write a correct start-stop-daemon script for it yet. In all cases,
BIRD only needs root privileges at startup and it can switch
to a less privileged one when started with -u USER -g GROUP.

If you prefer to wait, I'll resubmit a patch with the start-stop-daemon
script later.
Best regards.
^ permalink raw reply [flat|nested] 5+ messages in thread
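To check the behaviour described in the message above (root only at startup, then a switch to another user and group), the added example below reads text in /proc/<pid>/status format and reports whether any root UID or GID remains. It is not part of the thread or of Buildroot; the function names and the sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example: confirm that a daemon started as root (for instance
# bird with -u bird -g bird) has actually given up root. Works on text
# in the /proc/<pid>/status format; function names are hypothetical.

# ids_dropped FIELD STATUS_TEXT
# True only if the real, effective, saved and filesystem IDs on the
# "Uid" or "Gid" line are all non-zero. A saved ID of 0 still counts as
# root, because the process could switch back to it. A missing line or
# missing field is treated as a failure.
ids_dropped() {
    printf '%s\n' "$2" | awk -v f="$1:" '
        $1 == f { seen = 1; for (i = 2; i <= 5; i++) if ($i == 0) bad = 1 }
        END { if (seen && !bad) exit 0; exit 1 }'
}

# check_privdrop STATUS_TEXT
# Prints a verdict and returns 0 only when both UIDs and GIDs are dropped.
check_privdrop() {
    ids_dropped Uid "$1" || { echo "FAIL: a UID is still 0"; return 1; }
    ids_dropped Gid "$1" || { echo "FAIL: a GID is still 0"; return 1; }
    echo "OK: no root UID/GID left"
}

# Constructed samples (ID 1000 is an arbitrary stand-in for "bird").
SAMPLE_ROOT='Name: bird
Uid: 0 0 0 0
Gid: 0 0 0 0'
SAMPLE_DROPPED='Name: bird
Uid: 1000 1000 1000 1000
Gid: 1000 1000 1000 1000'
SAMPLE_SAVED_ROOT='Name: bird
Uid: 1000 1000 0 1000
Gid: 1000 1000 1000 1000'

# Live use: pass the daemon's PID as the first argument.
if [ -n "${1:-}" ]; then
    check_privdrop "$(cat "/proc/$1/status")"
fi
```
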
* [Buildroot] [PATCH 1/1] package/bird: add a unprivileged user
From: Thomas Petazzoni @ 2019-03-18 10:05 UTC (permalink / raw)
To: buildroot
Hello Adrien,
Thanks for the feedback.
On Sun, 17 Mar 2019 20:56:16 +0100
> I use BIRD with s6 in production and I didn't take the time
> to write a correct start-stop-daemon script for it yet. In all cases,
> BIRD only needs root privileges at startup and it can switch
> to a less privileged one when started with -u USER -g GROUP.
>
> If you prefer to wait, I'll resubmit a patch with the start-stop-daemon
> script later.
Yes, indeed, I think it makes more sense to have the new user created
together with an init script that actually uses it.
Thanks!
Thomas
--
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com
^ permalink raw reply [flat|nested] 5+ messages in thread
* [Buildroot] [PATCH 1/1] package/bird: add a unprivileged user
From: Thomas Petazzoni @ 2019-06-23 16:10 UTC (permalink / raw)
To: buildroot
On Mon, 18 Mar 2019 11:05:47 +0100
Thomas Petazzoni <thomas.petazzoni@bootlin.com> wrote:
> > If you prefer to wait, I'll resubmit a patch with the start-stop-daemon
> > script later.
>
> Yes, indeed, I think it makes more sense to have the new user created
> together with an init script that actually uses it.
Unless I missed it, we didn't receive a new patch that adds the init
script for bird. I'm now going to mark the "package/bird: add a
unprivileged user" patch as "Changes Requested" in patchwork. So if you
don't resubmit a new patch, we will forget about this topic.
Thanks!
Thomas
--
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com
^ permalink raw reply [flat|nested] 5+ messages in thread