EGI-Federation / bdii

Berkeley Database Information Index
Apache License 2.0

BDII Services insecure/unnecessarily exposed due to elevated capabilities/roles #65

Open thdesy opened 1 month ago

thdesy commented 1 month ago

Short Description of the issue

bdii.service, bdii-slapd.service are unnecessarily exposed and potentially insecure due to elevated roles & permissions required, i.e., requiring running as root, with runuser requiring all system capabilities

Environment

Description

The bdii and bdii-slapd services have to be run as root; no service setup under a constrained user is possible, e.g.,

> cat /etc/systemd/system/bdii.service.d/01-user.conf
[Service]
User=ldap
Group=ldap

also no dropping of capabilities is possible, e.g.

> cat /etc/systemd/system/bdii.service.d/02-capsconf
[Service]
#CapabilityBoundingSet=CAP_KILL CAP_CHOWN
CapabilityBoundingSet=CAP_SYS_ADMIN CAP_DAC_OVERRIDE CAP_SYS_PTRACE

Presumed cause

The default service seems to reuse a SysV run script, that relies on runuser to drop from root to the ldap user.

> cat /usr/lib/systemd/system/bdii.service
[Unit]
Description=Berkeley Database Information Index
Documentation=man:bdii-update(1)
After=bdii-slapd.service
Requires=bdii-slapd.service
BindsTo=bdii-slapd.service

[Service]
Type=forking
PIDFile=/run/bdii/bdii-update.pid
EnvironmentFile=-/etc/sysconfig/bdii
ExecStart=/bin/sh -c ' \
  BDII_CONF=$${BDII_CONF:-/etc/bdii/bdii.conf} ; \
  [ -r "$${BDII_CONF}" ] && . "$${BDII_CONF}" ; \
  BDII_USER=$${BDII_USER:-ldap} ; \
  BDII_UPDATE=$${BDII_UPDATE:-/usr/sbin/bdii-update} ; \
  export SLAPD_CONF=$${SLAPD_CONF:-/etc/bdii/bdii-slapd.conf} ; \
  /sbin/runuser -s /bin/sh $${BDII_USER} -c "$${BDII_UPDATE} -c $${BDII_CONF} -d ; sleep 2" \
'

[Install]
WantedBy=multi-user.target

gwarf commented 1 month ago

Dear @thdesy, thanks for the report! If you are willing to, or if you already made some local tests and changes, we would welcome a PR regarding this issue.
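
An audit sketch for the pattern reported in this issue, added here as an example (not code from the bdii project or from either commenter): it parses a unit's [Service] section and flags a root-started service whose ExecStart switches user with runuser, plus a missing or broad CapabilityBoundingSet. The function names, finding labels and the BROAD_CAPS list are assumptions; the sample unit is abridged from the one quoted in the report.

```python
import os

# Constructed sample: abridged [Service] section of the bdii.service unit quoted above.
SAMPLE_UNIT = r"""
[Service]
Type=forking
PIDFile=/run/bdii/bdii-update.pid
ExecStart=/bin/sh -c ' \
  BDII_USER=$${BDII_USER:-ldap} ; \
  /sbin/runuser -s /bin/sh $${BDII_USER} -c "$${BDII_UPDATE} -c $${BDII_CONF} -d ; sleep 2" \
'
"""

PRIV_DROP_TOOLS = {"runuser", "su", "sudo", "setpriv"}  # must start privileged to switch user
BROAD_CAPS = {"CAP_SYS_ADMIN", "CAP_DAC_OVERRIDE", "CAP_SYS_PTRACE"}  # illustrative list (assumption)

def parse_service(text):
    """Collect [Service] keys as {key: [values]}, joining backslash-continued lines."""
    section, out = None, {}
    for line in text.replace("\\\n", " ").splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "Service" and "=" in line:
            key, value = line.split("=", 1)
            out.setdefault(key.strip(), []).append(value.strip())
    return out

def audit(text):
    """Return findings for one unit (drop-in text may be appended to the unit text)."""
    svc, findings = parse_service(text), []
    if svc.get("User", [""])[-1] in ("", "root", "0"):
        findings.append("runs-as-root")
    for cmd in svc.get("ExecStart", []):
        for tok in cmd.split():
            tool = os.path.basename(tok.strip("'\""))
            if tool in PRIV_DROP_TOOLS:
                findings.append("exec-switches-user-via-" + tool)
    caps = svc.get("CapabilityBoundingSet")
    if caps is None:
        findings.append("no-capability-bounding-set")
    elif not caps[-1].startswith("~"):  # simplification: only the last allow-list is checked
        broad = sorted(BROAD_CAPS & set(caps[-1].split()))
        if broad:
            findings.append("broad-capabilities:" + ",".join(broad))
    return findings
```

Appending a drop-in's text to the unit text before calling `audit` approximates how systemd merges drop-ins; the real merge rules (resets via empty assignments, `~` deny-lists) are only partly modelled here.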