NICMx / FORT-validator

RPKI cache validator
MIT License

Running as non-root #22

Closed alarig closed 4 years ago

alarig commented 4 years ago

Hi,

I tried to make an ebuild (and the associated init file) for FORT, but I don’t see any option to change the user after the binding. If I use the start-stop-daemon, FORT can’t bind to port 323 as it’s less than 1024. And of course, I don’t want to run FORT as root.

Regards, -- Alarig

rfc1036 commented 4 years ago

In the Debian package we have a systemd unit with quite some sandboxing and which uses CAP_NET_BIND_SERVICE to support using an unprivileged user: https://salsa.debian.org/md/fort-validator/blob/master/debian/fort.service
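As an added illustration of the approach rfc1036 describes (this is example text, not the Debian package's fort.service), the unit below runs the validator as an unprivileged account and grants it only CAP_NET_BIND_SERVICE, the one capability needed to bind port 323. The `fort` user, the `/var/lib/fort` state directory and the sandboxing directives are assumptions; the command line is the one visible in the process listing later in this thread.

```ini
[Unit]
Description=FORT RPKI validator (example unit, not the Debian package's)
After=network-online.target
Wants=network-online.target

[Service]
# Assumed unprivileged service account (e.g. created with
# `useradd --system --home /var/lib/fort --shell /usr/sbin/nologin fort`).
User=fort
Group=fort
ExecStart=/usr/bin/fort --tal /usr/share/fort/tal/ --local-repository /var/lib/fort/ --log.output syslog

# Ambient capabilities are handed to the process directly, so the binary needs
# no file capabilities and no setuid bit; the bounding set keeps the process
# from ever acquiring anything else.
AmbientCapabilities=CAP_NET_BIND_SERVICE
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
# NoNewPrivileges is compatible with ambient capabilities (it would block file
# capabilities set with setcap, which is why the two approaches don't mix well).
NoNewPrivileges=yes

# Filesystem sandboxing: read-only OS, only the cache directory is writable.
StateDirectory=fort
ReadWritePaths=/var/lib/fort
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes
PrivateDevices=yes
ProtectKernelTunables=yes
ProtectControlGroups=yes
# TCP for rsync/RTR, AF_UNIX for talking to syslog.
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
Restart=on-failure

[Install]
WantedBy=multi-user.target
```

After installing the unit, `systemctl show fort -p AmbientCapabilities -p CapabilityBoundingSet` confirms what systemd will grant, and `ss -ltnp` should show the listener on 323 owned by the `fort` user.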

pcarana commented 4 years ago

Currently there's no available configuration to do this via args, but that's something that we'll add to our TO-DO list.

Thanks @rfc1036 for the example.

alarig commented 4 years ago

Thanks for the pointer to filecaps, I added it to my ebuild and now it works:

msi ~ # rc-service fort start
 * Caching service dependencies ...                                                                                               [ ok ]
 * /var/lib/fort/: correcting mode
 * /var/lib/fort/: correcting owner
 * Starting fort validator daemon ...                                                                                                [ ok ]

And then htop outputs

10040 fort       20   0  365M  1804  1392 S 28.1  0.1  0:00.42 ├─ /usr/bin/fort --tal /usr/share/fort/tal/ --local-repository /var/lib/fort/ --log.output syslog
10057 fort       20   0  108M  8248  2668 S 24.7  0.4  0:01.45 │  ├─ rsync --recursive --delete --times --contimeout=20 rsync://rpki.ripe.net/repository /var/lib/fort/rpki.ripe.net/
10060 fort       20   0  209M  7424  1376 S 32.1  0.4  0:02.61 │  │  └─ rsync --recursive --delete --times --contimeout=20 rsync://rpki.ripe.net/repository /var/lib/fort/rpki.ripe.n
10052 fort       20   0 80224  5708  2636 S  1.3  0.3  0:00.15 │  ├─ rsync --recursive --delete --times --contimeout=20 rsync://repository.lacnic.net/rpki /var/lib/fort/repository.l
10064 fort       20   0  139M  4324  1404 S  4.0  0.2  0:00.21 │  │  └─ rsync --recursive --delete --times --contimeout=20 rsync://repository.lacnic.net/rpki /var/lib/fort/repositor
10051 fort       20   0  8756  3088  2600 S  0.0  0.2  0:00.01 │  ├─ rsync --recursive --delete --times --contimeout=20 rsync://rpki.apnic.net/repository /var/lib/fort/rpki.apnic.ne
10065 fort       20   0 10836  1672  1168 S  0.0  0.1  0:00.01 │  │  └─ rsync --recursive --delete --times --contimeout=20 rsync://rpki.apnic.net/repository /var/lib/fort/rpki.apnic
10048 fort       20   0  365M  1804  1392 R 28.1  0.1  0:00.42 │  ├─ /usr/bin/fort --tal /usr/share/fort/tal/ --local-repository /var/lib/fort/ --log.output syslog
10047 fort       20   0  365M  1804  1392 S  0.0  0.1  0:00.00 │  ├─ /usr/bin/fort --tal /usr/share/fort/tal/ --local-repository /var/lib/fort/ --log.output syslog
10046 fort       20   0  365M  1804  1392 S  0.0  0.1  0:00.00 │  ├─ /usr/bin/fort --tal /usr/share/fort/tal/ --local-repository /var/lib/fort/ --log.output syslog
10045 fort       20   0  365M  1804  1392 S  0.0  0.1  0:00.00 │  ├─ /usr/bin/fort --tal /usr/share/fort/tal/ --local-repository /var/lib/fort/ --log.output syslog
10044 fort       20   0  365M  1804  1392 S  0.0  0.1  0:00.00 │  └─ /usr/bin/fort --tal /usr/share/fort/tal/ --local-repository /var/lib/fort/ --log.output syslog

Here is the ebuild, in case you have comments: https://git.grifon.fr/alarig/SwordArMor-gentoo-overlay/src/branch/master/net-misc/FORT-validator/FORT-validator-1.1.3.ebuild I didn’t add the other sandbox options, as I don’t see how to do this simply.

I will drop the filecaps workaround when the “user-fork” is released.
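The file-capability route alarig ended up using, written out as an added example (not the ebuild's own code and not part of the FORT project): the script grants the binary exactly `cap_net_bind_service` and verifies the grant from `getcap` output before the init script starts the daemon as the unprivileged user. Binary path and user name are assumptions. The caveats in the comments are the reason the systemd ambient-capability approach is preferable where available: a file capability benefits anyone who can execute the binary, it is silently lost when the package replaces the file, and it is ignored on `nosuid` mounts or under `no_new_privs`.

```bash
#!/bin/sh
# Example helper for the OpenRC/filecaps setup discussed above (assumed paths).
set -eu

FORT_BIN="${FORT_BIN:-/usr/bin/fort}"   # assumed install location
FORT_USER="${FORT_USER:-fort}"          # assumed unprivileged service account

# On Linux, binding a port below 1024 needs CAP_NET_BIND_SERVICE (or root).
needs_bind_cap() {
    [ "$1" -lt 1024 ]
}

# Given one line of getcap(8) output, report whether cap_net_bind_service is
# present in both the permitted and effective sets. Handles the old
# "/path = cap_net_bind_service+ep" and the newer "/path cap_net_bind_service=ep"
# output styles, as well as multi-capability lists such as "cap_a,cap_b=ep".
file_cap_grants_bind() {
    flags=$(printf '%s\n' "$1" \
        | sed -n 's/.*cap_net_bind_service[a-z_,]*[=+]\([a-z]*\).*/\1/p')
    case "$flags" in
        *e*p*|*p*e*) return 0 ;;
        *)           return 1 ;;
    esac
}

# Grant only the one capability the daemon needs (run once, as root).
# Caveat: this attaches to the file, so every user able to run the binary gets
# it, and a package upgrade that replaces the file drops it again.
grant_bind_cap() {
    setcap cap_net_bind_service=+ep "$1"
}

# Check the binary before the init script hands it to start-stop-daemon, so a
# lost capability fails loudly instead of leaving fort unable to bind 323.
verify_bind_cap() {
    line=$(getcap "$1") || return 1
    file_cap_grants_bind "$line"
}

# Only act when explicitly asked; sourcing the file just defines the functions.
if [ "${1:-}" = "apply" ]; then
    grant_bind_cap "$FORT_BIN"
    verify_bind_cap "$FORT_BIN" || { echo "capability not set on $FORT_BIN" >&2; exit 1; }
    echo "$FORT_BIN may bind port 323 when run as $FORT_USER"
fi
```

In the init script this pairs with `start-stop-daemon --user fort` (as in the `rc-service` output above) and, because the capability lives on the file, with nothing else: no `--chuid` tricks after bind, and no `no_new_privs`-style hardening on the daemon, which would cancel the grant.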

pcarana commented 4 years ago

Thanks @alarig for sharing the ebuild! We'll check it out.

I will drop the filecaps workaround when the “user-fork” is released.

And we expect to include this improvement soon.