Netgear / wsdd2

WSD/LLMNR Discovery/Name Service Daemon
GNU General Public License v3.0

Improve security of running service #6

Closed tripplet closed 4 years ago

tripplet commented 4 years ago

Avoids running the service as root and restricts the access rights.

Andy2244 commented 4 years ago

Thanks for the update.

tripplet commented 4 years ago

No problem, thanks for creating and maintaining this repo.

tmm1 commented 3 years ago

Does this still allow for popen(testparm) to be run?

https://github.com/Andy2244/wsdd2/blob/master/wsd.c#L131

Andy2244 commented 3 years ago

Hi, not sure what you mean. If the cmd string can be created it runs popen(testparm ...), so yes?

PS: get_smbparm() itself is only run if the wsdd2 service does not directly get the -W -N parameter.


tmm1 commented 3 years ago

It is not working for me it seems. I'm not using -N. The server responds to the hostname but not the netbios name I have set up in my smb.conf. I'm guessing all these security options are making it so the daemon cannot run testparm or read smb.conf.

tmm1 commented 3 years ago

I also noticed that when I run under systemd there are several errors, and lsof shows no TCP listeners. But when I run directly no such errors are present:

```
Oct 20 15:58:46 server systemd[1]: Started WSD/LLMNR Discovery/Name Service Daemon.
Oct 20 15:58:46 server wsdd2[8079]: starting.
Oct 20 15:58:47 server wsdd2[8079]: error: wsdd-http-v4: open_ep: SO_BINDTODEVICE
Oct 20 15:58:47 server wsdd2[8079]: error: wsdd-http-v6: open_ep: SO_BINDTODEVICE
Oct 20 15:58:47 server wsdd2[8079]: error: llmnr-tcp-v4: open_ep: SO_BINDTODEVICE
Oct 20 15:58:47 server wsdd2[8079]: error: llmnr-tcp-v6: open_ep: SO_BINDTODEVICE
```

```
wsdd2   8079    61623    0r      CHR                1,3      0t0  5419 /dev/null
wsdd2   8079    61623    1u     unix 0x00000000e6bda8d4      0t0 34819 type=STREAM
wsdd2   8079    61623    2u     unix 0x00000000e6bda8d4      0t0 34819 type=STREAM
wsdd2   8079    61623    3u     unix 0x00000000c8634e56      0t0 34846 type=DGRAM
wsdd2   8079    61623    4u     IPv4              34850      0t0   UDP *:3702
wsdd2   8079    61623    5u     IPv6              34855      0t0   UDP *:3702
wsdd2   8079    61623    6u     IPv4              34858      0t0   UDP *:5355
wsdd2   8079    61623    7u     IPv6              34860      0t0   UDP *:5355
wsdd2   8079    61623    8u  netlink                         0t0 34863 ROUTE
```

vs

```
wsdd2   8095 root    0u      CHR              136,0      0t0     3 /dev/pts/0
wsdd2   8095 root    1u      CHR              136,0      0t0     3 /dev/pts/0
wsdd2   8095 root    2u      CHR              136,0      0t0     3 /dev/pts/0
wsdd2   8095 root    3u     unix 0x00000000a67d51aa      0t0 31718 type=DGRAM
wsdd2   8095 root    4u     IPv4              31722      0t0   UDP *:3702
wsdd2   8095 root    5u     IPv6              31727      0t0   UDP *:3702
wsdd2   8095 root    6u     IPv4              31728      0t0   TCP *:3702 (LISTEN)
wsdd2   8095 root    7u     IPv6              31729      0t0   TCP *:3702 (LISTEN)
wsdd2   8095 root    8u     IPv4              31730      0t0   UDP *:5355
wsdd2   8095 root    9u     IPv6              31732      0t0   UDP *:5355
wsdd2   8095 root   10u     IPv4              31733      0t0   TCP *:5355 (LISTEN)
wsdd2   8095 root   11u     IPv6              31734      0t0   TCP *:5355 (LISTEN)
wsdd2   8095 root   12u  netlink                         0t0 31735 ROUTE
```

So I'm pretty sure these systemd options do not allow the daemon to function properly.

tmm1 commented 3 years ago

If I revert this PR, there are no more errors in the systemd log and lsof looks correct.

```
Oct 20 16:04:07 server systemd[1]: Started WSD/LLMNR Discovery/Name Service Daemon.
Oct 20 16:04:07 server wsdd2[8147]: starting.
```

I'll try to remove the lines one by one to figure out which one causes problems.

tmm1 commented 3 years ago

Removing DynamicUser=true fixed the issues I was seeing.

I'm using systemd v244.

```
# systemctl --version
systemd 244 (244)
+PAM -AUDIT -SELINUX -IMA -APPARMOR -SMACK +SYSVINIT +UTMP -LIBCRYPTSETUP +GCRYPT +GNUTLS -ACL -XZ -LZ4 -SECCOMP +BLKID -ELFUTILS +KMOD -IDN2 -IDN -PCRE2 default-hierarchy=hybrid
```

I checked and nss-systemd is enabled.

tmm1 commented 3 years ago

It also works with ProtectSystem=full, so might be worth adding that and removing DynamicUser.

tmm1 commented 3 years ago

Appears the SO_BINDTODEVICE errors might have to do with the kernel version:

https://patchwork.ozlabs.org/project/netdev/patch/20200331132009.1306283-1-vincent@bernat.ch/

Would be useful if wsdd2.c printed out the error, which would have shown up as EPERM and made this easier to understand.

tmm1 commented 3 years ago

Okay, so since I figured out CAP_NET_RAW was the issue, I was able to make it work as so:

```
DynamicUser=true
ProtectSystem=full
AmbientCapabilities=CAP_NET_RAW
```

I will send a PR.