canonical / ubuntu-advantage-desktop-daemon

GNU General Public License v3.0

Could a lower privilege user be used by the systemd service? #13

Open seb128 opened 2 years ago

seb128 commented 2 years ago

The MIR review [1] had that suggestion

Try further locking down the systemd service (root daemon), e.g. by running it under its own (dynamic) user/group: https://0pointer.net/blog/dynamic-users-with-systemd.html

Unsure if that would be possible; in practice attaching a token probably requires admin privileges, but maybe we could ask for credentials and pkexec only the ua attach call or something? It's not a high priority request and wasn't a pre-requirement for promotion, but let's at least have a ticket as a reminder to investigate how doable that would be.

[1] https://bugs.launchpad.net/ubuntu/+source/ubuntu-advantage-desktop-daemon/+bug/1954909

robert-ancell commented 2 years ago

The ua tool requires us to be root (i.e. it checks that it is being called by uid=0):

import os
from functools import wraps

from uaclient import exceptions  # ua's own exception module (NonRootUserError)


def assert_root(f):
    """Decorator asserting root user"""

    @wraps(f)
    def new_f(*args, **kwargs):
        # Real uid must be 0; an effective-uid-only root (setuid) is not enough
        if os.getuid() != 0:
            raise exceptions.NonRootUserError()
        else:
            return f(*args, **kwargs)

    return new_f

I think the solution to this would be to make a group that is allowed to access the ua tool, and then make u-a-d-d a non-privileged user in that group.

I don't think there's any value in using pkexec as that's essentially what u-a-d-d is doing already - it's not really doing any more processing other than just proxying the calls.

robert-ancell commented 2 years ago

Hmm, now I think about it though ua might well require root privileges to write files etc. So we have to be root when we call it.

Therefore the solution might be:

  1. Run u-a-d-d with root privileges.
  2. Fork off a child process for calling ua.
  3. Drop privileges and launch D-Bus service.
  4. Call ua via the root subprocess.
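The four-step layout above, written out as an added privilege-separation skeleton in C (the daemon's language). This is example code, not the ubuntu-advantage-desktop-daemon source: the root parent forks the helper first, then drops to an unprivileged uid/gid before the point where it would register its D-Bus service, and only the still-root helper ever execs ua. The helper accepts a fixed opcode rather than a command line, so a compromised front end cannot choose the program or its flags. Assumptions: ua lives at /usr/bin/ua, `ua status` and `ua attach <token>` are the two calls being proxied, and the uid/gid 65534 (nobody) stands in for whatever dedicated account the daemon would use. The program path is a variable only so the skeleton can be exercised without root.

```c
/* Privilege-separation skeleton for a root daemon that proxies a few fixed
 * operations to a root-only CLI (assumed: /usr/bin/ua). Added example, not
 * the ubuntu-advantage-desktop-daemon source. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

/* Operations the unprivileged front end may request: a fixed opcode,
 * never a command line, so the front end cannot pick the program. */
enum op { OP_STATUS = 1, OP_ATTACH = 2 };

struct request { int op; char token[128]; };
struct reply { int status; };   /* ua's exit code, or -1 if the helper rejected it */

/* Program the helper execs. Assumption: ua is /usr/bin/ua. Overridable
 * so the skeleton can be run without root (e.g. pointed at /bin/true). */
const char *ua_program = "/usr/bin/ua";

/* Map a request to a fixed argv; -1 for unknown ops or a malformed token.
 * Caveat: a token passed as argv is readable by other local users via
 * /proc/<pid>/cmdline; a real daemon should prefer a file or stdin. */
int build_argv(const struct request *req, const char *argv[4]) {
    argv[0] = ua_program;
    switch (req->op) {
    case OP_STATUS:
        argv[1] = "status"; argv[2] = NULL;
        return 0;
    case OP_ATTACH:
        if (req->token[0] == '\0' ||
            memchr(req->token, '\0', sizeof req->token) == NULL)
            return -1;                      /* empty or unterminated token */
        argv[1] = "attach"; argv[2] = req->token; argv[3] = NULL;
        return 0;
    default:
        return -1;
    }
}

/* Run argv in a child of the helper and return its exit status (-1 on failure). */
static int run_ua(const char *argv[]) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execv(argv[0], (char *const *)argv);
        _exit(127);
    }
    int wstatus;
    if (waitpid(pid, &wstatus, 0) < 0) return -1;
    return WIFEXITED(wstatus) ? WEXITSTATUS(wstatus) : -1;
}

/* The root helper: serve requests until the front end closes the socket. */
static void helper_loop(int fd) {
    struct request req;
    while (read(fd, &req, sizeof req) == (ssize_t)sizeof req) {
        const char *argv[4];
        struct reply rep = { .status = -1 };
        if (build_argv(&req, argv) == 0)    /* validation happens on the root side */
            rep.status = run_ua(argv);
        if (write(fd, &rep, sizeof rep) != (ssize_t)sizeof rep)
            break;
    }
}

/* Step 2: fork the helper while still root. Returns the front end's socket;
 * SOCK_CLOEXEC keeps the socket out of the exec'd ua process. */
int start_helper(void) {
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM | SOCK_CLOEXEC, 0, sv) < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) { close(sv[0]); close(sv[1]); return -1; }
    if (pid == 0) {
        close(sv[0]);
        helper_loop(sv[1]);
        _exit(0);
    }
    close(sv[1]);
    return sv[0];
}

/* Step 3: permanently drop to uid/gid (setuid() as root sets real, effective
 * and saved ids), then verify the drop cannot be undone. No-op when not root
 * so the skeleton also runs unprivileged. */
int drop_privileges(uid_t uid, gid_t gid) {
    if (getuid() != 0) return 0;
    if (setgid(gid) < 0) return -1;
    if (setuid(uid) < 0) return -1;
    if (setuid(0) == 0 || seteuid(0) == 0) return -1;   /* must fail now */
    return 0;
}

/* Step 4: the unprivileged side sends one request and blocks for the reply. */
int call_helper(int fd, const struct request *req) {
    struct reply rep;
    if (write(fd, req, sizeof *req) != (ssize_t)sizeof *req) return -1;
    if (read(fd, &rep, sizeof rep) != (ssize_t)sizeof rep) return -1;
    return rep.status;
}

int main(void) {
    int fd = start_helper();                          /* fork while root */
    if (fd < 0) return 1;
    if (drop_privileges(65534, 65534) < 0) return 1;  /* 65534: assumed nobody */
    /* ...register the D-Bus service here, already unprivileged... */
    struct request req = { .op = OP_STATUS };
    int status = call_helper(fd, &req);               /* ua runs in the helper */
    printf("ua status exited with %d (front end uid %d)\n", status, (int)getuid());
    close(fd);
    return status == 0 ? 0 : 1;
}
```

Two things worth checking in a real implementation: the helper, not the front end, is the trust boundary, so every argument check must live in `build_argv` on the root side; and `drop_privileges` should be called before any D-Bus name is claimed, since ua's own `assert_root` only proves the helper kept a real uid of 0, not that the front end lost it.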