Open panlinux opened 1 month ago
Thanks! This is a great idea. We should probably migrate many services and files that we create to be owned by a pro system user. This is potentially large in scope so marking "future". It is also potentially controversial to SRU this change (and therefore create a new user on every Ubuntu machine out there).
Agreed on this being potentially large. About creating a new system user everywhere, I don't see it as controversial. Lots of packages do it.
Please describe the scenario where the new feature would be useful
While creating an AppArmor profile and adding systemd isolation features to the apt-news service, I realized that it runs as root unnecessarily, as it just downloads a JSON file and stores it locally.
Describe the solution you'd like
The next logical step in securing the service should be to run it as a non-privileged user.
Current behavior
The service runs as a privileged user without actually requiring those privileges.
Additional context
As this is a simple service, it's also a good starting point for extra hardening of the Pro client. This might need a spec, though: