m-lab / ooni-support

Support scripts for OONI on M-Lab
Apache License 2.0

Privileges / Sudo #38

Open defuse opened 10 years ago

defuse commented 10 years ago

As noted in #26, the ooni-backend daemon drops its privileges to the mlab_ooni user. However, mlab_ooni has full root privileges via sudo:

mlab_ooni   ALL=(ALL)   ALL

What is the point of dropping privileges, if an attacker who successfully gains access to the mlab_ooni account immediately has root access?

This ticket can be closed when:

defuse commented 10 years ago

There is still a benefit to dropping privileges, even though arbitrary code as mlab_ooni implies arbitrary code as root. The process itself has restricted privileges. For example, if there is some vulnerability in ooni-backend that lets the attacker overwrite an arbitrary file, then the attacker can only use that to overwrite files that mlab_ooni can overwrite, unless they also can get the process to regain its privileges or run a sudo command.
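
An added example, not part of the issue thread or the ooni-support repository: a small audit that flags service accounts whose sudoers rule makes them root-equivalent, as the `mlab_ooni ALL=(ALL) ALL` rule quoted in the issue does. The function names, the sample rules other than the mlab_ooni line, and the simplified grammar (no alias expansion, no include handling) are assumptions.

```python
import re

# Simplified sudoers user-spec pattern: "who hosts = (runas) TAG: commands".
# Assumption: no alias expansion, no #include handling, one host spec per rule.
SPEC = re.compile(
    r"^(?P<who>\S+)\s+(?P<hosts>[^=]+?)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z_]+:\s*)*)"
    r"(?P<cmds>.+)$"
)

# Constructed sample; only the mlab_ooni rule is taken from the issue.
SAMPLE = """\
# service accounts
Defaults    env_reset
root        ALL=(ALL)   ALL
mlab_ooni   ALL=(ALL)   ALL
backup      ALL=(root)  NOPASSWD: /usr/bin/rsync
deploy      ALL = NOPASSWD: \\
            ALL
"""

def logical_lines(text):
    """Join backslash continuations, drop comments and blank lines."""
    buf = ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        line, buf = (buf + line).split("#", 1)[0].strip(), ""
        if line:
            yield line

def root_equivalent_grants(text, accounts):
    """Return (account, nopasswd, rule) for rules allowing any command as root."""
    findings = []
    for line in logical_lines(text):
        m = SPEC.match(line)
        if not m or m["who"] not in accounts:
            continue
        # With no (runas) list, sudo runs the command as root.
        runas = m["runas"]
        users = {"root"} if runas is None else {u.strip() for u in runas.split(":")[0].split(",")}
        cmds = {c.strip() for c in m["cmds"].split(",")}
        if users & {"root", "ALL"} and "ALL" in cmds:
            findings.append((m["who"], "NOPASSWD:" in m["tags"], line))
    return findings
```

Calling `root_equivalent_grants(SAMPLE, {"mlab_ooni", "backup", "deploy"})` reports `mlab_ooni` and `deploy`, while `backup`, which is limited to a single command, is not flagged.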