Re: [arch-general] [arch-dev-public] Snort UID / GID
Hugo Doria wrote:
I've updated the snort package. The package is now working well, but I have a question:
I am creating a snort user and group during the package installation. Should we reserve a UID / GID to it? I think this is important because snort should run with fewer privileges since it can monitor the network, integrate itself with iptables and so on.
-- Hugo
Why can't the users themselves create a snort uid/gid...
On Thu, Jul 17, 2008 at 10:27 AM, RedShift <redshift@pandora.be> wrote:
Why can't the users themselves create a snort uid/gid...
As snort itself will run with the snort user/group, it is better to create them during the installation. -- Hugo
Hugo Doria wrote:
On Thu, Jul 17, 2008 at 10:27 AM, RedShift <redshift@pandora.be> wrote:
Why can't the users themselves create a snort uid/gid...
As snort itself will run with the snort user/group, it is better to create them during the installation.
-- Hugo
Why is it better to create them during installation? Glenn
This way snort can work out of the box with fewer privileges. Anyone who wants can put snort to run with another user. And, in any case, this email was just a question. -- Hugo
On Thu, Jul 17, 2008 at 10:40 AM, Hugo Doria <hugodoria@gmail.com> wrote:
This way snort can work out of the box with fewer privileges. Anyone who wants can put snort to run with another user.
And, in any case, this email was just a question.
I don't see why people have such an issue with creating UIDs/GIDs out of the box. I don't have a problem with it, as long as we don't do it on every flippin package under the sun. Is it possible to use 'nobody' for snort, or is there a security risk there too?
The problem of using the user "nobody" is that if it is used for various services, and one of these is compromised, it can also affect snort. IMHO, we have two options:
1) Create a "snort" user/group and provide a package with fewer privileges by default (users can change that if they want)
2) Run snort as "nobody" and put a message in snort.install showing how to change the user/group that snort runs as.
I think the first option is better. -- Hugo
"Hugo Doria" <hugodoria@gmail.com> writes:
IMHO, we have two options:
1) Create a "snort" user/group and provide a package with fewer privileges by default (users can change that if they want)
2) Run snort as "nobody" and put a message in snort.install showing how to change the user/group that snort runs as.
I think the first option is better.
I agree. Personally, I try to create a new user (and sometimes a chroot) for every publicly facing service that can be run as non-root. I think it would be awesome if more packages did this for me. I don't see the downside to having lots of users, supposing the mapping is clear.
* Hugo Doria <hugodoria@gmail.com> wrote:
The problem of using the user "nobody" is that if it is used for various services, and one of these is compromised it can also affect snort.
IMHO, we have two options:
1) Create a "snort" user/group and provide a package with fewer privileges by default (users can change that if they want)
2) Run snort as "nobody" and put a message in snort.install showing how to change the user/group that snort runs as.
I think the first option is better.
I also vote for the first option, but we need some place where all uids/gids are listed. The wiki is the right place for doing that. Snowman started such a list in May 2008, as you can see here: http://wiki.archlinux.org/index.php/DeveloperWiki:UID_/_GID_Database
A second approach I would prefer over the first option mentioned above is the following. In the PKGBUILD, these two options in 3 variants:
1) user1/group1 are listed in a database of pacman:
   require_user('user1')
   require_group('group1')
2) user1 gets uid1, which is defined in the PKGBUILD file; group1 is taken from the database:
   require_user('user1:uid1')
   require_group('group1')
3) user1/group2 become some random uid (ranges are set in pacman.conf); group2 will be set to gid2:
   require_user('user1:random')
   require_group('group1:random' 'group2:gid2')
-- regards, TR
On Sun, Jul 20, 2008 at 5:02 AM, Tino Reichardt <list-arch@mcmilk.de> wrote:
I also vote for the first option, but we need some place where all uids/gids are listed. The wiki is the right place for doing that.
Snowman started such a list in May 2008, as you can see here: http://wiki.archlinux.org/index.php/DeveloperWiki:UID_/_GID_Database
I am not able to edit this page. Can someone reserve UID/GID 29 for snort? -- Hugo
Aaron Griffin wrote:
On Thu, Jul 17, 2008 at 10:40 AM, Hugo Doria <hugodoria@gmail.com> wrote:
This way snort can work out of the box with fewer privileges. Anyone who wants can put snort to run with another user.
And, in any case, this email was just a question.
I don't see why people have such an issue with creating UIDs/GIDs out of the box. I don't have a problem with it, as long as we don't do it on every flippin package under the sun. Is it possible to use 'nobody' for snort, or is there a security risk there too?
Have I heard someone saying "sensible defaults" ? Armando
Aaron Griffin wrote:
On Thu, Jul 17, 2008 at 10:40 AM, Hugo Doria <hugodoria@gmail.com> wrote:
This way snort can work out of the box with fewer privileges. Anyone who wants can put snort to run with another user.
And, in any case, this email was just a question.
I don't see why people have such an issue with creating UIDs/GIDs out of the box. I don't have a problem with it, as long as we don't do it on every flippin package under the sun. Is it possible to use 'nobody' for snort, or is there a security risk there too?
What if I want to run snort under for example "security_user". Now I have a cluttered passwd file due to the post-install script. And if I manually remove the snort user, the pre-remove will probably error out too. Glenn
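Two concrete points come up in this thread: reserving UID/GID 29 for snort (Hugo's request after Tino's list) and Glenn's worry that a post-install script which creates the account unconditionally leaves a pre-remove that errors out once the admin has deleted or replaced that account by hand. The sketch below is an added example, not the snort package's actual snort.install and not code from any participant; it shows one way a pacman install script can do both: use the reserved id only if it is still free, skip creation when the account already exists, and only delete in pre_remove what is actually present. The names snort and id 29 come from the thread; the PASSWD_FILE/GROUP_FILE variables and the helper names name_exists, id_taken and id_flag are this example's own assumptions, there so the checks can be exercised against constructed passwd/group files without root.

```shell
# Added example (not from the thread or the Arch snort package).
# Defaults point at the real account files; override to test without root.
PASSWD_FILE="${PASSWD_FILE:-/etc/passwd}"
GROUP_FILE="${GROUP_FILE:-/etc/group}"
SNORT_ID=29   # UID/GID requested for snort in the thread

# Does an entry named $1 exist in the passwd/group-format file $2? (field 1)
name_exists() {
    awk -F: -v n="$1" '$1 == n { found = 1 } END { exit !found }' "$2"
}

# Is numeric id $1 already taken in the passwd/group-format file $2? (field 3)
id_taken() {
    awk -F: -v i="$1" '$3 == i { found = 1 } END { exit !found }' "$2"
}

# Print the groupadd/useradd id flag: "-g 29" / "-u 29" if the reserved id is
# free, nothing otherwise, so the tool picks a free id and install never fails.
# $1 = flag letter (g or u), $2 = wanted id, $3 = file to check
id_flag() {
    if id_taken "$2" "$3"; then
        echo ""
    else
        echo "-$1 $2"
    fi
}

post_install() {
    # Group first, so the user can be placed in it.
    if ! name_exists snort "$GROUP_FILE"; then
        # shellcheck disable=SC2046  # word-splitting the flag is intended
        groupadd $(id_flag g "$SNORT_ID" "$GROUP_FILE") snort
    fi
    if ! name_exists snort "$PASSWD_FILE"; then
        # No login shell, no home, no password: the account exists only so
        # snort can drop root after opening the interface.
        # shellcheck disable=SC2046
        useradd $(id_flag u "$SNORT_ID" "$PASSWD_FILE") -g snort -d / -s /bin/false snort
    fi
}

pre_remove() {
    # Glenn's case: the admin already removed the account, or runs snort as
    # another user. Remove only what is still there so the hook cannot error out.
    if name_exists snort "$PASSWD_FILE"; then
        userdel snort
    fi
    if name_exists snort "$GROUP_FILE"; then
        groupdel snort
    fi
}
```

Running post_install twice is harmless, and pre_remove succeeds whether or not the snort user is still in /etc/passwd; if id 29 is already in use on a given box the account is still created, just with a different id, which is the fallback Tino's "random" variant describes.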
On Friday 18 July 2008 10:46:17 RedShift wrote:
I don't see why people have such an issue with creating UIDs/GIDs out of the box. I don't have a problem with it, as long as we don't do it on every flippin package under the sun. Is it possible to use 'nobody' for snort, or is there a security risk there too?
What if I want to run snort under for example "security_user". Now I have a cluttered passwd file due to the post-install script. And if I manually remove the snort user, the pre-remove will probably error out too.
Glenn
What about just giving up this useless discussion with people who don't even agree on the base concept?
- They like the out of the box experience.
- They disrespect the upstream.
- They disrespect their own policies.
- They assume every user is a retard.
- They don't maintain production servers.
- This shit is continuing silently without notice anyway.
I strongly believe that keeping the heat up here just blocks arch from getting more "new" users and devs, which is what they obviously want, and at the same time doesn't really help us having working machines. I suggest doing what has to be done: fork. We need to unpatch packages locally anyway in order to make them work, so I suggest just uploading those packages to a common repo.
-- kind regards / best regards Arvid Ephraim Picciani
On Fri, Jul 18, 2008 at 3:27 PM, Arvid Ephraim Picciani <aep@ibcsolutions.de> wrote:
On Friday 18 July 2008 10:46:17 RedShift wrote:
I don't see why people have such an issue with creating UIDs/GIDs out of the box. I don't have a problem with it, as long as we don't do it on every flippin package under the sun. Is it possible to use 'nobody' for snort, or is there a security risk there too?
What if I want to run snort under for example "security_user". Now I have a cluttered passwd file due to the post-install script. And if I manually remove the snort user, the pre-remove will probably error out too.
Glenn
What about just giving up this useless discussion with people who don't even agree on the base concept?
- They like the out of the box experience.
- They disrespect the upstream.
- They disrespect their own policies.
- They assume every user is a retard.
- They don't maintain production servers.
- This shit is continuing silently without notice anyway.
I strongly believe that keeping the heat up here just blocks arch from getting more "new" users and devs, which is what they obviously want, and at the same time doesn't really help us having working machines. I suggest doing what has to be done: fork. We need to unpatch packages locally anyway in order to make them work, so I suggest just uploading those packages to a common repo.
Woah... you need a tissue?
On Friday 18 July 2008 23:32:02 Aaron Griffin wrote:
On Fri, Jul 18, 2008 at 3:27 PM, Arvid Ephraim Picciani
Woah... you need a tissue?
huh? Actually I expected you to write something like "yeah, gtfo finally". I didn't mean to complain. In fact I suggested to stop complaining, since it's a waste of time for both sides.
-- kind regards / best regards Arvid Ephraim Picciani
participants (7)
- Aaron Griffin
- Armando M. Baratti
- Arvid Ephraim Picciani
- Hugo Doria
- Luke S Crawford
- RedShift
- Tino Reichardt