Investigate exozyme API security issues #147

Closed
opened 2022-05-24 17:41:12 +00:00 by a · 5 comments
Owner

Currently, we run the [API](https://git.exozy.me/exozyme/scripts/src/branch/main/api.py) as root which isn't the best for security. We do this because the `adduser` script needs root permissions to configure users. However, we should ideally run the API primarily under a different user and maybe use some custom `sudoer` configs to give that user permission to run a few certain commands.
a added the security, bug, enhancement labels 2022-05-24 17:41:12 +00:00
a added this to the (deleted) project 2022-05-24 17:41:12 +00:00
Author
Owner

I think the safest option would be to use a setuid program called `configure-user` for configuring users in `adduser`. The API would be run under a separate user.
a added this to the v9.0 milestone 2022-05-24 19:42:16 +00:00
a added a new dependency 2022-05-27 19:40:46 +00:00
Author
Owner

Also, there's the question of whether we should package the API for Arch or for Nix since we might be switching to NixOS in the future.
Author
Owner

> I think the safest option would be to use a setuid program called `configure-user` for configuring users in `adduser`. The API would be run under a separate user.

If anyone wants to help, I'd like to have someone review the security of the proposal above. It might still have some security holes.
Author
Owner

The problem is that we don't want the `exoapi` user that's running the API to have access to the LDAP password since if they're compromised, they can access password hashes and manipulate the DB and other fun stuff.
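Added example (not exozyme's code, and not reviewed by the project): a minimal setuid-root helper of the shape proposed above as `configure-user`, written to illustrate the two points raised in the thread, that the API runs as a separate user and that the LDAP credential must stay out of that user's reach. The helper admits only one caller account, accepts exactly one argument, allowlists it as a POSIX portable username before anything runs as root, then execs a fixed-path privileged script with a fixed environment. The account name `exoapi` is taken from the previous comment; the script path `/usr/local/lib/exozyme/configure-user.real` and the idea that that script reads the LDAP password from a root-only file are assumptions for the example.

```c
#include <ctype.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Assumed values for the example; the issue names neither the account
 * (beyond `exoapi`) nor where the privileged script lives. */
#define ALLOWED_CALLER "exoapi"
#define REAL_HELPER    "/usr/local/lib/exozyme/configure-user.real"
#define MAX_USERNAME   32

/* Accept only [a-z_][a-z0-9_-]{0,31}: the POSIX portable username charset.
 * Capitals, '/', '..', whitespace and a leading '-' (which the privileged
 * script could parse as an option) are all rejected before the argument
 * reaches anything running as root. */
int valid_username(const char *name)
{
    size_t n = strlen(name);
    if (n == 0 || n > MAX_USERNAME)
        return 0;
    if (!(islower((unsigned char)name[0]) || name[0] == '_'))
        return 0;
    for (size_t i = 1; i < n; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!(islower(c) || isdigit(c) || c == '_' || c == '-'))
            return 0;
    }
    return 1;
}

/* Gate on the real uid: under setuid-root the effective uid is always 0,
 * so it says nothing about who actually invoked the helper. */
int caller_allowed(uid_t real_uid, uid_t allowed_uid)
{
    return real_uid == allowed_uid;
}

int main(int argc, char **argv)
{
    if (argc != 2) {
        fprintf(stderr, "usage: configure-user <username>\n");
        return 2;
    }

    struct passwd *pw = getpwnam(ALLOWED_CALLER);
    if (pw == NULL || !caller_allowed(getuid(), pw->pw_uid)) {
        fprintf(stderr, "configure-user: caller is not %s\n", ALLOWED_CALLER);
        return 1;
    }

    if (!valid_username(argv[1])) {
        fprintf(stderr, "configure-user: invalid username\n");
        return 1;
    }

    /* Make the real uid 0 as well, so the unprivileged caller cannot trace
     * or signal the child and root survives the exec. This fails, and the
     * helper bails out, if the binary was installed without the setuid bit. */
    if (setuid(0) != 0) {
        perror("configure-user: setuid");
        return 1;
    }

    /* Fixed argv and a minimal, caller-independent environment: the script
     * is run by absolute path with exactly one validated argument. The LDAP
     * password is read by that script from a root-only file (assumption);
     * the exoapi process never holds it. */
    char *const args[] = { "configure-user.real", argv[1], NULL };
    char *const envp[] = { "PATH=/usr/sbin:/usr/bin:/sbin:/bin", NULL };
    execve(REAL_HELPER, args, envp);
    perror("configure-user: execve");
    return 1;
}
```

Install it `chown root:exoapi` and `chmod 4750` so only members of the `exoapi` group can execute it at all, and keep the API side to an argv-list call with no shell in between. The sudoers route from the issue description is the same design with the privilege step moved into sudo: a rule like `exoapi ALL=(root) NOPASSWD: /usr/local/bin/configure-user` (an assumed example rule) and a non-setuid helper that does the same argument validation.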
a added a new dependency 2022-06-15 16:35:50 +00:00
a started working 2022-06-25 20:44:26 +00:00
a stopped working 2022-06-25 23:22:32 +00:00
2 hours 38 minutes
a added the wontfix label 2022-06-25 23:37:36 +00:00
Author
Owner

The API was discontinued in #162.
a closed this issue 2022-06-25 23:37:48 +00:00