Investigate exozyme API security issues #147

Closed
opened 1 month ago by Ta180m · 5 comments
Ta180m commented 1 month ago
Owner

Currently, we run the [API](https://git.exozy.me/exozyme/scripts/src/branch/main/api.py) as root which isn't the best for security. We do this because the `adduser` script needs root permissions to configure users. However, we should ideally run the API primarily under a different user and maybe use some custom `sudoer` configs to give that user permission to run a few certain commands.
Ta180m added the
security
bug
enhancement
labels 1 month ago
Ta180m added this to the Issues project 1 month ago
Poster
Owner

I think the safest option would be to use a setuid program called `configure-user` for configuring users in `adduser`. The API would be run under a separate user.
Ta180m added this to the v9.0 milestone 1 month ago
Poster
Owner

Also, there's the question of whether we should package the API for Arch or for Nix since we might be switching to NixOS in the future.
Poster
Owner

> I think the safest option would be to use a setuid program called `configure-user` for configuring users in `adduser`. The API would be run under a separate user.

If anyone wants to help, I'd like to have someone review the security of the proposal above. It might still have some security holes.
Poster
Owner

The problem is that we don't want the `exoapi` user that's running the API to have access to the LDAP password since if they're compromised, they can access password hashes and manipulate the DB and other fun stuff.
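An added sketch (not the project's own code) of the layout discussed in this thread: the API runs as the unprivileged `exoapi` user, is allowed to invoke exactly one privileged helper through sudo, and never holds the LDAP credential itself. The helper path, the sudoers rule and the username pattern are assumptions.

```python
import os
import re
import subprocess
import sys

# Constructed example of the privilege-separated design discussed above:
# the API process runs as the unprivileged `exoapi` user and may run exactly
# one privileged helper through a narrow sudoers rule. The helper path is an
# assumption, not the project's own.
CONFIGURE_USER = "/usr/local/bin/configure-user"

# Assumed sudoers fragment, installed with visudo as /etc/sudoers.d/exoapi:
#   exoapi ALL=(root) NOPASSWD: /usr/local/bin/configure-user
# Only that one command is granted, and the LDAP credential lives in the
# helper's root-only config, so a compromised exoapi never reads it.
# A rule with no argument list lets sudo pass any arguments through, so the
# caller and the helper must both validate the username.

# Conservative login name: leading letter or underscore, then letters, digits,
# underscore or hyphen, 32 characters at most. A leading hyphen can never
# match, so the name is never mistaken for an option by the helper.
_USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")


def validate_username(name: str) -> bool:
    """Return True only for names safe to hand to the privileged helper."""
    return bool(_USERNAME_RE.fullmatch(name))


def configure_user_command(name: str) -> list:
    """Build the exact argv; raise ValueError for anything not allowed."""
    if not validate_username(name):
        raise ValueError("rejected username: %r" % (name,))
    # -n: never prompt; a missing or wrong sudoers rule fails fast instead
    # of hanging the API waiting for a password.
    return ["sudo", "-n", CONFIGURE_USER, name]


def configure_user(name: str, run=subprocess.run) -> int:
    """Run the helper as an argv list (no shell) and return its exit code."""
    # `run` is injectable so the logic can be exercised without sudo present.
    return run(configure_user_command(name), check=False).returncode


if __name__ == "__main__":
    if os.geteuid() == 0:
        raise SystemExit("refusing to run as root; run as the exoapi user")
    sys.exit(configure_user(sys.argv[1]))
```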
Ta180m added a new dependency 2 weeks ago
Ta180m started working 3 days ago
Ta180m stopped working 3 days ago
2 hours 38 minutes
Ta180m added the
wontfix
label 3 days ago
Poster
Owner

The API was discontinued in #162.
Ta180m closed this issue 3 days ago
Reference: exozyme/exozyme#147