[HECnet] PyDECnet File Transfer Support?

Paul Koning paulkoning at comcast.net
Wed Dec 22 14:00:07 PST 2021



> On Dec 22, 2021, at 4:45 PM, Mark J. Blair <nf6x at nf6x.net> wrote:
> 
> 
> 
>> On Dec 22, 2021, at 1:40 PM, Robert Armstrong <bob at jfcl.com> wrote:
>> 
>> Please give us (pyDECnet users) a way to disable it - pyDECnet runs as
>> root and I'm not really comfortable having it become a program that can
>> remotely read or write files on my system.
> 
> Agreed! It seems like something that should be an optionally-enabled feature, and something that can't serve anything outside of a specified directory tree (security bugs notwithstanding). Write-only and read-only directories would be helpful, though that may come for free just by using host filesystem permissions.
> 
> Hmm, I do have pyDECnet running as root here at home. I'll look into changing that. ISTR that I set it up to run under a non-root account at work, but it'll be 2022 before I can easily verify that.

You have to run it as root if it needs privs for some network service it uses.  For example, GRE may require that since it's a raw-packet mode.  UDP or TCP probably do not.  Direct Ethernet access may or may not, it depends on the OS.  (It doesn't on my Mac, for example.)

But apart from cases like that, you can definitely run it as not-root.  In fact, you can tell it to change UID and/or GID at startup, and also do chroot if you like.  I do that for the mapper, not because it really seems to be necessary but because I wanted to have a test case for that feature:

ExecStart=/usr/local/bin/pydecnet /etc/sysconfig/decnet/28nh.conf /etc/sysconfig/decnet/http-28nh.conf --log-config /home/decnet/dev-logging-map.yaml --pid-file /db/pydecnet.pid --chroot /home/decnet --uid nobody --daemon

	paul
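
An added example, not part of the original message and not PyDECnet's own code: a sketch of the order in which a root-started Python daemon has to perform the chroot and UID/GID change that the --chroot and --uid options above ask for. The function name drop_privileges and its osmod parameter are hypothetical, and defaulting the GID to the user's primary group is a choice made for this example.

```python
import grp
import os
import pwd


def drop_privileges(user=None, group=None, chroot_dir=None, osmod=os):
    """Enter a chroot and give up root; returns the (uid, gid) now in effect.

    user/group may be names or numeric ids. osmod is a hypothetical seam
    that lets the call order be traced without actually being root.
    """
    # 1. Resolve names first: /etc/passwd and /etc/group are normally
    #    not reachable once the process is inside the chroot.
    uid = gid = None
    if user is not None:
        if isinstance(user, int):
            uid = user
        else:
            entry = pwd.getpwnam(user)
            uid = entry.pw_uid
            if group is None:
                gid = entry.pw_gid  # example's choice: user's primary group
    if group is not None:
        gid = group if isinstance(group, int) else grp.getgrnam(group).gr_gid

    # 2. chroot() needs root, so it has to come before the UID change.
    if chroot_dir is not None:
        osmod.chroot(chroot_dir)
        osmod.chdir("/")  # else the cwd may still refer to a path outside the new root

    # 3. Groups before user: after setuid() the process can no longer change them.
    if gid is not None:
        osmod.setgroups([])  # discard root's supplementary groups
        osmod.setgid(gid)
    if uid is not None:
        osmod.setuid(uid)
        # 4. Confirm the drop is permanent: regaining root must fail.
        try:
            osmod.setuid(0)
        except PermissionError:
            pass
        else:
            raise RuntimeError("privilege drop is reversible")
    return osmod.getuid(), osmod.getgid()
```

Any privileged socket (raw packet, GRE) has to be opened before this function is called, since the process cannot get it afterwards.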




