argument to change uid/gid

[cathugger]

different from #817 in that it can resolve user names, automatically use user's primary gid & allows specifying gid in the same argument, with : eg username:groupname.
feel free to criticize & suggest different argument name & description because i didn't put much of thought to that.

[Arceliar]

It may make sense to change to nobody:nobody by default, so things are a little less unsafe for people who just sudo yggdrasil -autoconf or similar. Thoughts @neilalexander?

[rany2]

@Arceliar I think it should be noted that nobody:nobody is not standard across Linux distros. For example, Debian and friends use nobody:nogroup instead. We should check which group is available first or maybe use something like Dynamic Users in systemd (use a random UID/GID that's currently not in use by the system).

[cathugger]

could just use nobody and maybe it would just resolve primary group on its own i think?
also would need to check UID being 0 before doing chuser by default (as this can be started as own user if right caps are given).
and opting out may be kinda uglier - manually specifying empty user string, though i can't really find many reasons of opting out, other than some possible exotic distributions/installations without proper user databases - which i guess i could imagine in some sterilized docker environments or routers but i don't really know how common, and probably checking existence of nobody user before deciding to default to chuser'ing to it would make sense - and we could just check database before setting default to nobody, likely writing function in chuser_unix.go for that (& stub returning empty string in chuser_other.go).
Requesting opinions for this mindfuzz of mine i guess

[cathugger]

I thought about this a bit more and probably programming in this kind of logic into daemon itself is too much of a magical behavior imo, and this should be provided in distributions' .service files instead.

[rany2]

well there isn't any need for this to be in any distro, Debian has a pretty hardened default that runs as yggdrasil user from the start. I think all you need to get it to work is CAP_NET_ADMIN, I think this is how Debian configured their OpenVPN services too

[cathugger]

I see. This packaging is indeed fairly good. This has gotten a bit offtopic, but it would be cool if one could specify default socket / config path at compile time (eg using go build -ldflags="-X defaults.defaultAdminListen=unix:///var/run/yggdrasil/yggdrasil.sock") so that linux distros wouldn't need patches there to achieve saner packaging.
Either way this repo's systemd files suck at running non-root, and so consequentially do vendor (not official debian's) debs and archlinux package.

[neilalexander]

On the whole, I'm very pro-having separate flags for UID and GID, because then it is clearer that we can do one without the other, and it is easier for packagers to do the right thing for their distribution/platform.

I'm not entirely sure whether we want to do that by default — we could certainly do some testing to see how it feels. The main thing I can think of that might break is setting up new multicast sockets when an interface disappears and reappears later but we've already dropped privileges, but maybe it'll be OK?

[neilalexander]

Actually isn't that what #817 is doing?

[cathugger]

#817 can take only numeric UID/GIDs, which is unwieldy.

because then it is clearer that we can do one without the other

why would you want do one but not another? everywhere i looked around, one either wants to set uid and also gid to primary group of uid, or uid/gid separate, which is also possible. with this implementation, one can also set gid without uid (eg -user ":groupname" or -user ":gid"), though it may be a little bit unobvious, but why would you want to not drop root?

if you think that instead of using -user uid:gid syntax we should do -uid user -gid group, i can change to that too, looks like a minimal change to me.

The main thing I can think of that might break is setting up new multicast sockets when an interface disappears and reappears later but we've already dropped privileges, but maybe it'll be OK?

that's sorta fundamentally incompatible with privilege dropping tbh. on linux, we could probably do some magic with caps and reserve the right to deal with interfaces, but on other unixes we can't. restarting daemon when new interfaces to be managed pop up could probably make sense, but i don't quite feel that's what yggdrasil should do on its own either.

[cathugger]

unless multicast actually works without requiring root (i somehow confused it with managing interfaces, and using multicast aint that)

[cathugger]

I looked around a bit, and git daemon implements this in a bit cleaner way, maybe, command line arguments wise:

   --user=<user>, --group=<group>
       Change daemon's uid and gid before entering the service loop. When
       only --user is given without --group, the primary group ID for the
       user is used. The values of the option are given to getpwnam(3) and
       getgrnam(3) and numeric IDs are not supported.

       Giving these options is an error when used with --inetd; use the
       facility of inet daemon to achieve the same before spawning git
       daemon if needed.

       Like many programs that switch user id, the daemon does not reset
       environment variables such as $HOME when it runs git programs, e.g.
       upload-pack and receive-pack. When using this option, you may also
       want to set and export HOME to point at the home directory of
       <user> before starting the daemon, and make sure any Git
       configuration files in that directory are readable by <user>.

Though nsd for example uses different syntax, using -u and taking in username, id, or id.gid, which is more similar to what I've implemented here.
I think that current implementation is kinda fine, but maybe documentation could be improved, but I can't really think of anything good atm.

[cathugger]

rebased.

does this need any further work?
should I change argument format / documentation? current stuff is kinda unclear a bit imo but does anyone else find that to be an issue?
splitting to two arguments could make argument documentation easier too probably.
i think multicast stuff should work fine with this unless multicast port is picked to be <=1024.

[neilalexander]

I haven't forgotten about this — I'd like to get this merged in some shape or other, but let's wait until the v0.5 branch is a bit cleaner before rebasing there.

[neilalexander]

If you're happy to rebase one last time on top of develop, let's get this merged for v0.5.

[cathugger]

@neilalexander done.
was away from this account while recovering from btrfs corruption.

[klemensn]

Why not just strings.Split(user, ':')?

[cathugger]

IndexByte is probably speediest as Split allocates slice and uses string for splitting.
Cut would probably be more fitting here API niceness wise, but I'm not sure if really worth changing at this point.

[klemensn]

IndexByte is probably speediest as Split allocates slice and uses string for splitting.

This code runs once, it is not a hot path.

Cut would probably be more fitting here API niceness wise, but I'm not sure if really worth changing at this point.

Sure, either way looks cleaner than manual indexing.

[klemensn]

Why parse it yourself? You can try a name lookup, fallback to UID on error and return if that fails, too, just like getpwnam(3) behaves:

if u, err = osuser.Lookup(user); err != nil {
    if u, err = osuser.LookupId(user); if err != nil {
        return err
    }
}

[cathugger]

this PR introduced as replacement for one that only used numeric IDs so I preserved ability to do chown/chgrp without passwords database file being present in system.
LookupId depends on /etc/passwd being present which is technically not a necessity.

[cathugger]

nvm we do LookupId after this anyway so it's a moot point.

[cathugger]

parsing before potentially IO hitting pw database lookup is probably what i thought back when i wrote this.

[klemensn]

this PR introduced as replacement for one that only used numeric IDs so I preserved ability to do chown/chgrp without passwords database file being present in system.

Do these systems exist? Are they relevant?

LookupId depends on /etc/passwd being present which is technically not a necessity.

The next line uses that function, so this did not go as planned.

So you might as well clean it up, imho.

[cathugger]

as I've mentioned in following comments, yes, this needs pw database anyways, but i prefer minimizing potentially latency introducing tasks (like opening/closing passwd file) even if they're done at init time, so it's guarded by fast parseuint check. it's a matter of taste, eliminating that goes into category of nitpicking IMO.

[klemensn]

Questionable for this API to return the ID for a known-to-exist group as string...

[klemensn]

os/user returns ID strings that were "validated" with strconv.Atoi() which returns int, so this should always be true.

[cathugger]

had to dig deep to confirm this but indeed.
also could probably be <=.
feel free to make a PR if you care for this as this looks like something code being saner internally not something that'll lead to bugs.

[klemensn]

feel free to make a PR if you care for this as this looks like something code being saner internally not something that'll lead to bugs.

Either that or a clean(er) chuser_bsd.go implementation, should I ever start using this option.

Point being: Complexity hides bugs, so code ought to be as simple as possible.

To my eye, multiple Lookup*() and Parse*() are not as trivial to reason about as it could be.

[cathugger]

without digging deep into the source of osuser.LookupId one can't even know whether these ints were checked so I'm not sure complexity argument is even applicable here, it's more complex to verify whether the code is correct if there is no check.
my gut instinct when API doesn't tell stuff like returned ranges of ints to just check myself, because checking more usually catches more bugs than not checking stuff like returns.
IMO if check is eliminated, then strconv.Atoi() check behavior should be documented in comment, as otherwise it won't end up more simple.

[cathugger]

also uint32 vs int is potentially hell on its own due to int being 64bit on 64bit systems and strconv.Atoi() ending up verifying different on 32bit vs 64bit systems but honestly systems just don't use ints as large as these for UIDs/GIDs anyways so i can't really care abt this.

[cathugger]

87fa0a8 apparently was someone's else's change too but I can't argue one way or another abt it.

[cathugger]

to satisfy faulty Code scanning / CodeQL warnings out of all the things

[klemensn]

to satisfy faulty Code scanning / CodeQL warnings out of all the things

This looks related over at #1202:

[klemensn]

feel free to make a PR if you care for this as this looks like something code being saner internally not something that'll lead to bugs.

• -user '' silently ignored and the process continues without error or change in privilege.
• -user ':' as well.
• -user :group changes just the group and not the user, contrary to what the usage says:

  -user string
    	user (and, optionally, group) to set UID/GID to

I did fix these now in #1203.

[klemensn]

The main goroutine changing user/group to drop privileges is racing against others creating a tun(4) interface, raw socket for routing and UNIX socket as control interface, i.e. startup can fail now as yggdrasil may drop to an unprivileged user before having completed all privileged tasks.

# yggdrasil -autoconf -user nobody
2024/11/02 20:24:32 Build name: yggdrasil-go
2024/11/02 20:24:32 Build version: 0.5.9
2024/11/02 20:24:32 Your public key is 82ff9b15b30dc6e460f907cb3aecbe664c024c101efa773b3ecdccf1cb72d818
2024/11/02 20:24:32 Your IPv6 address is 200:fa00:c9d4:99e4:7237:3e0d:f069:8a26
2024/11/02 20:24:32 Your IPv6 subnet is 300:fa00:c9d4:99e4::/64
2024/11/02 20:24:32 Interface name: tun0
2024/11/02 20:24:32 Interface IPv6: 200:fa00:c9d4:99e4:7237:3e0d:f069:8a26/7
2024/11/02 20:24:32 Interface MTU: 16384
2024/11/02 20:24:32 Admin socket failed to listen: listen unix /var/run/yggdrasil.sock: bind: permission denied

Rerun this a few times; sometimes the control socket gets created as root, sometimes it fails to create it as nobody:

$  ls -ld /var/run/
drwxr-xr-x  7 root  wheel  512 Nov  2 20:31 /var/run

[klemensn]

This code fails to unset supplementary groups, i.e. the process retains whatever access it had even after dropping to a different user and group:

# id                                                   
uid=0(root) gid=0(wheel) groups=0(wheel), 2(kmem), 3(sys), 4(tty), 5(operator), 20(staff), 31(guest)
# ./yggdrasil -autoconf -logto /dev/null -user nobody &
[1] 4337
# ps -o command,user,group,supgrp -U nobody
COMMAND          USER     GROUP    SUPGRP
./yggdrasil -aut nobody   nobody   wheel,kmem,sys,tty,operator,staff,guest                         

Thus the process still has permissions to open, e.g. a 660 root:wheel file, which is bad.