Package: shadowsocks-libev
Version: 3.3.0+ds-1
Severity: important

Please do not run daemons as nobody - nobody is a special user
for NFS to map unknown user ids to. It's also not exclusive to
your service, so other services might be using it.

I'd suggest you use

[Service]
DynamicUser=true

in the systemd services to fix this, so that systemd takes care of
the user management dynamically (this will create users dynamically
while the service is running using the service name (before @) as
the user name).

I might be opening two more bugs soon I guess, they are not ready
yet:

1) please add apparmor profiles

   I currently have

        # cat /etc/apparmor.d/usr.bin.ss-server
        #include <tunables/global>

        /usr/bin/ss-server {
          #include <abstractions/base>
          #include <abstractions/nameservice>
        
          /etc/shadowsocks-libev/*.json r,
          /lib/x86_64-linux-gnu/ld-*.so mr,
          /usr/bin/ss-server mr,
        }

   but this needs a bit more work to be shipped by default IMO.

2) please use systemd service restrictions (capability limiting,
   namespacing, r/o system directories, etc.; systemd-resolved's
   service is a good example). Have not tried that yet.


-- System Information:
Debian Release: buster/sid
  APT prefers eoan
  APT policy: (991, 'eoan'), (500, 'eoan'), (500, 'cosmic-security')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.2.0-9-generic (SMP w/8 CPU cores)
Kernel taint flags: TAINT_WARN, TAINT_OOT_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages shadowsocks-libev depends on:
ii  libbloom1       1.5-5
ii  libc-ares2      1.15.0-1
ii  libc6           2.29-0ubuntu3
ii  libcap2-bin     1:2.25-2
ii  libcork16       0.15.0+ds-12
ii  libcorkipset1   1.1.1+20150311-8
ii  libev4          1:4.27-1
ii  libmbedcrypto3  2.16.2-1
ii  libpcre3        2:8.39-12
ii  libsodium23     1.0.17-1
ii  lsb-base        10.2019051400ubuntu1

shadowsocks-libev recommends no packages.

Versions of packages shadowsocks-libev suggests:
pn  haveged      <none>
pn  kcptun       <none>
pn  simple-obfs  <none>

-- no debconf information

-- 
debian developer - deb.li/jak | jak-linux.org - free software dev
ubuntu core developer                              i speak de, en
