Am Donnerstag, dem 28.10.2021 um 14:24 +0800 schrieb Jason L. Quinn: > Package: monopd > Version: 0.10.2-4 > Severity: grave > Tags: security > Justification: user security hole > X-Debbugs-Cc: jason.lee.quinn+deb...@gmail.com, Debian Security Team > <t...@security.debian.org> > > Dear Maintainer, > > Recently upgraded from Buster to Bullseye. I'm not perusing > "journalctl --boot" looking for errors and warnings and submitting > bug reports as I tend to do after a Debian upgrade. One of the curious > lines in my journal logs was > > /lib/systemd/system/monopd.service:8: Special user nobody configured, this is > not safe! > > This does indeed appear to be a valid systemd warning. See commit at > > https://github.com/systemd/systemd/commit/bed0b7dfc0070e920d00c89d9a4fd4db8d974cf0 > > Marked as grave as per bug descriptions in the reportbug tool (introduces a > security hole).
I don't think this constitutes a grave security issue alone just because the server starts with owner nobody permissions which has been the case for the past 18 years by the way. You need some kind of exploit and services/files of the same owner to manipulate which is unlikely given that possibly only two people in the world including myself run a monopoly server in a "production" environment. I agree that we can use systemd's DynamicUser feature in this case and tighten the permissions because it implies ProtectSystem=strict and PrivateTmp=yes. I need to figure out if we need more permissions but probably not. Regards, Markus
signature.asc
Description: This is a digitally signed message part
