I'm sorry that I have not yet returned to review the new version; this is written without having read the new changes.
On Mon, Feb 10, 2020 at 11:33:27AM -0000, Christian Ehrhardt wrote: > > > - the service should not run as root, use PrivateTmp and maybe a few > > > other systemd service isolations > > > > I've forwarded this recommendation, too: > > https://github.com/aws/aws-ec2-instance-connect-config/issues/14 > > > > Thanks for forwarding, but IMHO it needs to be resolved before promotion. > I'm sure security would prefer having that as well - @sarnold - opinions on > this detail? I'm less sure: I also have the instinct to run new services in new user ids but this authentication mechanism will allow (or forbid) logins root privileges. If it is compromised it can grant root privileges. If it is broken it can prevent legitimate users from gaining root privileges when needed. It's very nearly root-equivalent regardless of how it runs. Using a different user account increases the complexity, which this service already has in spades. However, a different user account may limit what resources are silently or invisibly used by the service, which may limit future complexity growth. > If "it will only be on EC2" would be a hard fact we can rely upon it would > not need the majority of pre-checks at all. I'm concerned about system images being shared amongst private and public clouds, or different public clouds, or between public clouds and local development. I know those checks are burdensome but I would rather have them than not. If this service runs elsewhere it may represent an instant remote code execution mechanism. Thanks -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1835114 Title: [MIR] ec2-instance-connect To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/ec2-instance-connect/+bug/1835114/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
