Opened 11 years ago

Last modified 6 years ago

#415 assigned Bug/Something is broken

limit scope of privilege within red

Reported by: Daniel Kahn Gillmor
Owned by: Jamie McClelland
Priority: Low
Component: Tech
Keywords: red
Cc:
Sensitive: no


in #407, jamie wrote:

The red server, though, runs as root (that's how it creates new users, etc) so it will always be able to read keys.

It might be worthwhile at some point to separate out the privileges needed by the red server, and make them specific subcommands that only the red user can run. Those subcommands can then be made to run as the superuser, but the generalized network process itself could be given lower privileges.

djb's "Some thoughts on security after 10 years of qmail" paper is worth reading to start thinking in more detail about this type of privilege isolation.
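One way the split proposed in this ticket could look, as an added example that is not red's own code: a small root-only helper exposing fixed subcommands, reached through sudo by an unprivileged network process. The helper name `red-priv`, its path, the `red` account name in the sudoers line, the `lock-user` subcommand and the `RED_PRIV_DRY_RUN` switch are all assumptions made for illustration.

```shell
#!/bin/sh
# Hypothetical root helper "red-priv" (name, path and subcommands are assumed).
# Assumed deployment: file is root-owned, and sudoers lets only the
# unprivileged network account run it, e.g.
#   red ALL=(root) NOPASSWD: /usr/local/sbin/red-priv
# The network process then calls: sudo /usr/local/sbin/red-priv create-user alice
LC_ALL=C; export LC_ALL   # make [a-z] mean ASCII lowercase only

# Accept only short lowercase account names. This rejects a leading "-"
# (option injection), "/" and "..", whitespace and shell metacharacters.
valid_username() {
    case "$1" in
        ''|[!a-z]*|*[!a-z0-9_-]*) return 1 ;;
    esac
    [ "${#1}" -le 32 ]
}

# Map one allow-listed subcommand to one fixed command line; nothing the
# caller sends is ever evaluated as shell. RED_PRIV_DRY_RUN=1 prints the
# command instead of running it.
red_priv() {
    [ "$#" -eq 2 ] || { echo "usage: red-priv SUBCOMMAND USERNAME" >&2; return 64; }
    valid_username "$2" || { echo "red-priv: rejected username" >&2; return 65; }
    case "$1" in
        create-user) set -- /usr/sbin/useradd --create-home "$2" ;;
        lock-user)   set -- /usr/sbin/usermod --lock "$2" ;;
        *) echo "red-priv: unknown subcommand" >&2; return 64 ;;
    esac
    if [ "${RED_PRIV_DRY_RUN:-0}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Run only when invoked with arguments, so the file can also be sourced.
if [ "$#" -gt 0 ]; then
    red_priv "$@"
fi
```

With this shape, a compromise of the network process yields only the operations the helper allows, on names that pass validation, rather than arbitrary root access.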

Change History (2)

comment:1 Changed 6 years ago by Ross

Status: new → assigned

comment:2 Changed 6 years ago by Jamie McClelland

Priority: Medium → Low
