GNOME Bugzilla – Bug 730037
drop privileges for HTTP fetches
Last modified: 2018-08-17 19:00:22 UTC
Doing HTTP as root brings lots of code like libsoup into the TCB. We should at least do something like do the HTTP requests as "nobody" or so, with a pipe out to the privileged process.
Changing uid is pretty annoying though; we'd have to allocate a new one. Another approach is to do a combination of:
1) Drop all capabilities
2) seccomp filters
3) SELinux policy
Is there a reason you can't simply download in a separate process? Root process forks off something to find the latest tree on the server, which sends it back to the root process, and then the root process forks off another process to download the tree.

$ ostree-get-latest-tree http://my.server/repo/
de9f2c7fd25e1b3afad3e85a0bd17d9b100db4b3
$ ostree-fetch-tree-from-remote http://my.server/repo/de9f2c7fd25e1b3afad3e85a0bd17d9b100db4b3
...
Any privilege dropping would require forking, yes - the question is what constraints are applied and how the communication works.
I don't think there needs to be any communication other than one hash -- the hash of the tree that needs to be downloaded, and that can simply be done by writing to stdout and having the root process read it. Progress information can be shown to the user by simply leaking the stdout FD through to ostree-fetch-tree-from-remote. Are there any other constraints I'm unaware of?
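The following is an added example, not code from OSTree or from anyone in this thread, sketching the privilege-separated fetch the comments above describe (fork a child, drop privileges before any network code runs, pass only the commit checksum back over a pipe, and have the privileged parent validate that checksum before trusting it). It assumes Linux (prctl with PR_SET_NO_NEW_PRIVS), an unprivileged account named "nobody" with uid 65534 as a fallback, and it replaces the real HTTP fetch with a constructed stub (`stub_fetch_latest`) that returns the sample hash from the thread; `fetch_latest_unprivileged`, `drop_privileges`, `is_valid_checksum` and the 40-character checksum length are the example's own names and choices, not OSTree's. When run as an ordinary user the uid/gid switch is skipped, so the process structure can be exercised without root.

```c
/* Added example (not OSTree's code): privilege-separated fetch.
 * Parent = trusted side (imagined running as root), child = untrusted side
 * that talks to the network after dropping privileges. The only thing that
 * crosses the pipe is one checksum, which the parent validates as untrusted input. */
#include <ctype.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>
#ifdef __linux__
#include <sys/prctl.h>
#endif

/* Length of the sample hash shown in the thread; chosen for this example. */
#define CHECKSUM_HEX_LEN 40

/* Callback the child runs after dropping privileges: writes the checksum of the
 * latest tree into buf and returns 0 on success. A real implementation would
 * do the HTTP request here. */
typedef int (*fetch_fn)(const char *url, char *buf, size_t buflen);

/* Constructed stand-in for the real fetch; returns the hash quoted in the thread. */
int stub_fetch_latest(const char *url, char *buf, size_t buflen) {
    (void)url;
    int n = snprintf(buf, buflen, "%s", "de9f2c7fd25e1b3afad3e85a0bd17d9b100db4b3");
    return (n > 0 && (size_t)n < buflen) ? 0 : -1;
}

/* Constructed misbehaving fetcher, to show that garbage from the child is rejected. */
int stub_fetch_garbage(const char *url, char *buf, size_t buflen) {
    (void)url;
    snprintf(buf, buflen, "%s", "<html>not a checksum</html>");
    return 0;
}

/* Drop to an unprivileged account when running as root; otherwise only set
 * no_new_privs. Order matters: supplementary groups, then gid, then uid. */
static int drop_privileges(void) {
    if (geteuid() == 0) {
        struct passwd *pw = getpwnam("nobody");
        uid_t uid = pw ? pw->pw_uid : 65534; /* assumption: conventional nobody uid */
        gid_t gid = pw ? pw->pw_gid : 65534;
        if (setgroups(0, NULL) != 0) return -1;
        if (setgid(gid) != 0) return -1;
        if (setuid(uid) != 0) return -1;
        if (setuid(0) == 0) return -1; /* regaining root must now fail */
    }
#ifdef __linux__
    /* No setuid/fscaps binary executed later can re-elevate this process. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
#endif
    return 0;
}

/* Accept only lowercase hex of exactly the expected length. */
int is_valid_checksum(const char *s) {
    size_t n = strlen(s);
    if (n != CHECKSUM_HEX_LEN) return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!isxdigit(c) || isupper(c)) return 0;
    }
    return 1;
}

/* Run fetch in an unprivileged child. On success the validated checksum is
 * copied into out and 0 is returned; any failure (child error, bad output,
 * abnormal exit) returns -1 and leaves out untouched. */
int fetch_latest_unprivileged(fetch_fn fetch, const char *url, char *out, size_t outlen) {
    int pipefd[2];
    if (outlen <= CHECKSUM_HEX_LEN || pipe(pipefd) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) { /* child: untrusted side */
        close(pipefd[0]);
        char buf[128];
        if (drop_privileges() != 0 || fetch(url, buf, sizeof buf) != 0) _exit(1);
        size_t len = strlen(buf);
        if (write(pipefd[1], buf, len) != (ssize_t)len) _exit(1);
        _exit(0);
    }
    /* parent: trusted side; reads at most one checksum's worth of bytes */
    close(pipefd[1]);
    char buf[CHECKSUM_HEX_LEN + 2];
    ssize_t n = read(pipefd[0], buf, sizeof buf - 1);
    close(pipefd[0]);
    int status = 0;
    waitpid(pid, &status, 0);
    if (n < 0 || !WIFEXITED(status) || WEXITSTATUS(status) != 0) return -1;
    buf[n] = '\0';
    if (!is_valid_checksum(buf)) return -1; /* child output is untrusted input */
    memcpy(out, buf, (size_t)n + 1);
    return 0;
}
```

The parent deliberately reads only a bounded number of bytes and validates the result as hex of a fixed length, so a compromised child (the part that ran libsoup and parsed server responses) can at most hand back a wrong checksum, never control the privileged side's parsing. Capability dropping, a seccomp filter and an SELinux transition, as listed earlier in the thread, would be applied in the child right before the fetch callback, in addition to the uid change shown here.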
OSTree has moved to Github a while ago. Furthermore, GNOME Bugzilla will be shut down and replaced by gitlab.gnome.org. If the problem reported in this Bugzilla ticket is still valid, please report it to https://github.com/ostreedev/ostree/issues instead. Thank you! Closing this report as WONTFIX as part of Bugzilla Housekeeping.