Comments (4)
Thanks man, I haven't tested it against a non-root user, but I think at least users should have the ability to run commands as root (sudo) to the services and install required packages.
Also, the current user should be replaced with root
in moneyd, codius services:
https://github.com/xrp-community/codius-install/blob/master/codius-install.sh#L437
https://github.com/xrp-community/codius-install/blob/master/codius-install.sh#L481
from codius-install.
We should definitely use whatever requires the least privileges, but it's worth noting that codiusd needs access to add network devices and I believe hyperd also needs root access for certain tasks. The safest thing is to have a machine completely dedicated to codius so that if someone breaks into the machine they wouldn't disrupt anything except the codius host.
from codius-install.
I'm thinking it makes sense to create a user for the service.
Also, I'm not dictating here. I'm just throwing out what I think could be useful. Anyone is free to shoot this full of holes.
I believe, the same way nginx often runs as nginx or apache runs as apache, the services could run like this.
This is a bit verbose but to be very specific I'll lay it out like this:
hyperd should run as hyperd with a group called codius.
nginx should run as nginx (or www) with a group called codius.
codiusd should run as codiusd with a group called codius.
moneyd-xrp should run as moneyd with a group called codius.
All of these users should be unprivileged (no sudoer/root privs - maybe even chrooted with systemd-nspawn or something). Anything that needs to interoperate between the services could use the group access (currently I think they only communicate through listening ports so I doubt this will be needed).
from codius-install.
@sharafian - I think the primary issue was related to the individual services all being run as root.
I am imagining it will just take some iterating and policy configurations to lock these down.
@N3TC4T - I'm willing to help out with this effort when I've gotten my own Codius project nailed down. (I think in a few weeks I could contribute some time to this.)
from codius-install.
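The per-service account layout proposed in the thread, sketched as an added example (not code from the thread or from codius-install): it prints the account-creation commands for review and writes systemd drop-ins into a directory you choose, so it can be inspected without root. The unit names (`<service>.service`), the drop-in file name, and the mapping of codiusd's "add network devices" need to `CAP_NET_ADMIN` are assumptions.

```shell
#!/bin/sh
# Added example: dry-run generator for per-service accounts and drop-ins.
# Assumptions (not from the thread): units are named <service>.service and
# codiusd's need to add network devices is covered by CAP_NET_ADMIN.
GROUP=codius
# service:account pairs follow the layout proposed in the thread.
# nginx is left out: its workers already drop to the account named by the
# `user` directive in nginx.conf.
SERVICES="hyperd:hyperd codiusd:codiusd moneyd-xrp:moneyd"

# Print the account-creation commands instead of running them.
account_cmds() {
  echo "groupadd --system $GROUP"
  for pair in $SERVICES; do
    echo "useradd --system --no-create-home --shell /usr/sbin/nologin --gid $GROUP ${pair#*:}"
  done
}

# Write one drop-in per unit under $1 (/etc/systemd/system when applied).
write_dropins() {
  root=$1
  for pair in $SERVICES; do
    unit=${pair%%:*}
    acct=${pair#*:}
    dir="$root/$unit.service.d"
    mkdir -p "$dir"
    {
      echo "[Service]"
      echo "User=$acct"
      echo "Group=$GROUP"
      echo "NoNewPrivileges=true"
      if [ "$unit" = codiusd ]; then
        # Keep a single capability instead of full root.
        echo "AmbientCapabilities=CAP_NET_ADMIN"
        echo "CapabilityBoundingSet=CAP_NET_ADMIN"
      else
        # The thread is unsure what hyperd needs; start with no
        # capabilities and widen only after testing.
        echo "CapabilityBoundingSet="
      fi
    } > "$dir/10-least-privilege.conf"
  done
}
```

Run `write_dropins` against a scratch directory first, review the files, then copy them under `/etc/systemd/system` and run `systemctl daemon-reload`.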