Hi all!
Let me say first that I'm not entirely sure whether I should write this directly to the Debian guys; however, I'd like to discuss some stuff first with you guys to clear up some questions. I hope that Faidon (who maintains the Debian package) is reading this and can help to shed some light on this. :)
We usually build radsecproxy on Ubuntu 16.04.3 LTS from the sources from Debian:
https://packages.debian.org/de/source/sid/radsecproxy
This used to work well with 1.6.8 and (apart from one problematic dependency on debhelper >=10) it should work with 1.6.9 as well. I have a number of suggestions regarding the Debian build:
- Currently, the resulting radsecproxy will run as root. I think it would be nicer to have the daemon run as some unprivileged user (e.g. "radsecproxy").
- In the current Ubuntu release (could very likely be the same with the current Debian release), there's a rather stupid bug in systemd where you can write an arbitrary number (e.g. "1") into radsecproxy's PID file and as soon as the service radsecproxy is stopped, the process that you put into the PID file is killed (which is not so nice if it's "1"). Now, while it's unclear how easily exploitable this is, it's still easy to cure.
I would like to discuss the following patches to the Debian build tree with you. I don't have any experience with Debian package design, so please be patient if it has mistakes. :)
Patch #1:
--------8<--------8<--------8<--------8<--------8<--------
--- radsecproxy-1.6.9.old/debian/service 2017-08-04 21:12:38.000000000 +0200
+++ radsecproxy-1.6.9/debian/service 2017-08-18 07:56:46.080064099 +0200
@@ -6,12 +6,13 @@
[Service]
Type=forking
-ExecStart=/usr/sbin/radsecproxy -i /run/radsecproxy.pid
-PIDFile=/run/radsecproxy.pid
+ExecStart=/usr/sbin/radsecproxy
+User=radsecproxy
ProtectSystem=full
PrivateDevices=true
PrivateTmp=true
ProtectHome=true
+CapabilityBoundingSet=~CAP_SYS_PTRACE
[Install]
WantedBy=multi-user.target
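Review bot: dropping PIDFile= while keeping Type=forking (the two removed lines against the new ExecStart=) makes systemd fall back on GuessMainPID= (on by default) to pick the main PID out of whatever is left in the service cgroup; that is documented as a heuristic and only works while radsecproxy leaves exactly one process behind, so the cleaner fix is `Type=simple` with `ExecStart=/usr/sbin/radsecproxy -f` (foreground), which needs neither a PID file nor guessing. If a PID file has to stay, give the service its own directory with `RuntimeDirectory=radsecproxy` and point `PIDFile=/run/radsecproxy/radsecproxy.pid` at it, so only root and the service user can write the file. `User=radsecproxy` needs no extra capabilities because 1812/1813 (UDP) and 2083 (TCP) are unprivileged ports, but the TLS keys, CA/CRL files and any log file named in radsecproxy.conf must then be readable or writable by that user, which this hunk does not address. `CapabilityBoundingSet=~CAP_SYS_PTRACE` changes little once the service runs unprivileged (it holds no capabilities anyway and only limits what a setuid helper could regain); `NoNewPrivileges=true` is the directive that actually closes that path and belongs next to the other Protect*/Private* lines.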
--------8<--------8<--------8<--------8<--------8<--------
Explanation: systemd doesn't need the PID file to know about the PID that radsecproxy runs with. So you can remove the creation of a PID file entirely as well as the PIDFile= reference to it, working around the security risk above. Furthermore, the patch makes systemd run radsecproxy as user "radsecproxy". For this to be possible, we need...
Patch #2:
Add radsecproxy-1.6.9/debian/postinst
--------8<--------8<--------8<--------8<--------8<--------
adduser --system radsecproxy
--------8<--------8<--------8<--------8<--------8<--------
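Review bot: as a Debian maintainer script this one-liner is incomplete: it needs a `#!/bin/sh` line and `set -e`, should act only when `$1` is `configure` (postinst is also called with abort-remove/abort-deconfigure), and must keep the `#DEBHELPER#` token so the dh_installinit/dh_systemd snippets that enable and start the unit are still inserted; without the token the service from Patch #1 is never started on install. `adduser --system` can be rerun safely on upgrades, but it should also pass `--group` (so files can be chgrp'd to a matching group), `--no-create-home` with `--home /nonexistent` (or a real state directory if the daemon needs one) and `--quiet`, otherwise a home directory appears under /home and every upgrade prints a warning. The same script is the place to make the TLS key and log paths owned by or readable to the new user, since the unit now runs without root.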
Could you guys have a look at the above suggestions for patches and let me know what you think? Please note that this only addresses the systemd service file, I didn't patch the init file (which would certainly also make sense at least to let radsecproxy run as an unprivileged user).
Note to Faidon: I like the changes that you made to harden the radsecproxy installation when using systemd. Thanks for the good work! I have a question though: how important is the dependency "debhelper >=10"? I'm asking because the latest debhelper on Ubuntu 16.04.3 LTS is 9.x. If possible, can I change the debhelper dependency to ">=9" again? This would certainly help building the package on Ubuntu 16.04.3 LTS. Thanks!
Cheers,
Christian
--
Dipl.-Math. Christian Strauf
Clausthal Univ. of Technology
Rechenzentrum
Erzstraße 18
D-38678 Clausthal-Zellerfeld
E-Mail: strauf(a)rz.tu-clausthal.de
Web: www.rz.tu-clausthal.de
Tel.: +49-5323-72-2086 Fax: -992086
Hi,
I'm pleased to announce that radsecproxy-1.6.9 now exists.
This bugfix release fixes a crash bug showing on busy servers with
multiple cores (RADSECPROXY-77) and a number of other bugs. From the
ChangeLog file:
--8<---------------cut here---------------start------------->8---
Misc:
- Use a listen(2) backlog of 128 (RADSECPROXY-72).
Bug fixes:
- Don't follow the NULL pointer at debug level 5 (RADSECPROXY-68).
- Completely reload CAs and CRLs with cacheExpiry (RADSECPROXY-50).
- Tie Access-Request log lines to response log lines (RADSECPROXY-60).
- Fix a couple of memory leaks and NULL ptr derefs in error cases.
- Take lock on realm refcount before updating it (RADSECPROXY-77).
--8<---------------cut here---------------end--------------->8---
Pick it up at
https://software.nordu.net/radsecproxy/radsecproxy-1.6.9.tar.xz
https://software.nordu.net/radsecproxy/radsecproxy-1.6.9.tar.xz.asc
Hi,
I'm planning on releasing what's in branch maint-1.6 as
radsecproxy-1.6.9 within a couple of hours. If you're interested in
finding stupid things in it before it becomes an official release,
please try it out now!
git clone -b maint-1.6 https://git.nordu.net/radsecproxy.git
cd radsecproxy && ./configure && make clean check
Thanks!