Hi all!
Let me say first that I'm not entirely sure whether I should write this directly to the Debian guys, however, I'd like to discuss some stuff first with you guys to clear up some questions. I hope that Faidon (who maintains the Debian package) is reading this and can help to shed some light on this. :)
We usually build radsecproxy on Ubuntu 16.04.3 LTS from the sources from Debian:
https://packages.debian.org/de/source/sid/radsecproxy
This used to work well with 1.6.8 and (apart from one problematic dependency on debhelper >=10) it should work with 1.6.9 as well. I have a number of suggestions regarding the Debian build:
- Currently, the resulting radsecproxy will run as root. I think it would be nicer to have the daemon run as some unprivileged user (e.g. "radsecproxy").
- In the current Ubuntu release (could very likely be the same with the current Debian release), there's a rather stupid bug in systemd where you can write an arbitrary number (e.g. "1") into radsecproxy's PID file and as soon as the service radsecproxy is stopped, the process that you put into the PID file is killed (which is not so nice if it's "1"). Now, while it's unclear how easily exploitable this is, it's still easy to cure.
I would like to discuss the following patches to the Debian build tree with you. I don't have any experience with Debian package design, so please be patient if it has mistakes. :)
Patch #1:
--------8<--------8<--------8<--------8<--------8<-------- --- radsecproxy-1.6.9.old/debian/service 2017-08-04 21:12:38.000000000 +0200 +++ radsecproxy-1.6.9/debian/service 2017-08-18 07:56:46.080064099 +0200 @@ -6,12 +6,13 @@
[Service] Type=forking -ExecStart=/usr/sbin/radsecproxy -i /run/radsecproxy.pid -PIDFile=/run/radsecproxy.pid +ExecStart=/usr/sbin/radsecproxy +User=radsecproxy ProtectSystem=full PrivateDevices=true PrivateTmp=true ProtectHome=true +CapabilityBoundingSet=~CAP_SYS_PTRACE
[Install] WantedBy=multi-user.target --------8<--------8<--------8<--------8<--------8<--------
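Review bot: with PIDFile= removed but Type=forking kept (the @@ -6,12 +6,13 @@ hunk), systemd no longer has an authoritative main PID and has to guess it after the daemon forks, which makes `systemctl stop` and restart-on-failure less reliable; the cleaner way to get rid of the PID file is to keep the daemon in the foreground (radsecproxy has a `-f` switch for that) and use `Type=simple`. Two things the hunk does not cover: `User=radsecproxy` only works if the configuration file and the certificates and private keys it references are readable by that account, which the patch does not arrange, and `CapabilityBoundingSet=~CAP_SYS_PTRACE` is largely redundant once the service runs unprivileged (it holds no capabilities to begin with), though it does no harm.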
Explanation: systemd doesn't need the PID file to know about the PID that radsecproxy runs with. So you can remove the creation of a PID file entirely as well as the PIDFile= reference to it, working around the security risk above. Furthermore, the patch makes systemd run radsecproxy as user "radsecproxy". For this to be possible, we need...
Patch #2:
Add radsecproxy-1.6.9/debian/postinst --------8<--------8<--------8<--------8<--------8<-------- adduser --system radsecproxy --------8<--------8<--------8<--------8<--------8<--------
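Review bot: the postinst as shown is a bare adduser command with no interpreter line; a Debian maintainer script needs `#!/bin/sh`, `set -e`, a `case "$1" in configure)` guard so the account is created on install and upgrade only, and the `#DEBHELPER#` token, because the debhelper-generated snippets that enable and start the service must run after the account exists or the unit's `User=radsecproxy` fails. For a daemon account prefer `adduser --system --group --no-create-home --home /nonexistent radsecproxy`; `adduser --system` returns successfully when the system user already exists, so repeated upgrades are safe.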
Could you guys have a look at the above suggestions for patches and let me know what you think? Please note that this only addresses the systemd service file, I didn't patch the init file (which would certainly also make sense at least to let radsecproxy run as an unprivileged user).
Note to Faidon: I like the changes that you made to harden the radsecproxy installation when using systemd. Thanks for the good work! I have a question though: how important is the dependency "debhelper >=10"? I'm asking because the latest debhelper on Ubuntu 16.04.3 LTS is 9.x. If possible, can I change the debhelper dependency to ">=9" again? This would certainly help building the package on Ubuntu 16.04.3 LTS. Thanks!
Cheers, Christian
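As an added example (not part of Christian's mail or of the Debian package), here is a small audit script that checks a systemd unit for the points discussed above: a service running as root, a PIDFile= that decides which process gets signalled on stop, Type=forking without a PIDFile= (systemd then has to guess the main PID), and the hardening directives from the unit. The two unit texts are constructed from the hunk in Patch #1; the [Unit] section and the directives not shown in the hunk are assumptions.

```python
"""Audit a systemd service unit for the issues raised in the radsecproxy thread.

Added example; the unit texts below are reconstructed from the patch and
the [Unit] section is an assumption, not the Debian package's real file.
"""
from collections import defaultdict

# Hardening directives the patched unit carries; their absence is reported.
HARDENING = ("ProtectSystem", "PrivateDevices", "PrivateTmp", "ProtectHome")

# Constructed: the unit before Patch #1 (root, PID file, Type=forking).
BEFORE_UNIT = """
[Unit]
Description=radsecproxy (constructed header)

[Service]
Type=forking
ExecStart=/usr/sbin/radsecproxy -i /run/radsecproxy.pid
PIDFile=/run/radsecproxy.pid
ProtectSystem=full
PrivateDevices=true
PrivateTmp=true
ProtectHome=true

[Install]
WantedBy=multi-user.target
"""

# Constructed: the unit after Patch #1 (unprivileged user, no PID file).
AFTER_UNIT = """
[Unit]
Description=radsecproxy (constructed header)

[Service]
Type=forking
ExecStart=/usr/sbin/radsecproxy
User=radsecproxy
ProtectSystem=full
PrivateDevices=true
PrivateTmp=true
ProtectHome=true
CapabilityBoundingSet=~CAP_SYS_PTRACE

[Install]
WantedBy=multi-user.target
"""


def parse_unit(text):
    """Parse unit-file syntax into {section: {key: [values...]}}.

    Values are kept as lists because systemd allows repeated keys
    (e.g. several ExecStart= lines); the last value normally wins.
    """
    sections = defaultdict(lambda: defaultdict(list))
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[section][key.strip()].append(value.strip())
    return sections


def audit_service(text):
    """Return a list of findings (empty list means nothing to report)."""
    svc = parse_unit(text).get("Service", {})
    findings = []

    user = svc.get("User", [])
    if not user or user[-1] == "root":
        findings.append("runs as root: set User= to an unprivileged account")

    pidfile = svc.get("PIDFile", [])
    if pidfile:
        findings.append(
            f"PIDFile={pidfile[-1]}: whatever PID is written there is "
            "signalled on stop, so the file must not be writable by others"
        )

    if svc.get("Type", ["simple"])[-1] == "forking" and not pidfile:
        findings.append(
            "Type=forking without PIDFile=: systemd has to guess the main PID; "
            "run the daemon in the foreground with Type=simple instead"
        )

    for directive in HARDENING:
        if directive not in svc:
            findings.append(f"{directive}= not set")
    return findings


if __name__ == "__main__":
    for name, unit in (("before", BEFORE_UNIT), ("after", AFTER_UNIT)):
        print(f"{name}:")
        for finding in audit_service(unit) or ["no findings"]:
            print(f"  - {finding}")
```

Running the script flags the root user and the PID file on the original unit, and on the patched unit only the remaining Type=forking-without-PIDFile= point; a real deployment would feed it the output of `systemctl cat radsecproxy.service`, which includes any drop-in overrides.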