Re: [Tracker] Running Tracker with dbus system bus



Philip

thanks for your thoughts, highly appreciated!

Am 02.01.2014 um 11:07 schrieb Philip Van Hoof <philip codeminded be>:

Signierter PGP Teil
Ralph Böhme schreef op 2/01/2014 10:36:

Hi Ralph,

I think your seteuid() to drop to the user-ID from root should
be called from your code rather than in libtracker-sparql.

I think you misunderstood what I was trying to describe. I
seteiud() to root in the application before calling tracker-sparql
stuff, because I'm launching a private dbus in the root user
context which is then starting Tracker daemons in root user
context.

Aha yes I misunderstood that. I thought you were running Tracker as a
user and wanted to query it from root.


<https://github.com/Netatalk/Netatalk/blob/develop/etc/spotlight/slmod_sparql.c#L74>

 The application process normally runs uid=0,euid=some-uid. In
order to be able to talk to Tracker via dbus, which are both
running in root user context, I seteuid(0) and back when using
tracker-sparql stuff.

I must run Tracker as root, because I must be able to index a
_shared_ ressource, ie all files of a fileserver (currently
AFP/Netatalk, in the future SMB/Samba).

Ok, makes sense.

However, and especially given recent revelations in the news of
governments being interested in hacking into our devices (however
crazy that in itself is); tracker-extract links with a huge amount of
externally maintained code and given that this code operates with user
defined input (the files on a filesystem); I would advise very
strongly against running tracker-extract as root. Even our own code
isn't coded with high security standards in mind, although we always
and still do tag such bugs with highest critical priority.

I think it's comparable to the sore situation of extensions and GLX in
X.Org. I also think we'd need the focus of a community of a few
hundred people to make all that code secure. It is that serious and
I'd like to make sure that everybody who runs tracker-extract as root
is aware of this and wakes up in the middle of the night soaked in
cold sweat, every night, for at least half a year for each user that
he burdened with that risk.

Point taken.

What I would propose is to investigate the use of Linux lightweight
containers to let the tracker-extract process run in, or using
set(e)uid to drop privileges of tracker-extract as soon as possible
(for example after getting the open fd, drop privleges, and continue
with read. But I'm not even sure whether that will work - so
experimenting and investigating on this should probably be done).

For example no extractors need write access to files, so the container
and/or user to drop privileges to wouldn't need it, the mp3 extractor
needs mmap, God knows what the GStreamer based ones need, etc.

I don't think running tracker-miner-fs' process as root is as much of
a risk (as tracker-extract), although a security audit would need to
be done. Same for tracker-store.

Trackers is apperently designed for a single user context, not for
use a general purpose indexer on a server that shares ressources
with clients by means of filehsharing protocols like SMB, AFP or
NFS.

Is there a reason why libtracker-sparql must be adapted?

The whole Tracker design must be updated to optionally allow
running Tracker in dbus system context, not in user context.

Yes I agree with this for your use-case.

I think it should be at least a option, a commandline switch or
perhaps even a compile time option. I wouldn't be against it (noting
to your users the warning about tracker-extract that I just gave -
which I do think you ought to take very serious).

fwiw, the requirements for the described use case don't neccessarily require running Tracker as root. What's 
need is using dbus system context, not session context, so that arbitrary users (processes with distinct 
uids) can connect. The latter is not allowed by dbus for user context services (ie you can't connect as 
arbitrary user to a dbus session service from another user (another euid that is)).

A proper solution (with security in mind) might be
* add an option that makes Tracker use system dbus context instead of session context
* add another option to take a user under which Tracker will run in this case, this user MUST not be root

Thanks again!
-Ralph

Attachment: signature.asc
Description: Message signed with OpenPGP using GPGMail



[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]