Bug 218179 - sysutils/ipfs-go runs with root privilege
Summary: sysutils/ipfs-go runs with root privilege
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: --- Affects Many People
Assignee: John Hixson
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2017-03-28 08:43 UTC by Gian-Simon Purkert
Modified: 2020-05-13 17:42 UTC (History)
3 users (show)

See Also:

Attachments
svn diff from /usr/ports/sysutils/ipfs-go (294 bytes, patch)
2020-05-04 05:57 UTC, Chad Jacob Milios 		milios: maintainer-approval? (milios)
 Details | Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Gian-Simon Purkert 2017-03-28 08:43:01 UTC 
The IPFS-go daemon runs as root, witch is not really good.
Since it is a network-service, it should run with its own restricted user (analogue to TOR)

Repository and config, something like:
/var/lokal/ipfs
Comment 1 Gian-Simon Purkert 2017-03-28 09:10:40 UTC 
sry:
/var/db/ipfs
Comment 2 Gian-Simon Purkert 2017-07-31 12:45:33 UTC 
Runs still with root, please add a user special for ipfs otherwise its too dangerous.
Comment 3 Walter Schwarzenfeld 2018-02-02 18:43:57 UTC 
Feedback please!
Comment 4 Yuri Victorovich freebsd_committer freebsd_triage 2018-03-12 17:54:19 UTC 
This port violates chapter 5.4 of PHB which mentions that MASTER_SITES/DISTNAME refers to "source archive", and for sysutils/ipfs-go it isn't a source archive.

It should be removed.
Comment 5 Yuri Victorovich freebsd_committer freebsd_triage 2018-03-12 21:37:26 UTC 
(In reply to w.schwarzenfeld from comment #3)

This port needs to be reimplemented to solve mentioned problems.
Comment 6 John Hixson freebsd_committer freebsd_triage 2019-01-08 08:57:54 UTC 
This port no longer runs as the root user. This bug report can be closed.
Comment 7 Chad Jacob Milios 2020-05-04 05:57:06 UTC 
Created attachment 214085 [details]
svn diff from /usr/ports/sysutils/ipfs-go

USE_RC_SUBR implicitly adds the script to the end of the plist, affected by @owner and @group.

The rc.d script is getting installed owned by ipfs-go user which is a springboard to root privileges from ipfs daemon.

This patch fixes that
Comment 8 commit-hook freebsd_committer freebsd_triage 2020-05-13 17:41:09 UTC 
A commit references this bug:

Author: jhixson
Date: Wed May 13 17:40:41 UTC 2020
New revision: 535121
URL: https://svnweb.freebsd.org/changeset/ports/535121

Log:
  sysutils/ipfs-go: don't run as root

  PR:	218179
  Submitted by:	gspu <gspurki@gmail.com>

Changes:
  head/sysutils/ipfs-go/pkg-plist
Comment 9 John Hixson freebsd_committer freebsd_triage 2020-05-13 17:42:38 UTC 
Committed. Thanks.