privilege reduction of default installation with manager
The manager performs these (potentially) privileged operations:
- open socket on arbitrary locations based on user configuration
- start transient systemd services with kresd and gc via DBus
- read state of services from systemd via DBus
At the moment, I don't see a way to get rid of privileges in the manager. One option seems obvious - we could configure DBus to allow us to communicate with systemd when running as user knot-resolver. However, this just makes potential exploitation only slightly harder, as escalating to root is just a matter of starting a transient service through DBus running some kind of remote shell. At first sight, to an uninformed user, this looks safe, as we could be launching all services as a non-root user. This makes it, in my opinion, even more dangerous, as the user won't expect the problem to be present.
Another way is to use user session systemd. However, I have no idea how to run a session systemd without an actual physical user present. I am not even sure if that is a valid usage. This option could benefit from more experimentation.
Another (rather disruptive) idea is to get rid of systemd and run some custom service manager within the single knot-resolver.service systemd unit. This solves the problems with privileges, but introduces a whole bunch of other unrelated problems.
How to solve this? I think the next step is to ask some systemd devs what they think about it, and to read more documentation about DBus privileges, because if we could filter based on message content, we could make it work.
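The DBus option from the second paragraph and the message-content filtering question from the last one, as an added example that is not from the original post or the knot-resolver project: a polkit rule that scopes org.freedesktop.systemd1.manage-units for user knot-resolver to its own units, with a constructed stand-in for polkitd's rule engine so the rule can be evaluated offline. It assumes the service user is named knot-resolver, unit name prefixes kresd@ and kres-gc, and that systemd attaches a "unit" detail when polkit is asked about an existing unit but none for StartTransientUnit, since that unit does not exist yet.

```javascript
// Constructed stand-in for the polkitd rule engine, so the rule below can be
// evaluated offline; only the polkit.addRule(...) part belongs in rules.d/.
const rules = [];
const polkit = {
  Result: { YES: "yes", NO: "no", NOT_HANDLED: null },
  addRule(fn) { rules.push(fn); },
};
class Action {
  constructor(id, details = {}) { this.id = id; this.details = details; }
  lookup(key) { return this.details[key]; } // polkit exposes details this way
}
function evaluate(action, subject) {
  for (const rule of rules) {
    const r = rule(action, subject);
    if (r !== undefined && r !== null) return r;
  }
  return polkit.Result.NOT_HANDLED; // polkitd then applies the action's default
}

// The rule: let user knot-resolver manage only its own units (assumed unit
// name prefixes kresd@ and kres-gc; adjust to the real unit names).
polkit.addRule(function (action, subject) {
  if (action.id !== "org.freedesktop.systemd1.manage-units" ||
      subject.user !== "knot-resolver") {
    return polkit.Result.NOT_HANDLED;
  }
  // The "unit" detail is the only message content a rule can inspect;
  // dbus-daemon policy matches on interface/member/path, never on arguments.
  const unit = action.lookup("unit");
  if (unit !== undefined && /^(kresd@|kres-gc)/.test(unit)) return polkit.Result.YES;
  return polkit.Result.NO;
});

const ACTION = "org.freedesktop.systemd1.manage-units";
const resolver = { user: "knot-resolver" };
function decide(details) { return evaluate(new Action(ACTION, details), resolver); }

// Existing unit with its name attached as a detail: allowed.
function canStartOwnUnit() { return decide({ unit: "kresd@1.service", verb: "start" }) === "yes"; }
// Someone else's unit: denied.
function canStartForeignUnit() { return decide({ unit: "sshd.service", verb: "stop" }) === "yes"; }
// StartTransientUnit: the unit does not exist yet, so (assumed) no "unit"
// detail is attached. The rule cannot tell a kresd instance from a transient
// unit running a shell, so it must deny, which also blocks the manager's own use.
function canStartTransientUnit() { return decide({}) === "yes"; }

console.log(canStartOwnUnit(), canStartForeignUnit(), canStartTransientUnit());
// prints: true false false
```

The last case is the crux of the question above: the rule can only scope what systemd hands it as a detail, and nothing identifies the contents of a transient unit before it exists.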