Bug 111578 - rwhod runs as root
Summary: rwhod runs as root
Keywords:
Status: CLOSED INSUFFICIENT_DATA
Alias: None
Product: Fedora
Classification: Fedora
Component: rwho
Version: 2
Hardware: All
OS: Linux
medium
low
Target Milestone: ---
Assignee: Phil Knirsch
QA Contact: Ben Levenson
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2003-12-05 18:06 UTC by Andrew Taylor
Modified: 2015-03-05 01:13 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2006-10-25 20:27:23 UTC
Type: ---
Embargoed:


Attachments (Terms of Use)
spec file changes to run rwhod as a non-privileged user (744 bytes, patch)
2003-12-05 18:14 UTC, Andrew Taylor
no flags Details | Diff
sysv init file changes to run rwhod as a non-privileged user (308 bytes, patch)
2003-12-05 18:20 UTC, Andrew Taylor
no flags Details | Diff

Description Andrew Taylor 2003-12-05 18:06:47 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.6a)
Gecko/20031030

Description of problem:
The rwhod daemon has the ability to drop root privileges on its writer
process.  We might as well take advantage of this capability and run
it as a non-priviledged user.

Version-Release number of selected component (if applicable):
rwho-0.17-19

How reproducible:
Always

Steps to Reproduce:
Run rwhod.

Actual Results:  Runs as root.

Expected Results:  The writer process should be a non-priviledged user.

Comment 1 Andrew Taylor 2003-12-05 18:14:31 UTC
Created attachment 96372 [details]
spec file changes to run rwhod as a non-privileged user

Comment 2 Andrew Taylor 2003-12-05 18:20:58 UTC
Created attachment 96373 [details]
sysv init file changes to run rwhod as a non-privileged user

These patches make rwhod run the writer process as a new user called "rwhod".

As few notes:
the uid for rwhod is 49, which I chose at random.  It doesn't seem to conflict
with anything I've been able to find.  Is there a registry for system uids
somewhere?

Also, if an existing rwho RPM is updated, any files in /var/spool/rwho owned by
root will not be writable by rwhod, effectively freezing the rwho information
for those hosts in time.  Perhaps the spec file should do a chown?

Comment 3 Phil Knirsch 2004-10-18 15:34:32 UTC
Sounds like a good idea.

Investigating and discussing with folks here.

Read ya, Phil

Comment 4 Matthew Miller 2005-04-26 15:38:47 UTC
Fedora Core 2 is now maintained by the Fedora Legacy project for
security updates only. If this problem is a security issue, please
reopen and reassign to the Fedora Legacy product. If it is not a
security issue and hasn't been resolved in the current FC3 updates or
in the FC4 test release, reopen and change the version to match.

Comment 5 John Thacker 2006-10-25 20:27:23 UTC
Closing per previous comment and lack of response.  Also note that FC1 and FC2
are no longer supported even by Fedora Legacy.


Note You need to log in before you can comment on or make changes to this bug.