Bug 520247 - PyICQt should not run as root! Create an user account instead
Summary: PyICQt should not run as root! Create an user account instead
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: pyicq-t
Version: rawhide
Hardware: All
OS: Linux
low
medium
Target Milestone: ---
Assignee: Michael Fleming
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2009-08-29 18:20 UTC by Stefan Schulze Frielinghaus
Modified: 2009-10-06 10:04 UTC (History)
1 user (show)

Fixed In Version: 0.8.1.5-5.fc11
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2009-09-19 13:27:58 UTC


Attachments (Terms of Use)
SPEC file (5.12 KB, application/octet-stream)
2009-08-29 18:21 UTC, Stefan Schulze Frielinghaus
no flags Details
init script (988 bytes, application/octet-stream)
2009-08-29 18:21 UTC, Stefan Schulze Frielinghaus
no flags Details
pid file location changes (644 bytes, application/octet-stream)
2009-08-29 18:22 UTC, Stefan Schulze Frielinghaus
no flags Details

Description Stefan Schulze Frielinghaus 2009-08-29 18:20:22 UTC
Description of problem:
The current init script starts PyICQt as root which is a security risk. Instead it should be run as an unprivileged user. I did a few changes to get this working:

- change permissions for /etc/pyicq-t/ (the config file is confidential because a clear text password is saved in it), /var/spool/pyicq-t (is also confidential because all user icq passwords are saved in there)
- create a directory for the pid-file /var/run/pyicq-t and change permissions

The init-script was changed in several ways. Now it uses the daemon function which starts the application nicely and also changes automatically to the unprivilged user "pyicqt". Also the init-script shouldn't call "python PyICQt.py" instead it should execute the python script as an executable. This makes it easier to write a SELinux policy. Additionally I changed the chkconfig start paramter to 99. Because ejabberd starts at 40 but needs a couple of seconds to initialize the port where PyICQt will connect to. But if PyICQt is started to early and ejabberd hasn't initialized the port then PyICQt will drop.

The base of the attached files are from pyicq-t-0.8.1.3-2.fc12.src.rpm

My PyICQt daemon is now running for a couple of weeks with the changes and everything works fine so I expect no trouble if you upstream it.

Comment 1 Stefan Schulze Frielinghaus 2009-08-29 18:21:09 UTC
Created attachment 359162 [details]
SPEC file

Comment 2 Stefan Schulze Frielinghaus 2009-08-29 18:21:38 UTC
Created attachment 359163 [details]
init script

Comment 3 Stefan Schulze Frielinghaus 2009-08-29 18:22:23 UTC
Created attachment 359164 [details]
pid file location changes

Comment 4 Fedora Update System 2009-09-19 13:24:55 UTC
pyicq-t-0.8.1.5-5.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/pyicq-t-0.8.1.5-5.fc11

Comment 5 Fedora Update System 2009-10-06 10:04:04 UTC
pyicq-t-0.8.1.5-5.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.