Opened 5 years ago

Closed 16 months ago

#13602 closed enhancement (wontfix)

run all ooniprobe tests as non-root

Reported by: infinity0
Owned by: hellais
Priority: Medium
Milestone:
Component: Archived/Ooni
Version:
Severity: Normal
Keywords: archived-closed-2018-07-04
Cc: aagbsn, lunar, poncho@…
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description (last modified by infinity0)

Hi, I've written some wrapper scripts to allow ooni-probe to run all tests as non-root:

https://github.com/infinity0/script-caps/blob/master/Makefile#L1

To see it working, (at the time of writing) you need to patch your ooni-probe so that it's not affected by #13497 or #13581.

There are two options; the tradeoffs for each are documented at the top of that Makefile. It would be good if the OONI authors could weigh in on which option is preferable. I've also CC'd the Debian package maintainer.

Feel free to ask questions if the documentation isn't adequate.

Change History (7)

comment:1 Changed 5 years ago by infinity0

Description: modified (diff)
Summary: run ooniprobe as non-root → run all ooniprobe tests as non-root

comment:2 Changed 5 years ago by infinity0

I just realised I greatly over-engineered option (2) and have now simplified it. Now, we just use cython to build bin/ooniprobe into a C program, and setcap on this. No wrappers involved, no need to hard-code any extra paths, nothing runs as root.

Essentially the C program is a python interpreter that only runs ooniprobe, and the search path rules are all handled by ld.so (which already has security mechanisms like [1]) and libpythonXX.so (where I'm manually telling it to ignore user / environment search paths, as seen in the Makefile).

So I think option (2) would be suitable both for inclusion into the main ooni repo, and for use within Debian.

[1] http://stackoverflow.com/questions/9843178/linux-capabilities-setcap-seems-to-disable-ld-library-path
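
The split of responsibilities described in comment:2, as an added example that is not taken from the linked Makefile or from ooniprobe: ld.so handles its own variables for a binary with file capabilities, while the interpreter's search-path variables need separate handling. The function names are hypothetical, and scrubbing the environment is a technique swapped in for illustration, not necessarily what the Makefile does.

```c
/* Added example: hypothetical pre-init hardening for a setcap'd launcher. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/auxv.h>

extern char **environ;

/* 1 when the kernel marked this exec as secure-execution (file capabilities,
 * setuid or setgid). ld.so drops LD_LIBRARY_PATH and LD_PRELOAD in that mode;
 * libpython does not consult the flag, so PYTHON* needs separate handling. */
int in_secure_exec(void)
{
    return getauxval(AT_SECURE) != 0;
}

/* Drop every PYTHON* variable (PYTHONPATH, PYTHONHOME, PYTHONSTARTUP, ...)
 * by compacting environ in place, so an entry without '=' is removed too.
 * Returns the number of entries removed. */
int scrub_python_env(void)
{
    int removed = 0;
    char **src, **dst;

    if (environ == NULL)
        return 0;
    for (src = dst = environ; *src != NULL; src++) {
        if (strncmp(*src, "PYTHON", 6) == 0)
            removed++;
        else
            *dst++ = *src;
    }
    *dst = NULL;
    return removed;
}

int main(void)
{
    /* Scrub unconditionally: the binary only ever runs one program, so no
     * caller-supplied search path is legitimate, capabilities or not. */
    int n = scrub_python_env();

    printf("secure-execution mode: %s\n", in_secure_exec() ? "yes" : "no");
    printf("PYTHON* variables removed: %d\n", n);
    /* An embedding launcher would initialise the interpreter only after this. */
    return EXIT_SUCCESS;
}
```

Run from a normal shell it reports secure-execution mode as "no"; the same binary with a file capability set reports "yes", which is the condition under which ld.so ignores LD_LIBRARY_PATH.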

comment:3 in reply to:  2 Changed 5 years ago by lunar

Replying to infinity0:

> So I think option (2) would be suitable both for inclusion into the main ooni repo, and for use within Debian.

I am pretty confident it is, yes. :) Nice work.

iputils seems to set the capabilities in the postinst script of various tools when possible. Here's an example with iputils-tracepath.postinst. So we could probably spare a manual operation in the best case. ooniprobe should still keep the ability to downgrade nicely.

comment:4 Changed 5 years ago by hellais

Great work infinity0!

I have just gotten back from travelling so I will soon get to reviewing the required tickets for including this patch into ooniprobe.

Thanks for working on this!

comment:5 Changed 5 years ago by poncho

Cc: poncho@… added

comment:6 Changed 23 months ago by teor

Severity: Normal

Set all open tickets without a severity to "Normal"

comment:7 Changed 16 months ago by teor

Keywords: archived-closed-2018-07-04 added
Resolution: wontfix
Status: new → closed

Close all tickets in archived components
