set_trace # timfreund's blog on dev, ops, and other work stuff

Daemonizing while dropping privileges

Tags: programming unix

We talked about chroot jails the last time daemonization came up. This time we’re talking about privileges and what it means to drop them.

Animal Farm

All users are equal, but some users are more equal than others. If something can be done, root can do it, and some actions can only be done by root. Root is the only user that can bind to any port under 1024 on a unix or linux host. Apache, or Nginx, or AOLServer can only bind to port 80 and 443 for the sake of serving web pages if the processes start as the root user.

Running a webserver as root is fine until someone finds a remote exploit in the ancient version of Apache that serves your site because patching is lame and it hurts your uptime. At that point a remote exploit will take over the root owned web server process and have practically unlimited access to the system.

That’s why dropping privileges is a thing we can do. A process can start with root privileges, do just the things that require root privileges, then immediately give up those privileges and switch to an unprivileged account. Now a remote exploiter will only have control of a process running as an unprivileged account, and they’ll need to put time into finding a root escalation attack rather than jumping right in to pilfering data from the system.

One note: users can belong to as many groups as the system administrator sees fit. Run the groups command right now to see what groups you belong to::

$ groups
tim adm audio video libvirtd admin

A process that starts life as a root owned process and drops privileges may not make it through to the other side in all of those groups. For instance, processes daemonized with the Python-LUST toolkit will only belong to the group explicitly specified in the daemon configuration file. If your process uses resources belonging to multiple groups in development, you may find that it stops working when deployed to production and daemonized as a process that drops privileges during start up.

And just for the record, there’s no excuse for not patching.