[Bug 1204236] New: AUDIT-1: fluidsynth: fluidsynth service now runs as root?
https://bugzilla.suse.com/show_bug.cgi?id=1204236

            Bug ID: 1204236
           Summary: AUDIT-1: fluidsynth: fluidsynth service now runs as root?
    Classification: openSUSE
           Product: openSUSE Tumbleweed
           Version: Current
          Hardware: Other
                OS: Other
            Status: NEW
          Severity: Normal
          Priority: P5 - None
         Component: Security
          Assignee: security-team@suse.de
          Reporter: matthias.gerstner@suse.com
        QA Contact: qa-bugs@suse.de
                CC: tom.mbrt@googlemail.com
          Found By: ---
           Blocker: ---

A recent update to fluidsynth in Tumbleweed switched from a checked-in systemd service file to a version from upstream. Previously, with the checked-in systemd service file, fluidsynth has been running with lowered privileges (fluidsynth:audio). Now, with upstream's service file, it runs as root.

Was this an intended change? If possible we should continue using the privilege drop, maybe also upstreaming it.

-- 
You are receiving this mail because:
You are on the CC list for the bug.
https://bugzilla.suse.com/show_bug.cgi?id=1204236

Matthias Gerstner <matthias.gerstner@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Assignee|security-team@suse.de       |tiwai@suse.com
https://bugzilla.suse.com/show_bug.cgi?id=1204236

Matthias Gerstner <matthias.gerstner@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |security-team@suse.de
https://bugzilla.suse.com/show_bug.cgi?id=1204236
https://bugzilla.suse.com/show_bug.cgi?id=1204236#c1

--- Comment #1 from Tom Mbrt <tom.mbrt@googlemail.com> ---
I removed the hardcoded service file because it was obviously duplicated, while the purpose of doing so was not clear. I missed the lower privileges part.

If you want to reintroduce this, I suggest that a patch should be used rather than duplicating the service file.

The systemd hardening effort was partly reverted by upstream after people reported that this breaks systemd user services. See the fluidsynth 2.3.0 changelog for details.
https://bugzilla.suse.com/show_bug.cgi?id=1204236
https://bugzilla.suse.com/show_bug.cgi?id=1204236#c2

--- Comment #2 from Matthias Gerstner <matthias.gerstner@suse.com> ---
Sure, you can do it any way you think is best. The security team is now monitoring changes to systemd services in Tumbleweed and it stuck out that fluidsynth now runs with higher privileges.

If the daemon can run without root privileges then ideally upstream could offer build-time configuration for the user and group to use. Maybe you can open an issue for this upstream.
https://bugzilla.suse.com/show_bug.cgi?id=1204236
https://bugzilla.suse.com/show_bug.cgi?id=1204236#c3

Takashi Iwai <tiwai@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Assignee|tiwai@suse.com              |tom.mbrt@googlemail.com

--- Comment #3 from Takashi Iwai <tiwai@suse.com> ---
I reassign to Tom. Feel free to cook :)
https://bugzilla.suse.com/show_bug.cgi?id=1204236
https://bugzilla.suse.com/show_bug.cgi?id=1204236#c4

Matthias Gerstner <matthias.gerstner@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Summary|AUDIT-1: fluidsynth:        |fluidsynth: fluidsynth
                   |fluidsynth service now runs |service now runs as root?
                   |as root?                    |

--- Comment #4 from Matthias Gerstner <matthias.gerstner@suse.com> ---
Removing the AUDIT tag, let's treat this as a regular bug, since there's no direct security issue involved.
https://bugzilla.suse.com/show_bug.cgi?id=1204236

Tom Mbrt <tom.mbrt@googlemail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |IN_PROGRESS
https://bugzilla.suse.com/show_bug.cgi?id=1204236
https://bugzilla.suse.com/show_bug.cgi?id=1204236#c5

Tom Mbrt <tom.mbrt@googlemail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|IN_PROGRESS                 |RESOLVED
         Resolution|---                         |FIXED

--- Comment #5 from Tom Mbrt <tom.mbrt@googlemail.com> ---
Fixed in 2.3.1 by switching to user-service.
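The regression reported in this thread (a service update silently dropping `User=`/`Group=` and therefore running as root) is exactly the kind of change a packaging review can catch mechanically. The following is an added example, not code from the bug report, the openSUSE package or the fluidsynth project: a small POSIX shell checker that reads a systemd unit, reports which account the service would run as, and lists common hardening directives that are missing. Both unit texts inside it are constructed for the example and are not the real old or new fluidsynth service files; the account `fluidsynth:audio` is taken from the report, the directive names are real systemd options.

```shell
#!/bin/sh
# Added example: check whether a systemd service unit drops root and which
# hardening directives it carries. Not the fluidsynth project's own code.

# Constructed sample 1: a unit in the style the report describes as "runs as
# root" - no User=, Group= or DynamicUser= in [Service].
UNIT_ROOT='[Unit]
Description=FluidSynth Daemon

[Service]
Type=notify
ExecStart=/usr/bin/fluidsynth -is

[Install]
WantedBy=multi-user.target'

# Constructed sample 2: the same unit with the privilege drop the old
# checked-in file had (fluidsynth:audio) plus a few hardening directives.
UNIT_DROP='[Unit]
Description=FluidSynth Daemon

[Service]
Type=notify
User=fluidsynth
Group=audio
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes
NoNewPrivileges=yes
ExecStart=/usr/bin/fluidsynth -is

[Install]
WantedBy=multi-user.target'

# unit_get_value UNIT_TEXT KEY: print the last KEY= value in [Service]
# (systemd lets a later assignment override an earlier one; an empty
# assignment resets the option, so it prints nothing in that case).
unit_get_value() {
    printf '%s\n' "$1" | awk -v key="$2" '
        BEGIN { pat = key "=" }
        /^\[/ { in_service = ($0 == "[Service]"); next }
        in_service && index($0, pat) == 1 { val = substr($0, length(pat) + 1) }
        END { if (val != "") print val }'
}

# unit_run_user UNIT_TEXT: print the account the service would run as.
# A system service without User= or DynamicUser=yes runs as root.
unit_run_user() {
    user=$(unit_get_value "$1" User)
    dyn=$(unit_get_value "$1" DynamicUser)
    if [ -n "$user" ]; then
        printf '%s\n' "$user"
    elif [ "$dyn" = yes ] || [ "$dyn" = true ] || [ "$dyn" = 1 ]; then
        printf 'dynamic\n'
    else
        printf 'root\n'
    fi
}

# unit_missing_hardening UNIT_TEXT: print absent hardening directives, one
# per line, so a reviewer sees what an update dropped.
unit_missing_hardening() {
    for key in ProtectSystem ProtectHome PrivateTmp NoNewPrivileges; do
        [ -n "$(unit_get_value "$1" "$key")" ] || printf '%s\n' "$key"
    done
}

# unit_report NAME UNIT_TEXT: one-line verdict; exit status 1 if the
# service would run as root, 0 otherwise.
unit_report() {
    u=$(unit_run_user "$2")
    g=$(unit_get_value "$2" Group)
    missing=$(unit_missing_hardening "$2" | tr '\n' ' ')
    missing=${missing% }
    printf '%s: runs as %s%s; missing: %s\n' \
        "$1" "$u" "${g:+:$g}" "${missing:-none}"
    [ "$u" != root ]
}

unit_report upstream.service "$UNIT_ROOT" || :   # non-zero: still root
unit_report hardened.service "$UNIT_DROP"
```

Run against a real unit with `unit_report fluidsynth.service "$(cat /usr/lib/systemd/system/fluidsynth.service)"`; on a live system `systemctl show -p User -p Group fluidsynth.service` prints the effective values, which is the quickest way to confirm what the package review above spotted. Note that the checker only reads the `[Service]` section of the file it is given, not drop-ins under `/etc/systemd/system/<unit>.d/`, which can add or clear `User=` on top of the packaged file.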