undefined | Better HN

0 pointswtallis8y ago0 comments

OpenWRT is still trying to support devices with 8MB of storage, so they can't go overboard and start incorporating Docker or anything like that. But some services do run as separate users: on my routers, dnsmasq and avahi aren't running as root. What other services would you like to see isolated?

0 comments

Tepix8y ago

I didn't know that. Sounds like they are moving in the right direction. One important component that should not run as root is the web server.

wtallisOP8y ago

Generally speaking, I agree that a web server shouldn't be running as root. But when the sole purpose of that web server is to provide root-level control over the system, is there really much security to be gained by running that process as a different user? That "unprivileged" process is still going to have some mechanism for causing arbitrary commands to run as root.

I can imagine that you might have an unprivileged server presenting just the log-in page, then proxying to a privileged server that is started once the administrator is authenticated. But that doesn't get you much more security, and it probably does strain the resources of low-end routers. A small, auditable server may be better than a more complicated system, especially since it is trivial for more paranoid users to disable/uninstall the web server and just use SSH (which nobody seems to mind running as root).

j / k navigate · click thread line to collapse

0 pointswtallis8y ago0 comments

0 comments

Tepix8y ago

I didn't know that. Sounds like they are moving in the right direction. One important component that should not run as root is the web server.

wtallisOP8y ago

j / k navigate · click thread line to collapse