Packaged binaries shouldn't run as root unless absolutely necessary #70

@salcock

This is especially true for the provisioner and mediator -- the collector may need root to be able to listen on the capture interface (but even then, we may only need those permissions temporarily).

Ideally, our packaged installs would create an "openli" user, install everything (binaries, config files, etc.) as belonging to that user and have the systemd scripts run the components as "openli".

Unfortunately, because we didn't do this earlier, we'll also need some sort of script that will detect existing config etc. that is owned by root and make sure that ownership is changed to the "openli" user when the package is updated.
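One way to do the ownership migration step described above, as an added example that is not part of the original issue or of OpenLI's packaging. The directory is supplied by the caller (no OpenLI path is assumed), and the function names and the `dry-run`/`apply` mode argument are hypothetical.

```shell
#!/bin/sh
# Added example: re-own files left behind by an older root-owned install.
# Intended to be called from a package post-install script, e.g.
#   migrate_ownership root openli "$CONF_DIR" apply
# where CONF_DIR is a placeholder for the package's config directory.

# Print every entry under DIR that is owned by FROM_USER.
# find does not follow symlinks by default, and -xdev keeps it on one
# filesystem, so a link or mount inside DIR cannot widen the search.
list_owned_by() {
    from_user=$1
    dir=$2
    [ -d "$dir" ] || return 0          # nothing installed yet: nothing to do
    find "$dir" -xdev -user "$from_user" -print
}

# Change ownership of FROM_USER-owned entries under DIR to TO_USER.
# MODE is "dry-run" (print the chown commands) or "apply" (run them).
# Entries owned by anyone else are left alone, so local changes made by
# an administrator are not overwritten.
migrate_ownership() {
    from_user=$1
    to_user=$2
    dir=$3
    mode=${4:-dry-run}
    [ -d "$dir" ] || return 0
    case $mode in
        dry-run)
            find "$dir" -xdev -user "$from_user" \
                -exec echo chown -h "$to_user" {} \;
            ;;
        apply)
            # -h changes a symlink itself, never the file it points to.
            # Without it, a link inside DIR that points at a system file
            # would hand that file to TO_USER while running as root.
            find "$dir" -xdev -user "$from_user" \
                -exec chown -h "$to_user" {} +
            ;;
        *)
            echo "migrate_ownership: unknown mode '$mode'" >&2
            return 2
            ;;
    esac
}
```

Running it in `dry-run` mode first shows exactly which entries an upgrade would touch.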

Labels

Known Issue: Incorrect or undesirable behaviour that can be temporarily worked around
Packaging: Related to the binary packages built for Debian, CentOS, etc.