Skip to content
  • deuce's avatar
    Linux will now (sort of) run as a non-root user. After hours of trying · 772ac0b2
    deuce authored
    to track down the issue, I finally gave up... as a result, there is a new
    feature!
    
    Linux will no longer completely drop it's root privs (It never really did
    anyways, and you couldn't possibly make it... but now it does so even less)
    
    As a result, Linux can now recycle all servers when running as non-root.
    
    From a security standpoint, doing this is more secure than running as root,
    but less secure than the behaviour on POSIX.4 compliant pthreads.  Running
    the BBS as root means that if a user can create a file with the name of his
    choice, or pass *any* command through to a shell, that user will get root
    access to the machine.  Using the new behaviour, the user would need to
    trick the Synchronet binary itself into executing arbitrary and specially
    crafted code... probobly using the dreaded buffer overflow... of which
    there are probobly some in the web server code.  :-)  If the user can do
    this much more tricky feat, then the user gets root privs.  If not, the
    user will have to find something else to exploit on your system.
    
    Knowing that some *BSD users (surely not OpenBSD users though) will want to
    trade security for convenience, I stole a page out of the Sendmail book and
    implemented a "DONT_BLAME_SYNCHRONET" make option.  Compiling like this:
    gmake DONT_BLAME_SYNCHRONET=1
    
    Will implement this same behaviour on non-Linux platforms.  Allowing this
    partial security feature.
    772ac0b2