KiwiIRC runs as root
ccoenen opened this issue · comments
I don't believe it is a good idea to have this thing run as root user, it is defined here:
but never actually used anywhere. It would probably need to be referenced here:
Other choices would be: www-data
or httpd
which are usually available on systems with http servers like apache or nginx; irc
which is usually present on servers that run an ircd.
I changed the line to be
sudo -u $user $cmd 1>> "$std_log" 2>&1 &
but I have no idea if this is portable to different distributions.
(it should also be noted that you need to have root access to create ports < 1000, I am using this with "regular" webserver in front of it)
you need to have root access to create ports < 1000
*1024
A lot of people do have this running on port 80/443 by default which either root is needed or some distros support setcap
to allow non-root users to listen on ports < 1024. Also to remember that not all distros have sudo installed.
I'm not entirely sure what the best way of handling all these cases are short of creating a package for each and every distro out there.
there appear to be only shitty options to solve this.
- proxy to high port number is not trivial to set up
- iptables rerouting to high port number is not trivial to set up
- authbind appears to be debian/ubuntu only
setcap CAP_NET_BIND_SERVICE would apparently allow any node process to open ports (not just the specific kiwiirc process)(apparently considered harmful, see next post, thanks for speaking up :-) )
Feel free to close this, but I still think this should be documented somewhere.
Systemd has a solution for the port binding, see for example here: https://github.com/mholt/caddy/blob/master/dist/init/linux-systemd/caddy.service#L43
Using setcap is considered harmful.
@mestaritonttu any more info on why setcap is harmful?
Only this, like we discussed on IRC: caddyserver/caddy#528 (comment)