Bug#997977: /lib/systemd/system/monopd.service:8: Special user nobody configured, this is not safe!

Markus Koschany apo at debian.org
Thu Oct 28 11:04:30 BST 2021


Am Donnerstag, dem 28.10.2021 um 14:24 +0800 schrieb Jason L. Quinn:
> Package: monopd
> Version: 0.10.2-4
> Severity: grave
> Tags: security
> Justification: user security hole
> X-Debbugs-Cc: jason.lee.quinn+debian at gmail.com, Debian Security Team
> <team at security.debian.org>
> 
> Dear Maintainer,
> 
> Recently upgraded from Buster to Bullseye. I'm not perusing
> "journalctl --boot" looking for errors and warnings and submitting
> bug reports as I tend to do after a Debian upgrade. One of the curious
> lines in my journal logs was
> 
> /lib/systemd/system/monopd.service:8: Special user nobody configured, this is
> not safe!
> 
> This does indeed appear to be a valid systemd warning. See commit at
> 
> https://github.com/systemd/systemd/commit/bed0b7dfc0070e920d00c89d9a4fd4db8d974cf0
> 
> Marked as grave as per bug descriptions in the reportbug tool (introduces a
> security hole).

I don't think this constitutes a grave security issue alone just because the
server starts with owner nobody permissions which has been the case for the
past 18 years by the way. You need some kind of exploit and services/files of
the same owner to manipulate which is unlikely given that possibly only two
people in the world including myself run a monopoly server in a "production"
environment. 

I agree that we can use systemd's DynamicUser feature in this case and tighten
the permissions because it implies ProtectSystem=strict and PrivateTmp=yes. I
need to figure out if we need more permissions but probably not.

Regards,

Markus
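As an added example, not from the bug thread or the monopd package, the following POSIX shell audit flags the setting systemd's warning refers to (a `[Service]` section running as the shared `nobody` account without `DynamicUser=`) and shows the `DynamicUser=yes` form Markus proposes; the unit text is constructed, and the User= check is this script's own heuristic, not systemd's code.

```shell
#!/bin/sh
# Added example for this thread, not code from the monopd package or the bug
# report: report a unit whose [Service] section runs as the shared "nobody"
# account without DynamicUser=, the case systemd's
# "Special user nobody configured" warning is about, and show the fix.
set -eu

# Constructed unit text; only the lines the warning points at are modelled.
BEFORE='[Service]
ExecStart=/usr/bin/monopd
User=nobody
Group=nogroup'

# Hardened form: DynamicUser=yes allocates a transient UID/GID for this
# service alone, so its files and processes are not shared with every other
# "nobody" service, and it implies ProtectSystem=strict and PrivateTmp=yes.
AFTER='[Service]
ExecStart=/usr/bin/monopd
DynamicUser=yes'

# unit_status: read a unit file on stdin, print "unsafe" when the [Service]
# section sets User=nobody (or UID 65534, assumed to be nobody) and
# DynamicUser= is not enabled, otherwise print "ok". Comments and other
# sections are ignored; key=value lines are expected without padding.
unit_status() {
    in_service=0; user=''; dynamic='no'
    while IFS= read -r line; do
        case "$line" in
            '#'*|';'*|'') continue ;;
            '['*']')
                if [ "$line" = '[Service]' ]; then in_service=1; else in_service=0; fi
                continue ;;
        esac
        [ "$in_service" -eq 1 ] || continue
        key=${line%%=*}; val=${line#*=}
        case "$key" in
            User) user=$val ;;
            DynamicUser) dynamic=$val ;;
        esac
    done
    case "$dynamic" in yes|true|on|1) dynamic=yes ;; esac
    if [ "$dynamic" != yes ] && { [ "$user" = nobody ] || [ "$user" = 65534 ]; }; then
        echo unsafe
    else
        echo ok
    fi
}

printf 'before: %s\n' "$(printf '%s\n' "$BEFORE" | unit_status)"   # unsafe
printf 'after:  %s\n' "$(printf '%s\n' "$AFTER" | unit_status)"    # ok
```

On a live system the same question can be put to systemd itself with `systemctl show -p User,DynamicUser,ProtectSystem,PrivateTmp monopd.service`, and `systemd-analyze security monopd.service` scores the whole sandbox.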