userv

Olly Betts

Disclaimer

I'm not an expert

Pronunciation

you-serve

~~user-vee~~

High-level Summary

a Unix system facility to allow one program to invoke another when only limited trust exists between them

History

Developed by Ian Jackson 1996-2006
Packaged for Debian and Ubuntu
Apparently not widely known/used

Debian Popcon

Debian popcon installs:

Package	Installs
userv	25
survex	37
XML::Filter::Sort	44
sudo	64,629

Total popcon reports: 90,141

Scenario #1

Richard mirrors SWIG SVN from sf.net
Updated via cron
Automated builds use this mirror
Sometimes I want it up-to-date NOW!

userv to the rescue!

Solution

~richard/.userv/rc:

if ( glob service swigsync
   & glob calling-user richard olly )
     reset
     suppress-args
     execute /home/richard/bin/swigsync.sh
fi

I run:

olly$ userv richard swigsync

Solution

~richard/.userv/rc:

if ( glob service swigsync
   & glob calling-user richard olly )
     reset
     suppress-args
     execute /home/richard/bin/swigsync.sh
fi

Non-approved user runs:

eve$ userv richard swigsync
uservd: request rejected
userv: uservd reports that service failed

Scenario #2

Public git mirror of Subversion

Minimise damage from any compromise
Minimise lag between SVN and git updating
Minimise hassle for root

Update trigger

~olly/.procmailrc:

:0 hic
* ^List-Id:.*xapian-commits\.lists\.xapian\.org
| userv xapian-git git-svn-fetch

git-svn

~xapian-git/.userv/rc:

if ( glob service git-svn-fetch
   & glob calling-user olly james richard root
   )
        reset
        suppress-args
        execute bin/git-svn-fetch
        quit
fi

git-daemon

~xapian-anongit/.userv/rc:

if ( glob service init.d/git-daemon
   & glob calling-user olly james richard root
   )
        reset
        no-suppress-args
        execute bin/init.d-git-daemon
        quit
fi

Scenario #2 summary

Strictly uni-directional information flow
git-daemon compromise affects only xapian-anongit user
xapian-git user hard to compromise, and can't affect SVN
Update delay of a few seconds
Minimal work for root:
- Create xapian-git and xapian-anongit users
- (Optionally) create /etc/init.d/xapian-anongit:
```
#!/bin/sh
exec userv xapian-anongit init.d/git-daemon "$@"
```

Alternatives - server process

Run a server using a domain socket or TCP port.

Doesn't require root
Possible to check calling user (ident)
Needs a process running
No standard tool (that I know of!)
Caller must trust client program

Alternatives - setuid

Various potential security issues
setuid scripts problematic
Caller must trust setuid program
Crude access restrictions

Alternatives - group writable

Set permissions on a file or directory to give any user in a particular group write permission.

Examples: shared high scores, man page cache

Users can modify directly
Limited applicability
Caller must trust client program
Crude access restrictions

Alternatives - sudo

/etc/sudoers allows similar rules
Only root can add rules
Config file controls root access too!

xkcd

xkcd corrected

The End

Questions welcome

Image credits:

openclipart.org for clipart
L-plate by daviddmuir
Superman by dunechaser
Debian QA for popcon graph
Jenny Black and myself for mirror photos
Sandwich cartoon by xkcd

Wellington Perl Mongers, 2010-07-13

userv

userv

Olly Betts

Disclaimer

Pronunciation

High-level Summary

History

Debian Popcon

Scenario #1

userv to the rescue!

Solution

~richard/.userv/rc:

I run:

Solution

~richard/.userv/rc:

Non-approved user runs:

Scenario #2

Public git mirror of Subversion

Update trigger

~olly/.procmailrc:

git-svn

~xapian-git/.userv/rc:

git-daemon

~xapian-anongit/.userv/rc:

Scenario #2 summary

Alternatives - server process

Alternatives - setuid

Alternatives - group writable

Alternatives - sudo

xkcd

xkcd corrected

The End