Skip to content

Add option to bypass root check#39

Closed
marek22k wants to merge 1 commit into
troglobit:masterfrom
marek22k:systemd
Closed

Add option to bypass root check#39
marek22k wants to merge 1 commit into
troglobit:masterfrom
marek22k:systemd

Conversation

@marek22k

@marek22k marek22k commented Sep 8, 2025

Copy link
Copy Markdown
Contributor

Hello,

I am trying to create a systemd unit for pim6sd, but it does not work optimally when I have to start it as root. Therefore, it would be nice to have an option to skip the root check.

[Unit]
Description=PIM-SM/SSM daemon for IPv6
Documentation=https://github.com/troglobit/pim6sd
After=network.target

[Service]
DynamicUser=true
NoNewPrivileges=true
ProtectSystem=strict
ProtectHome=true
ProtectClock=true
ProtectKernelLogs=true
ProtectKernelTunables=true
ProtectProc=ptraceable
ProtectControlGroups=true
ProtectHostname=true
RestrictSUIDSGID=true
RestrictRealtime=true
PrivateTmp=true
SystemCallArchitectures=native
MemoryDenyWriteExecute=true
LockPersonality=true
ProtectKernelModules=true
CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_RAW
AmbientCapabilities=CAP_NET_ADMIN CAP_NET_RAW
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
SystemCallFilter=~@clock @cpu-emulation @debug @module @mount @obsolete @privileged @raw-io @reboot @swap @keyring @memlock @setuid
RestrictNamespaces=true

ExecStart=/usr/sbin/pim6sd -f %E/pim6sd/pim6sd.conf -n -d all
Restart=on-failure
RestartSec=5s

RuntimeDirectory=pim6sd
RuntimeDirectoryMode=0755

[Install]
WantedBy=multi-user.target

Background: A process, especially a long-running process that has contact with the outside world, should not have to start with privileged access. With the help of the capabilities system, it is possible to assign individual required permissions to the process and thus also dispense with root privileges (example CapabilityBoundingSet/AmbientCapabilities=CAP_NET_ADMIN CAP_NET_RAW in systemd).

Background: A process, especially a long-running process that has contact with the outside world, should not have to start with privileged access. With the help of the capabilities system, it is possible to assign individual required permissions to the process and thus also dispense with root privileges (example `CapabilityBoundingSet/AmbientCapabilities=CAP_NET_ADMIN CAP_NET_RAW` in systemd).

Signed-off-by: Marek Küthe <m.k@mk16.de>

@troglobit troglobit left a comment

Copy link
Copy Markdown
Owner

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't agree with this PR. Instead of adding more undocumented options we should remove bad behavior. Have you researched what mrouted or pimd does? Can we remove the root check entirely instead? If not what's blocking us?

@marek22k

marek22k commented Sep 9, 2025

Copy link
Copy Markdown
Contributor Author

#40

@marek22k marek22k closed this Sep 9, 2025
@marek22k

marek22k commented Sep 9, 2025

Copy link
Copy Markdown
Contributor Author

I don't agree with this PR. Instead of adding more undocumented options we should remove bad behavior.

If that's okay with you :-)

Have you researched what mrouted or pimd does?

Theoretically, I should know, but in practice, I lack both experience and practice.

If you have any further links/documentation on this, I would be grateful.

Can we remove the root check entirely instead? If not what's blocking us?

I would say yes. If you start it via systemd with the appropriate privileges, as I do, it (apparently) works that way too.

@marek22k marek22k deleted the systemd branch September 9, 2025 05:59
@marek22k

marek22k commented Sep 9, 2025

Copy link
Copy Markdown
Contributor Author

If it's okay for me to ask another question: Is it possible to configure pim6sd to use a specific routing table for RPF calculation? Not all of my peers are multicast-capable, so I would create a second routing table for multicast if necessary.

@troglobit

Copy link
Copy Markdown
Owner

I don't agree with this PR. Instead of adding more undocumented options we should remove bad behavior.

If that's okay with you :-)

Well ... I added a caveat to my request ...

Have you researched what mrouted or pimd does?
Theoretically, I should know, but in practice, I lack both experience and practice.
If you have any further links/documentation on this, I would be grateful.

In practice, I'm the maintainer for mrouted, pimd, as well as pimd-dense, and it's not that difficult to just google it? I'm not here to teach you stuff or be your errand boy, you're the one who wants to merge a change, so the onus is on you.

Can we remove the root check entirely instead? If not what's blocking us?
I would say yes. If you start it via systemd with the appropriate privileges, as I do, it (apparently) works that way too.

"It works for me" ... great, thanks for the help. So, I asked because I didn't remember what decision I made in the other projects, and now I've checked myself since you were too lazy to bother, the conclusion is -- all the other projects have the same check. One of the many reasons for this is that all of these multicast routing daemons run on all UNIX systems out there with the MROUTING kernel stack, not just Linux. So I'm going to have to ask you to take that into account when reworking this patch.

@troglobit

Copy link
Copy Markdown
Owner

If it's okay for me to ask another question: Is it possible to configure pim6sd to use a specific routing table for RPF calculation? Not all of my peers are multicast-capable, so I would create a second routing table for multicast if necessary.

It's extremely difficult to keep track of as a maintainer, so I've forked-off your question as a separate issue. See #41

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants