Running radmind as an unprivileged user
The radmind server process binds to a high-numbered port, and doesn't read or write to the filesystem outside its own working directory. Therefore, it need not and should not run as root.
On my Mac OS X Radmind server, I created a new user and group, both named 'radmind'. The radmind user is the only member of the radmind group. User radmind has login disabled, an invalid shell, and home directory /Users/radmind. I chose to put the home directory under /Users, rather than in /var/radmind, for two reasons:
- /Users is a separate volume mounted from an encrypted disk image. With the radmind files on this volume, they're protected from tampering by an attacker who has physical access to the machine, and they don't need to be tripwired.
- The Radmind server is also a client (of itself), and I prefer to keep the server files separate from the client files for clarity. The only problem with this setup is that Radmind Server Manager is hard-coded to look for the server files in /var/radmind. Therefore, I had to put symbolic links to each of the server directories and to the config file in /var/radmind, in order to be able to use RSM. Note to RSM developers: please change this in a future release.
Setting permissions for the server files is a bit tricky. Schematically, the server directory looks like this:
[drwxr-xr-x root    admin  ]  /Users/radmind/
|-- [dr-xr-x--- radmind admin  ]  cert
|   |-- [-r--r----- radmind admin  ]  ca.pem
|   `-- [-r--r----- radmind admin  ]  cert.pem
|-- [drwxr-s--- root    radmind]  command
|   |-- [-rw-r----- root    radmind]  command1.K
|   |-- [-rw-r----- root    radmind]  command2.K
|   |-- ...
|-- [-rw-r----- root    radmind]  config
|-- [drwxr-x--- root    radmind]  file
|   |-- [drwxr-x--- radmind radmind]  loadset1.T
|   |-- [drwxr-x--- radmind radmind]  loadset2.T
|   |-- ...
|-- [drwxr-x--- root    radmind]  special
|-- [drwxr-x--- root    radmind]  tmp
|   |-- [drwxrwx--- root    radmind]  file
|   `-- [drwxrwx--- root    radmind]  transcript
`-- [drwxr-sr-x root    radmind]  transcript
    |-- [-rw-r----- root    radmind]  loadset1.T
    |-- [-rw-r----- radmind radmind]  loadset2.T
    |-- ...
Once this is set up, I can start the server with the command
sudo -H -u radmind /usr/local/sbin/radmind -u23 -w2 -D ~radmind
I use a launchd item to start the server automatically when the Users volume is mounted:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>edu.umich.radmind</string>
    <key>KeepAlive</key>
    <dict>
        <key>PathState</key>
        <dict>
            <key>/Users/radmind</key>
            <true/>
        </dict>
    </dict>
    <key>ProgramArguments</key>
    <array>
        <string>/usr/local/sbin/radmind</string>
        <string>-f</string>
        <string>-u23</string>
        <string>-w2</string>
        <string>-D</string>
        <string>/Users/radmind</string>
    </array>
    <key>UserName</key>
    <string>radmind</string>
</dict>
</plist>
Note that the transcripts stored on the server will have different permissions, depending on whether or not they were updated when checked in. Those checked in without updating will be owned by the radmind user, while those that are updated will be owned by root. That's because RSM runs lcksum as root, and it replaces the transcript rather than modifying it. The transcript and command directories must have the SGID bit set in order for their contents to be readable by the server process.
This modification is only for the very security-conscious, but I feel better knowing I don't have an unnecessary root daemon listening on the network.