Base: Run ProtocolServer as a separate "protocol" user
This is probably not the final design we'll want for this, but for now let's run the HTTP client code as a separate user to reduce exposure for the standard "anon" user account. Note that "protocol" is also added to the "lookup" group, in order to allow ProtocolServer to contact LookupServer for DNS requests.
parent 83f59419cd
commit d0a708fda4
Notes:
sideshowbarker
2024-07-19 10:12:14 +09:00
Author: https://github.com/awesomekling Commit: https://github.com/SerenityOS/serenity/commit/d0a708fda42
3 changed files with 5 additions and 2 deletions
|
@ -6,10 +6,11 @@ Priority=high
|
||||||
|
|
||||||
[ProtocolServer]
|
[ProtocolServer]
|
||||||
Socket=/tmp/portal/protocol
|
Socket=/tmp/portal/protocol
|
||||||
|
SocketPermissions=660
|
||||||
Lazy=1
|
Lazy=1
|
||||||
Priority=low
|
Priority=low
|
||||||
KeepAlive=1
|
KeepAlive=1
|
||||||
User=anon
|
User=protocol
|
||||||
|
|
||||||
[LookupServer]
|
[LookupServer]
|
||||||
Socket=/tmp/portal/lookup
|
Socket=/tmp/portal/lookup
|
||||||
|
|
|
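Review bot: The added `SocketPermissions=660` line in `[ProtocolServer]` limits the socket to its owner and group, but nothing in this section says which group that is. With `User=protocol`, clients running as anon can only connect through group membership, so this section silently depends on the `protocol:x:11:anon` line in the group file. State that dependency in the commit message or next to the section, so that a later change to either file does not lock clients out or reopen the socket wider than intended.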
@ -3,5 +3,6 @@ wheel:x:1:anon
|
||||||
tty:x:2:
|
tty:x:2:
|
||||||
phys:x:3:anon
|
phys:x:3:anon
|
||||||
audio:x:4:anon
|
audio:x:4:anon
|
||||||
lookup:x:10:anon
|
lookup:x:10:protocol,anon
|
||||||
|
protocol:x:11:anon
|
||||||
users:x:100:anon
|
users:x:100:anon
|
||||||
|
|
|
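Review bot: The new `protocol:x:11:anon` line makes anon the only member of the group that can reach the 660 socket, so the `nona` account listed in the passwd file would not be able to connect to ProtocolServer. If that is intended, say so in the commit message. If not, add `nona` here. Separately, `lookup:x:10:protocol,anon` keeps anon in the lookup group. The message only explains why protocol is added, so it is worth confirming that anon still needs direct LookupServer access now that the HTTP client runs as its own user.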
@ -1,4 +1,5 @@
|
||||||
root:x:0:0:root:/:/bin/sh
|
root:x:0:0:root:/:/bin/sh
|
||||||
lookup:x:10:10:LookupServer,,,:/:/bin/false
|
lookup:x:10:10:LookupServer,,,:/:/bin/false
|
||||||
|
protocol:x:11:11:ProtocolServer,,,:/:/bin/false
|
||||||
anon:x:100:100:Anonymous,,,:/home/anon:/bin/sh
|
anon:x:100:100:Anonymous,,,:/home/anon:/bin/sh
|
||||||
nona:x:200:200:Nona,,,:/home/nona:/bin/sh
|
nona:x:200:200:Nona,,,:/home/nona:/bin/sh
|
||||||
|
|