I'm looking into different security models that are lightweight.
Let's say I have a readonly web service that takes a folder of markdown files and serves them up as HTML.
It gets launched as root and binds to port 8080.
It then chroots() to the markdown file folder and does setuid (65534) (nobody user on BSD and Linux as far as I can tell).
Then let's say another service, nginx, also uses the nobody user.
Is there any drawback to using the same UID between two different chroots? Or should the UID be different?
On BSD and Linux, if I try to kill a PID spawned by nobody from a chroot with nobody, if it's a SIGKILL it terminates the calling process instead of the one it's targeting. So if every sandbox process utilized nobody, and sat in different chroots, there should be no drawback, right? I don't want the different processes to be able to collude as nobody to do anything nefarious, nor to be able to kill each other. It should act as if they are different users.
I know Capsicum is a better solution much of the time, but isn't always available and solves different things.
I used to think random UIDs would be the way to go, but I am starting to think that isn't necessary.
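The setup described in the question (start as root, chroot into the content directory, then become uid 65534) is easy to get subtly wrong, so here is an added example, written for this page and not taken from the poster or any project, of the drop done in the safe order plus a probe for the isolation question. It assumes uid/gid 65534 for nobody as the question states, a directory path given on the command line, and a hypothetical sleep-and-wait main so a second copy can be pointed at the first. The probe uses kill(pid, 0), which asks the kernel whether a signal to pid would be permitted without delivering one; the kernel answers that question by comparing the credentials of the two processes (or CAP_KILL on Linux), so running it from inside each chroot against the other service's PID measures directly whether two sandboxes sharing a UID can signal each other.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Drop privileges in the order that leaves no way back to root:
 * chroot while still root, chdir into the new root (otherwise the old
 * cwd stays reachable), drop supplementary groups, then the primary gid,
 * then the uid last, since uid 0 is what the earlier steps need.
 * Finally verify that uid 0 cannot be regained.
 * Returns 0 on success, or a negative step number identifying the call
 * that failed (errno is left set for steps 1-5). */
int drop_privileges(const char *root, uid_t uid, gid_t gid)
{
    if (chroot(root) != 0)                 return -1;
    if (chdir("/") != 0)                   return -2;
    if (setgroups(0, NULL) != 0)           return -3;
    if (setgid(gid) != 0)                  return -4;
    if (setuid(uid) != 0)                  return -5;
    /* Step 6: the drop must be irreversible. */
    if (setuid(0) == 0 || seteuid(0) == 0) return -6;
    return 0;
}

/* Ask the kernel whether the caller may signal `pid`, without sending
 * anything (signal 0 is a permission check only). chroot plays no part in
 * this decision; credentials do.
 * Returns 1 if allowed, 0 if denied (EPERM), -1 if no such process (ESRCH),
 * -2 on any other error. */
int can_signal(pid_t pid)
{
    if (kill(pid, 0) == 0) return 1;
    if (errno == EPERM)    return 0;
    if (errno == ESRCH)    return -1;
    return -2;
}

int main(int argc, char **argv)
{
    /* Probe mode: ./sandbox -p <pid> from whatever uid/chroot you are testing. */
    if (argc == 3 && strcmp(argv[1], "-p") == 0) {
        int r = can_signal((pid_t)atoi(argv[2]));
        printf("can_signal(%s) = %d (1 allowed, 0 EPERM, -1 no such pid)\n", argv[2], r);
        return 0;
    }
    if (argc != 2) {
        fprintf(stderr, "usage: %s <chroot-dir> | -p <pid>\n", argv[0]);
        return 2;
    }

    /* Sandbox mode: must start as root for chroot(2) and setuid(2) to succeed.
     * Binding the listening socket would happen before this call. */
    int rc = drop_privileges(argv[1], 65534, 65534);
    if (rc == -6) {
        fprintf(stderr, "privilege drop is reversible; refusing to continue\n");
        return 1;
    }
    if (rc != 0) {
        fprintf(stderr, "drop_privileges step %d failed: %s\n", -rc, strerror(errno));
        return 1;
    }
    printf("pid %ld now uid %ld gid %ld inside %s; sleeping 60s, probe with -p %ld\n",
           (long)getpid(), (long)getuid(), (long)getgid(), argv[1], (long)getpid());
    sleep(60);
    return 0;
}
```

To exercise it, start one copy as root in each content directory, then from a shell running as nobody in another chroot (or from a second sandboxed copy) run the -p probe against the first copy's PID; a result of 1 means the kernel would deliver a real signal from that context.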