Embed Notice

HTML Code

<blockquote style="position: relative; padding-left: 55px;"><section><a href="https://pony.social/users/cult/statuses/113205844746121144">CULTPONY :verified: :verified: (cult@pony.social)'s status on Friday, 27-Sep-2024 06:05:21 JST</a><a href="https://pony.social/@cult" title="cult@pony.social"><img src="https://gnusocial.jp/avatar/20077-48-20231024042554.webp" width="48" height="48" alt="CULTPONY :verified: :verified:" style="position: absolute; left: 0; top: 0;">CULTPONY :verified: :verified:</a><div><a href="https://friedcheese.us/objects/abd589a4-3421-4a1b-96b6-0edcbbab5c14" rel="in-reply-to">in reply to</a><ul><li></ul></div></section><article><p><a href="https://friedcheese.us/users/feld" rel="nofollow noreferrer">@feld</a> Atleast on Linux an option going forward is systemd.socket, which can do TCP socket listening for a service and pass it when starting it. That eliminates the need for requiring root, systemd is root and opens the socket, the service does not open it onyl handle it.</p><p>On BSD/Alpine there'd be the option of inetd with priv dropping so systemd isn't required.</p><p>Apple MacOS.</p><p>Still, it seems atleast the part that is being RCE'd is not running as root and can only write to /tmp as non-root, so it's "FINE" (load bearing quotes).</p></article><footer><a rel="bookmark" href="https://gnusocial.jp/conversation/3733244#notice-7310104">In conversation</a><time datetime="2024-09-27T06:05:21+09:00" title="Friday, 27-Sep-2024 06:05:21 JST">about 2 months ago</time> <span>from <span><a href="https://pony.social/@cult/113205844746121144" rel="external" title="Sent from pony.social via ActivityPub">pony.social</a></span></span><a href="https://pony.social/@cult/113205844746121144">permalink</a></footer></blockquote>

Corresponding Notice

Embed this notice
CULTPONY :verified: :verified: (cult@pony.social)'s status on Friday, 27-Sep-2024 06:05:21 JSTCULTPONY :verified: :verified:
in reply to
- feld
@feld Atleast on Linux an option going forward is systemd.socket, which can do TCP socket listening for a service and pass it when starting it. That eliminates the need for requiring root, systemd is root and opens the socket, the service does not open it onyl handle it.
On BSD/Alpine there'd be the option of inetd with priv dropping so systemd isn't required.
Apple MacOS.
Still, it seems atleast the part that is being RCE'd is not running as root and can only write to /tmp as non-root, so it's "FINE" (load bearing quotes).
In conversationabout 2 months ago from pony.socialpermalink

Public

Embed Notice

HTML Code

Corresponding Notice