I don’t understand the purpose of the PR given that
osqueryd
runs as root
t
theopolis
01/18/2020, 1:34 PM
You may want to run extensions as non-root. Right now that is not possible due to permissions on the socket. It is a good thing the socket permissions are restrictive because access allows you to query any data as root.
s
sundsta
01/18/2020, 11:12 PM
Ah I didn’t realize the extensions could run under a different user/group. In that case, the PR is fine from my view. Overall, I am more interested in running the whole thing as non-root and using Linux capabilities to restrict the access (https://github.com/osquery/osquery/issues/6121)
s
seph
01/19/2020, 1:34 PM
My initial thought is that it seems fine? If we're already trusting posix auth, group writable is okay