On 15 Apr 2024, at 16:34, Andy Smith via BitFolk Users <users(a)mailman.bitfolk.com> wrote:
> - That this is somehow a systemd issue. All of the code in every .so
>   below can do stuff as root inside the address space of the sshd
>   process.
Granted.
> What makes sshd different is that it's run almost everywhere (hugely
> attractive target) and it's often exposed to the whole Internet
> (hugely attractive target) and a lot of it runs as root.
But despite that I expect it is still run in as many places as whatever web server you
will use to implement your alternative solution. You may argue that your web server
doesn’t run as root, but if you intend it to perform this intended service then a portion
of it will have to, so you’re back at square one. What does your attack surface look like
if you do ‘ldd /my/web/server’? It still seems to me like you're trading one fairly
complex, reasonably well understood mechanism for a more complex, less well understood
alternative.
Regards,
Chris
—
Chris Smith <space.dandy(a)icloud.com>