You are here

Access Control for GNUnet

Primary tabs

This chapter documents how we plan to make access control work within the GNUnet system for a typical peer. It should be read as a best-practice installation guide for advanced users and builders of binary distributions. The recommendations in this guide apply to POSIX-systems with full support for UNIX domain sockets only.

Note that this is an advanced topic. The discussion presumes a very good understanding of users, groups and file permissions. Normal users on hosts with just a single user can just install GNUnet under their own account (and possibly allow the installer to use SUDO to grant additional permissions for special GNUnet tools that need additional rights). The discussion below largely applies to installations where multiple users share a system and to installations where the best possible security is paramount.

A typical GNUnet system consists of components that fall into four categories:

User interfaces
User interfaces are not security sensitive and are supposed to be run and used by normal system users. The GTK GUIs and most command-line programs fall into this category. Some command-line tools (like gnunet-transport) should be excluded as they offer low-level access that normal users should not need.
System services and support tools
System services should always run and offer services that can then be accessed by the normal users. System services do not require special permissions, but as they are not specific to a particular user, they probably should not run as a particular user. Also, there should typically only be one GNUnet peer per host. System services include the gnunet-service and gnunet-daemon programs; support tools include command-line programs such as gnunet-arm.
Priviledged helpers
Some GNUnet components require root rights to open raw sockets or perform other special operations. These gnunet-helper binaries are typically installed SUID and run from services or daemons.
Critical services
Some GNUnet services (such as the DNS service) can manipulate the service in deep and possibly highly security sensitive ways. For example, the DNS service can be used to intercept and alter any DNS query originating from the local machine. Access to the APIs of these critical services and their priviledged helpers must be tightly controlled.

Recommendation: Disable access to GNUnet services via TCP

GNUnet services allow two types of access: via TCP socket or via UNIX domain socket. If the service is available via TCP, access control can only be implemented by restricting connections to a particular range of IP addresses. This is acceptable for non-critical services that are supposed to be available to all users on the local system or local network. However, as TCP is generally less efficient and it is rarely the case that a single GNUnet peer is supposed to serve an entire local network, the default configuration should disable TCP access to all GNUnet services on systems with support for UNIX domain sockets. As of GNUnet 0.9.2, configuration files with TCP access disabled should be generated by default. Users can re-enable TCP access to particular services simply by specifying a non-zero port number in the section of the respective service.

Recommendation: Run most GNUnet services as system user "gnunet"

GNUnet's main services should be run as a separate user "gnunet" in a special group "gnunet". The user "gnunet" should start the peer using "gnunet-arm -s" during system startup. The home directory for this user should be "/var/lib/gnunet" and the configuration file should be "/etc/gnunet.conf". Only the "gnunet" user should have the right to access "/var/lib/gnunet" (mode: 700).

Recommendation: Control access to GNUnet services using group "gnunet"

Users that should be allowed to use the GNUnet peer should be added to the group "gnunet". Using GNUnet's access control mechanism for UNIX domain sockets, those services that are considered useful to ordinary users should be made available by setting "UNIX_MATCH_GID=YES" for those services. Again, as shipped, GNUnet provides reasonable defaults. Permissions to access the transport and core subsystems might additionally be granted without necessarily causing security concerns. Some services, such as DNS, must NOT be made accessible to the "gnunet" group (and should thus only be accessible to the "gnunet" user and services running with this UID).

Recommendation: Limit access to certain SUID binaries by group "gnunet"

Most of GNUnet's SUID binaries should be safe even if executed by normal users. However, it is possible to reduce the risk a little bit more by making these binaries owned by the group "gnunet" and restricting their execution to user of the group "gnunet" as well (4750).

Recommendation: Limit access to critical gnunet-helper-dns to group "gnunetdns"

A special group "gnunetdns" should be created for controlling access to the "gnunet-helper-dns". The binary should then be owned by root and be in group "gnunetdns" and be installed SUID and only be group-executable (2750). Note that the group "gnunetdns" should have no users in it at all, ever. The "gnunet-service-dns" program should be executed by user "gnunet" (via gnunet-service-arm) with the binary owned by the user "root" and the group "gnunetdns" and be SGID (2700). This way, only "gnunet-service-dns" can change its group to "gnunetdns" and execute the helper, and the helper can then run as root (as per SUID). Access to the API offered by "gnunet-service-dns" is in turn restricted to the user "gnunet" (not the group!), which means that only "benign" services can manipulate DNS queries using "gnunet-service-dns".

Differences between "make install" and these recommendations

The current build system does not set all permissions automatically based on the recommendations above. In particular, it does not use the group "gnunet" at all (so setting gnunet-helpers other than the gnunet-helper-dns to be owned by group "gnunet" must be done manually). Furthermore, 'make install' will silently fail to set the DNS binaries to be owned by group "gnunetdns" unless that group already exists (!). An alternative name for the "gnunetdns" group can be specified using the "--with-gnunetdns=GRPNAME" configure option.

Peer Configuration

The "GNUNET_DATA_HOME" in "[path]" in /etc/gnunet.conf should be manually set to "/var/lib/gnunet/data/" as the default "~/.local/share/gnunet/" is probably not that appropriate in this case. Similarly, distributions may consider pointing "GNUNET_RUNTIME_DIR" to "/var/run/gnunet/" and "GNUNET_HOME" to "/var/lib/gnunet/". Also, should a distribution decide to override system defaults, all of these changes should be done in a custom "/etc/gnunet.conf" and not in the files in the "config.d/" directory.

Given the proposed access permissions, the "gnunet-setup" tool must be run as use "gnunet" (and with option "-c /etc/gnunet.conf" so that it modifies the system configuration). As always, gnunet-setup should be run after the GNUnet peer was stopped using "gnunet-arm -e". Distributions might want to include a wrapper for gnunet-setup that allows the desktop-user to "sudo" (i.e. using gtksudo) to the "gnunet" user account and then runs "gnunet-arm -e", "gnunet-setup" and "gnunet-arm -s" in sequence.