• mystic systemd service

    From ryan@21:1/168 to All on Wed Feb 5 11:09:38 2020
    Hey folks, particularly g00r00, figured I'd share my systemd init script here for people instead of going point to point. Perhaps someone may find it
    useful.

    Regarding my setup, I run mystic as a user ("ryan") who owns all BBS files
    and directories recursively. My installation is in /mystic. Additionally, I don't do any port forwarding, so after each upgrade of Mystic I have to run:
    sudo setcap CAP_NET_BIND_SERVICE=+eip /mystic/mis

    I prefer to not run as root because even though it drops privileges, it
    doesn't do things like dosemu well (tries to run as ryan user but use /root/.dosemu directory).

    Also, I use 'screen' to keep the mis daemon running in full UI mode, but it's essentially background unless I attach the screen session.

    The other slight wrinkle is that if I want to shut down mis for some reason,
    I have to disable the service in systemd temporarily. That said, I still
    prefer this method of management.

    The script (/etc/systemd/system/mystic.service):
    -- snip --
    [Unit]
    Description=MysticBBS
    After=syslog.target network.target

    [Service]
    Type=forking
    ExecStart=/usr/bin/screen -d -m -S Mystic ./mis SERVER
    User=ryan
    Group=ryan
    WorkingDirectory=/mystic

    [Install]
    WantedBy=multi-user.target

    -- snip --

    Change paths, user/group info, and then shut down mis (if running). Enable
    this with
    sudo systemctl enable mystic
    Then it will auto-start on boot. Now we can actually fire it up
    sudo systemctl start mystic

    You can check on the status of it
    sudo systemctl status mystic

    And you're able to attach the screen session with
    screen -R Mystic
    ...and background the screen session with
    <ctrl>-A D

    Fun times :)

    --- Mystic BBS v1.12 A44 2020/02/04 (Linux/64)
    * Origin: monterey bbs (21:1/168)
  • From Analog@21:2/123 to ryan on Wed Feb 5 17:02:57 2020
    I prefer to not run as root because even though it drops privileges, it doesn't do things like dosemu well (tries to run as ryan user but use /root/.dosemu directory).

    Ryan,

    How do you allow MIS to bind to a privileged port without sudo?

    --- Mystic BBS v1.12 A44 2020/02/02 (Linux/64)
    * Origin: deadbeatz.org (21:2/123)
  • From ryan@21:1/168 to Analog on Wed Feb 5 18:49:21 2020
    Ryan,

    How do you allow MIS to bind to a privileged port without sudo?

    I used setcap.

    sudo setcap CAP_NET_BIND_SERVICE=+eip /mystic/mis

    This permits the /mystic/mis application to bind to privileged ports.

    --- Mystic BBS v1.12 A44 2020/02/04 (Linux/64)
    * Origin: monterey bbs (21:1/168)
  • From Analog@21:2/123 to ryan on Wed Feb 5 21:20:15 2020
    sudo setcap CAP_NET_BIND_SERVICE=+eip /mystic/mis
    This permits the /mystic/mis application to bind to privileged ports.

    Smart man!
    I made a single exception for MIS to run as SUDO without requiring a password:
    mysticuser ALL = (root) NOPASSWD: /home/mystic/mis
    Cheers,

    --- Mystic BBS v1.12 A44 2020/02/02 (Linux/64)
    * Origin: deadbeatz.org (21:2/123)
  • From ryan@21:1/168 to Analog on Wed Feb 5 20:59:31 2020
    I made a single exception for MIS to run as SUDO without requiring a password: mysticuser ALL = (root) NOPASSWD: /home/mystic/mis

    Clever! I wonder which of our methods is better? Which is more secure?

    I suppose the "most" secure method would be to run on non-privileged ports
    and do some sort of port forwarding, but that's always felt a bit ugly to me. Not sure why *shrug*

    --- Mystic BBS v1.12 A44 2020/02/04 (Linux/64)
    * Origin: monterey bbs (21:1/168)
  • From Analog@21:2/123 to ryan on Wed Feb 5 22:11:42 2020
    Clever! I wonder which of our methods are better? Which is more secure?
    I suppose the "most" secure method would be to run on non-privileged
    ports and do some sort of port forwarding, but that's always felt a bit ugly to me. Not sure why *shrug*

    I think yours is probably a safer bet as I'm not sure the impact of MIS
    spawning a mystic shell process as SUDO. It could very well allow the shell process to execute code as root. I'd hope not. I might have to test this out.

    I'm waiting for StackFault to chime in with his wisdom...

    --- Mystic BBS v1.12 A44 2020/02/02 (Linux/64)
    * Origin: deadbeatz.org (21:2/123)
  • From g00r00@21:1/108 to Analog on Thu Feb 6 13:20:05 2020
    I think yours is probably a safer bet as I'm not sure the impact of MIS spawning a mystic shell process as SUDO. It could very well allow the
    shell process to execute code as root. I'd hope not. I might have to
    test this out.

    MIS will check itself and try to change ownership to whoever owns the MIS binary file after it binds the port. I don't know if that works when it's configured the way you have it though.

    But when you do "sudo ./mis server" it shouldn't keep privileged access assuming your mis binary is owned by something other than root. It should immediately bind the port and drop root.

    --- Mystic BBS v1.12 A44 2020/02/04 (Linux/64)
    * Origin: Sector 7 (21:1/108)
  • From ryan@21:1/168 to g00r00 on Thu Feb 6 11:25:42 2020
    But when you do "sudo ./mis server" it shouldn't keep privileged access assuming your mis binary is owned by something other than root. It
    should immediately bind the port and drop root.

    This works but does create some weird side effects. For example, if I launch Mystic this way, and then I want to run a door that uses dosemu, it'll launch dosemu as my BBS user but it will try to access /root/.dosemu and it fails. I don't think dropping from root back to a user works as well as we'd like, and I'm inclined not to trust it just because I'm a security nerd :P

    --- Mystic BBS v1.12 A44 2020/02/04 (Linux/64)
    * Origin: monterey bbs (21:1/168)
  • From Analog@21:2/123 to g00r00 on Thu Feb 6 13:12:02 2020
    MIS will check itself and try to change ownership to whoever owns the MIS binary file after it binds the port. I don't know if that works when it's configured the way you have it though.

    Yeah I'm looking at the process "mystic" spawned by MIS and it's as my non-privileged user.

    The way I allow a non-sudoers user to run sudo is specific to the MIS file only. So it's fairly safe but not desirable. Ryan's approach may be more secure.


    Cheers,

    --- Mystic BBS v1.12 A44 2020/02/02 (Linux/64)
    * Origin: deadbeatz.org (21:2/123)
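
To check what a running mis actually holds under either setup discussed in this thread (the setcap binary, or sudo followed by a privilege drop), the script below audits a /proc/<pid>/status snapshot for leftover root IDs and extra capabilities. It is an added example, not part of any post or of Mystic itself; the sample snapshots, UID 1000 and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a /proc/<pid>/status snapshot for leftover privilege.
NET_BIND=$((1 << 10))   # CAP_NET_BIND_SERVICE is capability number 10

# status_field TEXT KEY -> values of the "KEY:" line, space-separated
status_field() {
    printf '%s\n' "$1" | awk -v key="$2:" \
        '$1 == key { $1 = ""; sub(/^ +/, ""); print; exit }'
}

# Reads a status snapshot on stdin. Returns 0 only if none of the real,
# effective, saved or filesystem UIDs/GIDs is 0 and the permitted and
# effective sets hold nothing beyond CAP_NET_BIND_SERVICE.
audit_status() {
    snap=$(cat) rc=0
    for key in Uid Gid; do
        ids=$(status_field "$snap" "$key")
        case " $ids " in
            "  "|*" 0 "*) echo "FAIL: $key missing or includes root: $ids"; rc=1 ;;
        esac
    done
    for key in CapPrm CapEff; do
        hex=$(status_field "$snap" "$key")
        if [ -z "$hex" ] || [ $(( 0x$hex & ~$NET_BIND )) -ne 0 ]; then
            echo "FAIL: $key=$hex exceeds CAP_NET_BIND_SERVICE"; rc=1
        fi
    done
    [ "$rc" -ne 0 ] || echo "OK: no root IDs, no extra capabilities"
    return "$rc"
}

# Constructed samples, not captured from a real system.
sample_setcap() {      # unprivileged user, binary has CAP_NET_BIND_SERVICE=+eip
    printf 'Name:\tmis\nUid:\t1000\t1000\t1000\t1000\nGid:\t1000\t1000\t1000\t1000\n'
    printf 'CapPrm:\t0000000000000400\nCapEff:\t0000000000000400\n'
}
sample_euid_only() {   # started as root, only the effective UID was changed
    printf 'Name:\tmis\nUid:\t0\t1000\t0\t1000\nGid:\t1000\t1000\t1000\t1000\n'
    printf 'CapPrm:\t000001ffffffffff\nCapEff:\t0000000000000000\n'
}
sample_root() {        # started via sudo and never dropped
    printf 'Name:\tmis\nUid:\t0\t0\t0\t0\nGid:\t0\t0\t0\t0\n'
    printf 'CapPrm:\t000001ffffffffff\nCapEff:\t000001ffffffffff\n'
}

for s in sample_setcap sample_euid_only sample_root; do
    echo "== $s"; "$s" | audit_status || true
done
```

Against a live process, feed it the real file: `audit_status < /proc/<pid>/status`. The second sample is the case worth watching for: the effective UID looks unprivileged, but the real and saved UIDs and the permitted set still allow the process to regain root.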