Opened 14 years ago

Closed 13 years ago

#24042 closed defect (fixed)

mpd runs as root

Reported by: greg-macports@…
Owned by: milosh@…
Priority: Normal
Milestone:
Component: ports
Version: 1.8.2
Keywords:
Cc: sinuhet.merlin@…, rmstonecipher@…
Port: mpd

Description

I just installed mpd (@0.15.8_0+macosx) and followed the advice for getting launchd to run it. To my surprise, the mpd daemon runs as root. This is a security problem, because it means that a security bug in mpd could escalate and compromise the whole system. If mpd had its own user, then such bugs would only affect mpd itself (and any files that can be written by the mpd user).

Attachments (1)

mpd.diff (1.2 KB) - added by milosh@… 14 years ago.


Change History (13)

comment:1 Changed 14 years ago by greg-macports@…

Cc: greg-macports@… added


comment:2 Changed 14 years ago by greg-macports@…

Sorry, forgot to mention: this is on OS X 10.5.8, MacPorts 1.8.2.

comment:3 Changed 14 years ago by mf2k (Frank Schima)

Cc: rmsfisher@… added; greg-macports@… removed
Owner: changed from macports-tickets@… to milosh@…

comment:4 Changed 14 years ago by rmsfisher@…

If you can devise a method to run mpd as its own user with the following conditions, I would be glad to reduce its privileges:

  • The user name and/or UID should avoid conflicting with an existing user name and/or UID.
  • Uninstalling or deactivating mpd should remove the user from the system.
  • The user should have read access to locations symlinked in /opt/local/var/lib/mpd/music.
  • The user should have write access in /opt/local/var/lib/mpd/playlists and /opt/local/var/log/mpd.
  • The launchctl plist should be run with no dependence on any other GUI or CLI user being logged in.

Do those criteria seem fair?
If you can come up with a patch which meets those requirements I'd be happy to test and implement it.

comment:5 Changed 14 years ago by milosh@…

I had a look at mysql-server and postgresql-server ports. We can indeed create a new user and make the startupitem use this user. The only undoable thing is "Uninstalling or deactivating mpd should remove the user from the system." as macports still has no "post-deactivate" hooks. Do you consider having an unused "_mpd" user a big problem?

Changed 14 years ago by milosh@…

Attachment: mpd.diff added

comment:6 in reply to: 5 Changed 14 years ago by greg-macports@…

Replying to milosh@…:

> I had a look at mysql-server and postgresql-server ports. We can indeed create a new user and make the startupitem use this user. The only undoable thing is "Uninstalling or deactivating mpd should remove the user from the system." as macports still has no "post-deactivate" hooks. Do you consider having an unused "_mpd" user a big problem?

I would say, if the mysql and postgres ports do it, it must be OK. Failing to cleanup the dedicated user has a subtle benefit: any files owned by that user and left behind after deactivating the mpd port are still owned by that user. If I want to remove the user, that ought to be my business.

Also: I would suspect that anyone clueful enough to be using MacPorts is probably clueful enough to remove an unneeded user.

comment:7 Changed 14 years ago by diane@…

Hi, I tried using the mpd.diff patch on OS X 10.6.3 and ran into a couple of problems. The minor issue was that the patch by default ended up creating a user with a UID > 500, which I think is supposed to be for real users instead of daemons. (In trying to diagnose the following problem I deleted the default user and created a new one with a user and group ID < 500 using dscl.)

The more important problem is that I kept getting the error

Bug: launchd_core_logic.c:1685 (24003):22

with the patched mpd.wrapper script when using su _mpd -c "[mpd command line]"; then I changed the script to sudo -u _mpd [mpd command line], which worked.

comment:8 in reply to: description Changed 14 years ago by artkiver (グレェ)

Any update on this? Running as root is a glaring security issue that should be rectified; can we get this diff hammered out?

comment:9 Changed 14 years ago by sinuhet.merlin@…

Cc: sinuhet.merlin@… added


comment:10 Changed 14 years ago by rmstonecipher@…

Cc: rmstonecipher@… added


comment:11 Changed 13 years ago by gward (Greg Ward)

Finally getting back to this after many months. Sorry for the delay. (I got distracted by installing Linux on the Mac in question.)

Anyways: I'm not expert enough with macports yet to simply apply the patch and rebuild the package, but I tried out the *idea* by hacking the launchd properties file for mpd to use "su mpd -c ..." as the patch would have it.

That fixes *this* bug, i.e. mpd no longer runs as root. But it leaves an su process between launchd and mpd, so "launchctl unload -w ..." is unable to kill mpd. ;-(

So what I've done instead is add

user                    "mpd"

to /opt/local/etc/mpd.conf. That is, let launchd run mpd as root, but make sure that it switches to its own user on startup.

In a nutshell: I think most of the patch uploaded by milosh makes sense; the mpd port still needs to create an mpd user at installation time. But I would suggest letting mpd change its own user rather than trying to trick launchd into calling su to do it. Too complicated.
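Taking comments 4, 7 and 11 together, the checks a reviewer would want on a finished setup are: no su/sudo wrapper sitting between launchd and mpd (the reason, in comment 11, that "launchctl unload" could not kill mpd), a "user" directive in mpd.conf so that mpd drops privileges itself, and a daemon-range UID (below 500, per comment 7) for that user. The audit script below is an added example; it is not part of the mpd port, MacPorts, or the patch attached to this ticket. The plist and mpd.conf contents are constructed for illustration, and the username-to-UID map stands in for a dscl or getpwnam lookup so the script runs offline.

```python
"""Audit an mpd launchd setup against the privilege-separation points raised in
this ticket. Added example, not code from the mpd port or MacPorts; all inputs
below are constructed."""
import plistlib
import shlex

# Constructed launchd plist that starts mpd through `su` (the layout comment 11
# found leaves an su process between launchd and mpd).
PLIST_WITH_SU = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Label</key><string>org.macports.mpd</string>
  <key>ProgramArguments</key>
  <array>
    <string>/usr/bin/su</string>
    <string>_mpd</string>
    <string>-c</string>
    <string>/opt/local/bin/mpd --no-daemon /opt/local/etc/mpd.conf</string>
  </array>
  <key>RunAtLoad</key><true/>
</dict>
</plist>
"""

# Constructed plist that runs mpd directly; launchd keeps the real mpd PID.
PLIST_DIRECT = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Label</key><string>org.macports.mpd</string>
  <key>ProgramArguments</key>
  <array>
    <string>/opt/local/bin/mpd</string>
    <string>--no-daemon</string>
    <string>/opt/local/etc/mpd.conf</string>
  </array>
  <key>RunAtLoad</key><true/>
</dict>
</plist>
"""

# Constructed mpd.conf without and with the `user` directive from comment 11.
MPD_CONF_ROOT = """\
music_directory     "/opt/local/var/lib/mpd/music"
playlist_directory  "/opt/local/var/lib/mpd/playlists"
log_file            "/opt/local/var/log/mpd/mpd.log"
"""
MPD_CONF_DROP = MPD_CONF_ROOT + 'user                    "mpd"\n'

WRAPPERS = {"su", "sudo"}


def parse_mpd_conf(text):
    """Parse mpd.conf's `key "value"` lines into a dict; comments and blanks are skipped."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)
        if len(parts) >= 2:
            conf[parts[0]] = parts[1]
    return conf


def launchd_wrapper(plist_bytes):
    """Return the basename of an su/sudo wrapper found in ProgramArguments, else None."""
    plist = plistlib.loads(plist_bytes)
    for arg in plist.get("ProgramArguments", []):
        name = arg.rsplit("/", 1)[-1]
        if name in WRAPPERS:
            return name
    return None


def audit(plist_bytes, mpd_conf_text, uid_by_user):
    """Return a list of findings; an empty list means all three criteria hold.

    uid_by_user is an assumed {name: uid} map standing in for a directory lookup.
    """
    findings = []
    wrapper = launchd_wrapper(plist_bytes)
    if wrapper:
        findings.append(f"launchd starts mpd through '{wrapper}'; launchctl cannot signal mpd directly")
    user = parse_mpd_conf(mpd_conf_text).get("user")
    if user is None:
        findings.append("mpd.conf has no user directive; mpd keeps the UID launchd gave it")
    elif user == "root":
        findings.append("mpd.conf sets user to root")
    else:
        uid = uid_by_user.get(user)
        if uid is None:
            findings.append(f"user '{user}' does not exist")
        elif uid >= 500:
            findings.append(f"user '{user}' has UID {uid}, in the range used for interactive accounts")
    return findings


if __name__ == "__main__":
    for label, plist, conf in (("su wrapper, no user directive", PLIST_WITH_SU, MPD_CONF_ROOT),
                               ("direct start, user directive", PLIST_DIRECT, MPD_CONF_DROP)):
        print(label, "->", audit(plist, conf, {"mpd": 498}) or ["ok"])
```

On a real machine the two constants would be replaced by the contents of the installed plist and /opt/local/etc/mpd.conf, and the UID map by a dscl or pwd lookup; the decision logic stays the same.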

comment:12 Changed 13 years ago by jmroot (Joshua Root)

Cc: rmsfisher@… removed
Resolution: fixed
Status: new → closed