
I have a small OpenWRT router, on which I wish to run a daemon which is a python script. However, even though it is open-source and plain Python, I still don't trust it and I would like to isolate it from the rest of the system as much as possible. It has to do the following:

  • Bind and listen on a single TCP port
  • Read/write some files in its working directory

Apart from that, it should not be able to do anything. I've thought of doing the following:

  • Start a wrapper script as root, bind the port, then drop group membership and drop into a new user before importing and executing the actual script
  • Run it in chroot

Did I miss anything that would help to make it run more securely?

  • If it's not a long script, your best bet would be to get someone who knows python to look over it.
    – tlng05, commented Jan 1, 2015 at 21:23

2 Answers


Here are some things I would consider:

  • Review the code
  • Create a new unprivileged user and use that to run the script (on a port higher than 1023) and use iptables to redirect low-port traffic to your high port.
  • Look at something like resource controls to prevent the user/script from tying up resources (like opening up a million file handles)

Chroot and dropping privileges are also good options, provided you are keeping your host OS patched.


Chroot and dropping privileges is a sensible approach. To correct your description a bit:

1. As root, chroot into a directory tree containing only the minimum necessary.
2. As root, bind the port, if it's below 1024. Software like tcpd can be useful at that stage. Note that for ports above 1024, you don't need to do the binding as root.
3. Drop privileges, i.e. change to a dedicated group then change to a dedicated user.
4. Execute (as in execve in C or exec in shell) the Python script.

A useful additional security step would be to restrict the network access by the dedicated script. For example, you may want to prevent it from listening on other ports or opening outgoing connections to phone home. Of course how much you can limit it and still let it do its job depends on what it's supposed to do. Linux can restrict the network access by user ID with iptables -m owner (example).

Linux offers additional security mechanisms (namespaces, SELinux, AppArmor, etc.), and running in a virtual machine would add another layer of security, but these are not likely to be available on an embedded system with few resources such as a small router.

For additional security, you could run a sandboxed Python — but there doesn't appear to be a working Python sandbox at this time.
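The four steps above as a wrapper script, written here as an added example rather than code from the answer; the jail path, script path, port and the uid/gid of the dedicated user are assumed placeholders, and the chroot is assumed to contain a python3 interpreter and the stdlib modules the daemon needs:

```python
import os
import socket
import sys

# Hypothetical settings for the wrapper; adjust to your router.
CHROOT_DIR = "/srv/jail"          # must contain python3 and the stdlib it needs
SCRIPT = "/app/daemon.py"         # path as seen from inside the chroot
PORT = 80                         # low port, hence the root-only bind step
RUN_UID = 1001                    # dedicated unprivileged user
RUN_GID = 1001                    # dedicated group


def bind_listen(port, backlog=16):
    """Step 2: create the listening socket while still root (needed below 1024)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind(("0.0.0.0", port))
    sock.listen(backlog)
    # Python sockets are non-inheritable by default; the exec'd daemon needs this one.
    sock.set_inheritable(True)
    return sock


def privileges_dropped(uid, gid):
    """True only if real and effective ids are the unprivileged pair, never root."""
    return (uid != 0 and gid != 0
            and (os.getuid(), os.geteuid()) == (uid, uid)
            and (os.getgid(), os.getegid()) == (gid, gid))


def drop_privileges(uid, gid):
    """Step 3: supplementary groups first, then the group, then the user.
    The uid goes last: once unprivileged, the process can no longer change groups."""
    os.setgroups([])
    os.setgid(gid)
    os.setuid(uid)
    if not privileges_dropped(uid, gid):
        raise RuntimeError("privilege drop failed, refusing to exec the daemon")


def main():
    # Step 1: chroot, then chdir so the working directory is inside the jail too.
    os.chroot(CHROOT_DIR)
    os.chdir("/")
    sock = bind_listen(PORT)
    drop_privileges(RUN_UID, RUN_GID)
    # Step 4: replace this process with the daemon, handing over the socket fd;
    # the daemon reopens it with socket.socket(fileno=int(sys.argv[1])) and never binds.
    os.execv("/usr/bin/python3", ["python3", SCRIPT, str(sock.fileno())])


if __name__ == "__main__":
    main()
```

The wrapper itself must be started as root; the daemon receives only the already-bound socket and the chroot, with no way to regain the privileges used to set them up.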
