#2362 koji-utils: running services/crons by non-root(standalone) users
Opened 2 years ago by julian8628. Modified 2 years ago

this is from https://pagure.io/koji/issue/2315#comment-659421


A note about security here- I don't want to run koji-gc as root, because we run far too many things as root already in Koji. But the systemd files from #2199 do run it as root currently. Eventually I would like to use a dedicated unprivileged "koji-gc" UID or something. Maybe now is the time to land such a change in Koji before it's too hard for the user community to migrate to a non-root UID.

kojira and koji-gc were the two obvious candidates to me as, and maybe there are others.

Eventually I would like to implement the systemd hardening steps described at https://www.ctrl.blog/entry/systemd-opensmtpd-hardening.html and possibly look at running these services confined with SELinux.

Login to comment on this ticket.