Main network service 'python3' runs with root privileges on the HAOS host

Hi there,

first of all, I miss the “Security” category in this forum. :wink:

As an ISO, I look at things differently than others do. While most tech people are already happy that things are working, it might be time to take a step further and look at whether things work securely.
One thing in modern network service design is to avoid using root privileges at all costs. This is because a crash of that process could lead to a possible break-in with root privileges. So if someone breaks that ‘python3’ process in HAOS, he’s in full control of that box, including all the Docker containers. There is no doubt that complex web interfaces/GUIs have exploitable flaws.

Today I found out that the main HomeAssistant network service ‘python3’ is running with root privileges on the HAOS host side (outside of Docker). It seems to be quite a bad design decision, in light of the above. While all other things run in dockerized compartments, safe and sound, this very important network service is running with the most privileges possible, outside of any container.

First, I suggest not running that main network service with root privileges. It should drop to something similar to “www-data”. That approach is good practice and well known.

We could then use nginx as a reverse proxy in front of that process. It might catch some odd byte games before those reach the python process.

Manuel

The main HA python3 service runs in Docker.

You can add that if you want, and lots of people do (or use another reverse proxy) for remote access.

Are you sure about that?

I logged into the host on port 22222 and can manage Docker containers from there.
Btw, I just installed the Portainer agent to have another view of the HAOS Docker environment. That makes me sure I’m on the host side.

# netstat -lptnu|grep 8123
tcp        0      0 0.0.0.0:8123            0.0.0.0:*               LISTEN      2776/python3
tcp        0      0 :::8123                 :::*                    LISTEN      2776/python3

The port is not mapped to ‘docker-proxy’.

# ps -f -p 2776
UID          PID    PPID  C STIME TTY          TIME CMD
root        2776    2774  4 Jul12 ?        17:04:55 python3 -m homeassistant --config /config

Manuel

The idea is to improve the situation for the average user, meaning having that as the default.

Yes  

The command you’re running can see the processes inside the containers, and host networking means that processes in the containers are “attached” to the host network - so you get exactly what you’re seeing.

Feel free to post a feature request (on this forum) or develop that change.
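The explanation in the last reply (a process in a container started with host networking shows up in netstat on the host, and ps on the host sees container PIDs) can be checked from the same port-22222 shell by comparing namespaces. The script below is an added example, not code from this thread or from Home Assistant; it assumes a Linux host with /proc mounted and Docker's usual cgroup naming, and the sample cgroup lines in it are constructed, not captured from HAOS.

```shell
#!/bin/sh
# Added example, not code from the thread or from Home Assistant.
# Tell a real host process from a container process that is merely
# attached to the host network namespace (docker run --network host).
# Assumes Linux /proc; the cgroup samples below are constructed.

# Read /proc/<pid>/cgroup-style lines on stdin. Print the 64-hex container
# id when a Docker scope is present (cgroup v1 "/docker/<id>" or cgroup v2
# "docker-<id>.scope"), otherwise print "host".
cgroup_container_id() {
  id=$(sed -n -E 's#.*(/docker/|docker-)([0-9a-f]{64}).*#\2#p' | head -n 1)
  if [ -n "$id" ]; then printf '%s\n' "$id"; else printf 'host\n'; fi
}

# Compare one namespace (net, pid, mnt, ...) of two PIDs via the inode that
# /proc/<pid>/ns/<name> resolves to. Exit status 0 means "same namespace",
# 1 means different, 2 means the link could not be read.
same_ns() {
  ns_name=$1; pid_a=$2; pid_b=$3
  a=$(readlink "/proc/$pid_a/ns/$ns_name") || return 2
  b=$(readlink "/proc/$pid_b/ns/$ns_name") || return 2
  [ "$a" = "$b" ]
}

# Summary for one PID: cgroup verdict plus which namespaces it shares with
# PID 1. A --network host container shares "net" with PID 1 but keeps its
# own "pid" and "mnt" namespaces; a true host process shares all three.
describe_pid() {
  pid=$1
  printf 'pid %s cgroup: %s\n' "$pid" "$(cgroup_container_id < "/proc/$pid/cgroup")"
  for ns in net pid mnt; do
    if same_ns "$ns" "$pid" 1; then
      printf '  %s namespace: shared with PID 1\n' "$ns"
    else
      printf '  %s namespace: separate\n' "$ns"
    fi
  done
}

# Constructed samples (cgroup v2 layout on a systemd host), not from HAOS.
SAMPLE_ID='3f2a1b4c5d6e7f803f2a1b4c5d6e7f803f2a1b4c5d6e7f803f2a1b4c5d6e7f80'
SAMPLE_DOCKER_CGROUP="0::/system.slice/docker-$SAMPLE_ID.scope"
SAMPLE_HOST_CGROUP='0::/system.slice/sshd.service'

# Usage: sh check_ns.sh --demo [PID]
if [ "${1:-}" = "--demo" ]; then
  printf '%s\n' "$SAMPLE_DOCKER_CGROUP" | cgroup_container_id   # the id
  printf '%s\n' "$SAMPLE_HOST_CGROUP" | cgroup_container_id     # host
  if [ -n "${2:-}" ]; then describe_pid "$2"; fi
fi
```

Run it on the host as `sh check_ns.sh --demo 2776` (the PID from the netstat output above). A container started with host networking reports the net namespace as shared with PID 1 but pid and mnt as separate, and its cgroup line names a docker scope; a process genuinely on the host reports all three as shared and cgroup `host`. Note that `ps` shows UID root either way: without user-namespace remapping, uid 0 inside a container is uid 0 on the host as well, so the UID column alone cannot settle where the process lives.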