Sobby (the Gobby server) runs as root by default

Bug #594857 reported by Jeff Lane on 2010-06-15
258
This bug affects 1 person
Affects Status Importance Assigned to Milestone
sobby (Ubuntu)
Wishlist
Philipp Kern

Bug Description

Binary package hint: sobby

This was asked on the ubuntu-users mailing list: https://lists.ubuntu.com/archives/ubuntu-users/2010-June/221209.html

To check this, I installed sobby and this was what I found:

Immediately after installation
bladernr@klaatu:~/.xchat2/xchatlogs$ ps aux |grep sobby
root 13000 0.0 0.0 62828 3588 ? S 17:52 0:00 /usr/bin/sobby

And a restart...
bladernr@klaatu:~/.xchat2/xchatlogs$ sudo service sobby restart
 * Stopping sobby [ OK ]
 * Starting sobby [ OK ]
bladernr@klaatu:~/.xchat2/xchatlogs$ ps aux |grep sobby
root 13555 3.0 0.0 62828 3580 ? S 18:02 0:00 /usr/bin/sobby

I'm not sure what the compromise potential is for sobby, but I really do NOT like services like this running as root. Am I crazy, or shouldn't sobby be running as a non-privileged user like other internet accessible services?

ProblemType: Bug
DistroRelease: Ubuntu 10.04
Package: sobby 0.4.5-1ubuntu2
ProcVersionSignature: Ubuntu 2.6.32-22.36-generic 2.6.32.11+drm33.2
Uname: Linux 2.6.32-22-generic x86_64
NonfreeKernelModules: nvidia
Architecture: amd64
Date: Tue Jun 15 18:00:48 2010
InstallationMedia: Ubuntu 9.10 "Karmic Koala" - Release amd64 (20091027)
ProcEnviron:
 LANG=en_US.utf8
 SHELL=/bin/bash
SourcePackage: sobby

Jeff Lane (bladernr) wrote :
Steve Beattie (sbeattie) wrote :

Agreed that sobby should not run as root; another useful thing to do would be to develop an AppArmor profile for it.

Changed in sobby (Ubuntu):
status: New → Confirmed
importance: Undecided → Wishlist
visibility: private → public
Philipp Kern (pkern) wrote :

FWIW, that's the reason I rejected the init script in Debian. Of course it's not that difficult to create a seperate user for it in the maintainer script, but nobody did that yet.

Philipp Kern (pkern) wrote :

I think calling it a security vulnerability is too harsh, there hasn't been any exploit in Sobby until now. It's unnecessary, though. I'll take care of it in Debian by providing an init script that uses a system user for Sobby, with proper usage of session serialization too.

Changed in sobby (Ubuntu):
assignee: nobody → Philipp Kern (pkern)
Philipp Kern (pkern) wrote :

Fix uploaded to Debian unstable.

Changed in sobby (Ubuntu):
status: Confirmed → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package sobby - 0.4.7-2

---------------
sobby (0.4.7-2) unstable; urgency=low

  * Add an init script by adapting an initial proposal by Dustin Kirkland.
    (Closes: #586329, #405915)
  * Create sobby system user and group in postinst and delete them on
    purge. (LP: #594857)
  * Added a NEWS entry about the init script.
 -- Philipp Kern <email address hidden> Tue, 22 Jun 2010 17:54:46 +0100

Changed in sobby (Ubuntu):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers