• Re: mystic systemd service

    From Analog@21:2/123 to ryan on Wednesday, February 05, 2020 21:20:14
    sudo setcap CAP_NET_BIND_SERVICE=+eip /mystic/mis
    This permits the /mystic/mis application to bind to privileged ports.

    Smart man!
    I made a single exception for MIS to run as SUDO without requiring a password:
    mysticuser ALL = (root) NOPASSWD: /home/mystic/mis
    Cheers,

    |20|15ÚÄ|16|08´ |08De|07ad|15be|07a|08tz b|07b|15s
    |08ÀÄÙÃÄ¿ |08:>.|07A|08rk |0710|08:|07101|08/|0714|08.
    |04þ |08À|20|15Ä|16|08Ù |08:>.|10A|02gn |1046|08:|101|08/|10123|08.
    |04A|07n|15al|07o|08g |08:>.|12F|04sx |1221|08:|122|08/|12123|08. |15.|04p|07HENOM|15. |08:>.|15S|07ci |1577|08:|151|08/|15131|08. |04°±°|08±ÛÛÜÝ|08:>.|11T|03qw |111337|08:|113|08/|1113|08.

    --- Mystic BBS v1.12 A44 2020/02/02 (Linux/64)
    * Origin: deadbeatz.org (21:2/123)
  • From ryan@21:1/168 to Analog on Wednesday, February 05, 2020 20:59:30
    I made a single exception for MIS to run as SUDO without requiring a password: mysticuser ALL = (root) NOPASSWD: /home/mystic/mis

    Clever! I wonder which of our methods are better? Which is more secure?

    I suppose the "most" secure method would be to run on non-privileged ports
    and do some sort of port forwarding, but that's always felt a bit ugly to me. Not sure why *shrug*

    --- Mystic BBS v1.12 A44 2020/02/04 (Linux/64)
    * Origin: monterey bbs (21:1/168)
  • From Analog@21:2/123 to ryan on Wednesday, February 05, 2020 22:11:42
    Clever! I wonder which of our methods are better? Which is more secure?
    I suppose the "most" secure method would be to run on non-privileged
    ports and do some sort of port forwarding, but that's always felt a bit ugly to me. Not sure why *shrug*

    I think yours is probably a safer bet as I'm not sure the impact of MIS
    spawning a mystic shell process as SUDO. It could very well allow the shell process to execute code as root. I'd hope not. I might have to test this out.

    I'm waiting for StackFault to chime in with his wisdom...

    --- Mystic BBS v1.12 A44 2020/02/02 (Linux/64)
    * Origin: deadbeatz.org (21:2/123)
  • From g00r00@21:1/108 to Analog on Thursday, February 06, 2020 13:20:04
    I think yours is probably a safer bet as I'm not sure the impact of MIS spawning a mystic shell process as SUDO. It could very well allow the
    shell process to execute code as root. I'd hope not. I might have to
    test this out.

    MIS will check itself and try to change ownership to whoever owns the MIS binary file after it binds the port. I don't know if that works when it's configured the way you have it though.

    But when you do "sudo ./mis server" it shouldn't keep privileged access assuming your mis binary is owned by something other than root. It should immediately bind the port and drop root.

    --- Mystic BBS v1.12 A44 2020/02/04 (Linux/64)
    * Origin: Sector 7 (21:1/108)
  • From ryan@21:1/168 to g00r00 on Thursday, February 06, 2020 11:25:42
    But when you do "sudo ./mis server" it shouldn't keep privileged access assuming your mis binary is owned by something other than root. It
    should immediately bind the port and drop root.

    This works but does create some weird side effects. For example, if I launch Mystic this way, and then I want to run a door that uses dosemu, it'll launch dosemu as my BBS user but it will try to access /root/.dosemu and it fails. I don't think dropping from root back to a user works as well as we'd like, and I'm inclined not to trust it just because I'm a security nerd :P

    --- Mystic BBS v1.12 A44 2020/02/04 (Linux/64)
    * Origin: monterey bbs (21:1/168)
  • From Analog@21:2/123 to g00r00 on Thursday, February 06, 2020 13:12:02
    MIS will check itself and try to change ownership to whoever owns the MIS binary file after it binds the port. I don't know if that works when it's configured the way you have it though.

    Yeah I'm looking at the process "mystic" spawned by MIS and it's as my non-privileged user.

    The way I allow a non sudoers user to run sudo is specific to the MIS file only. So it's fairly safe but not desirable. Ryan's approach may be more secure.


    Cheers,

    --- Mystic BBS v1.12 A44 2020/02/02 (Linux/64)
    * Origin: deadbeatz.org (21:2/123)
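
The check described in the last message (looking at which user the spawned process runs as) can be extended to all four uid/gid slots and the capability masks in /proc/<pid>/status. This is an added example, not part of the thread and not Mystic code; the status text is constructed, and uid 1000 stands in for the BBS user.

```python
CAP_NET_BIND_SERVICE = 10  # bit number in <linux/capability.h>
ID_NAMES = ("real", "effective", "saved", "filesystem")

def status(name, ids, cap_prm, cap_eff=None, cap_amb=0):
    """Build constructed /proc/<pid>/status text using the kernel's field layout."""
    row = "\t".join(str(i) for i in ids)
    cap_eff = cap_prm if cap_eff is None else cap_eff
    return (f"Name:\t{name}\nUid:\t{row}\nGid:\t{row}\n"
            f"CapPrm:\t{cap_prm:016x}\nCapEff:\t{cap_eff:016x}\n"
            f"CapAmb:\t{cap_amb:016x}\n")

def parse_status(text):
    """Extract the Uid/Gid tuples and the Cap* bitmasks from status text."""
    fields = {}
    for line in text.splitlines():
        key, _, value = line.partition(":")
        if key in ("Uid", "Gid"):
            fields[key] = tuple(int(v) for v in value.split())
        elif key.startswith("Cap"):
            fields[key] = int(value.strip(), 16)
    return fields

def can_bind_low_ports(text):
    """True if the effective set holds CAP_NET_BIND_SERVICE."""
    return bool(parse_status(text).get("CapEff", 0) >> CAP_NET_BIND_SERVICE & 1)

def audit(text):
    """List the ways the process still holds root-level privilege."""
    f = parse_status(text)
    findings = []
    for kind in ("Uid", "Gid"):
        for name, value in zip(ID_NAMES, f.get(kind, ())):
            if value == 0:  # a saved id of 0 lets the process switch back to root
                findings.append(f"{name} {kind.lower()} is 0")
    extra = f.get("CapPrm", 0) & ~(1 << CAP_NET_BIND_SERVICE)
    if extra:
        findings.append(f"permitted capabilities beyond CAP_NET_BIND_SERVICE: {extra:#x}")
    if f.get("CapAmb", 0):  # ambient capabilities survive exec into child processes
        findings.append("ambient capabilities are passed to child processes")
    return findings

# Constructed samples: mis started with the file capability, a child process it
# spawned, and a process that only changed its effective id away from root.
SETCAP_MIS = status("mis", (1000,) * 4, 0x400)
SPAWNED_CHILD = status("mystic", (1000,) * 4, 0)
HALF_DROPPED = status("mis", (0, 1000, 0, 1000), 0x1FFFFFFFFFF, cap_eff=0)
```

On a live system, pass the contents of /proc/<pid>/status for the mis and mystic processes to `audit()`.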