!vVtVcVdzAdhGFLzFwm:matrix.org

Yggdrasil

421 Members
Experimental end-to-end encrypted IPv6 overlay network — https://yggdrasil-network.github.io — https://github.com/yggdrasil-network/yggdrasil-go — English language only, off-topic → #yggdrasil-community:matrix.org

88 Servers

Sender | Message | Time
23 Sep 2021
@vikulin:matrix.org vikulin | To overcome this I'm updating config in memory through the admin interface. Default config is being read while the service starts and is getting updated in memory by the GUI app after this, that's all | 18:09:49
@neilalexander:neilalexander.dev neilalexander | It feels like it is probably safer for Yggdrasil itself to drop permissions after startup, but that rather restricts us from ever being able to reconfigure tun in the future after startup for example, and still needs some effort to find out what is safe for different platforms | 18:10:47
@tomz:matrix.org tomz | But I would suggest you don't worry about these things in the level you seem to worry about, this is the responsibility of the distros. The network target was changed in a major version of debian one or two versions ago. As I have packaged my software for 5 years already, I went through that pain. But this simply means a SED line to change it for that specific distro version. Not your problem. | 18:11:13
@neilalexander:neilalexander.dev neilalexander | Well, it’s “not our problem” when distributions have their own packages for Ygg ;-) | 18:11:37
@neilalexander:neilalexander.dev neilalexander | AFAIK most distributions don’t | 18:11:42
@tomz:matrix.org tomz | oh, I installed mine from the distro | 18:11:59
@Arceliar:matrix.org Arceliar | FWIW, i'd like to switch to running ygg as a non-root user over systemd (and dropping permissions if ygg does run as root for whatever reason), but there's a few details that still need figuring out | 18:13:37
@Arceliar:matrix.org Arceliar | so i'd vote to keep that PR open for now | 18:13:57
@neilalexander:neilalexander.dev neilalexander | It seems like if nothing else, we can add a command line flag for a “hardened” mode which only accepts config by stdin and drops privileges and doesn’t allow runtime configuration changes to tun (in the future) or something, or do that by default and have a flag to stay as root, or whatever | 18:14:32
@tomz:matrix.org tomz | not sure why config from stdin would be more safe. Easier to just split the config into 2 files; the operator configured part and separately the private key. This means that the operator config can be changed by a generic admin and thus does not need permissions to read (world readable). | 18:17:46
@tomz:matrix.org tomz | the private key then you can just make owned by the yggdrasil user, which also runs the executable | 18:18:32
@tomz:matrix.org tomz | naturally, if a user starts things manually (as root or whatever) they will need to have read rights on those files, so the stand-alone type doesn't change with such a split. | 18:19:27
@_neb_github_=40neilalexander=3amatrix.org:matrix.org Github [@neilalexander:matrix.org] | [yggdrasil-network/yggdrasil-go] vladns opened issue #843: How do I set up radvd correctly? [open] - https://github.com/yggdrasil-network/yggdrasil-go/issues/843 | 19:55:59