OPNsense Forum
English Forums => General Discussion => Topic started by: csmall on April 24, 2020, 03:35:49 am
-
I read that pfsense runs the web interface and php as root.
With opnsense being a fork of pfsense, does it also do this?
Pfsense gave me an explanation the other day of basically it is a big effort and massive undertaking to change this.
I believe this is true, but my question is how much does it matter? My understanding is that best practice is to never do this. But yet, it is still accepted I guess with the idea that because the webui isn't accessible to the internet by default that it isn't a real risk.
What does opnsense do and if it runs these services as root, what is the reasoning?
-
The reason is quickly explained:
It runs commands and writes files that need root permissions. OPNsense has configd, so new code could also run with user permissions but the code left from pfSense does not. The service acts like a sudo command.
-
Opinion of trust in PHP is still pretty bad although version 7 has come a long way in this regard.
The initial design of m0n0wall was to run scripts from PHP, which needed root rights to configure the system. This was inherited by the later forks and more and more functionality was added...
pfSense also has a background daemon but not to reach the goal of privilege separation. It exists to run background tasks away from PHP to unblock the GUI.
Our configd works in the same way, but was also aimed at privilege separation with background tasks being added for all kinds of services that existed previously, but not yet all of them.
In theory all the new MVC functionality supports privilege separation in this way, but is pointless to employ unless we remove the very last command execution from the inherited PHP code.
Given the adoption rate of m0n0wall, pfSense and OPNsense I think the PHP in root is not the biggest issue in the world and its exploit count has been manageable so far. But that is just my opinion.
Cheers,
Franco
-
Thank you both for the clarification.