Removing need for passwordless sudo for OSMC user

I’m showing you that the script starts as root in systemd, then we switch user. You can trivially change the user in the systemd unit, but then you’ll need to take care of some things. Most significantly:

  • Ensure that apt-pkg runs as a privileged context in the add-on [1]
  • Ensure hostname / timezone updates can be made as a regular user [2]
  • Ensure updater (manual-update) segment can run [3]

Not actually that bad. This won’t protect against the many other ways of escalating privileges though.

  • Allowing apt-pkg to run as the OSMC user will allow access to the entire filesystem.
  • Allowing hostname / timezone / updates requires access to files in /etc
  • Ensuring manual update can run as OSMC has two potential issues:
    • APT can access entire filesystem again, writing where and what it wants
    • You would have to allow OSMC to have systemctl stop/start control which introduces problems of its own.

What this change does is shift the OSMC user from requesting privileges to granting them unconditionally. This is inherently more dangerous in my eyes, as the former can be controlled more appropriately with policy.

[1] osmc/package/mediacenter-addon-osmc/src/script.module.osmcsetting.updates at master · osmc/osmc · GitHub
[2] osmc/package/mediacenter-osmc/patches at master · osmc/osmc · GitHub (see all series)
[3] See systemctl start manual-update in watchdog script.

Splitting this to a new topic.
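As an added example (not code from the post above or from the OSMC project), the contrast the post draws between "requesting privileges" under a sudo policy and "granting them unconditionally" can be shown concretely: a weak sudoers rule that hands the osmc user every command with no password, next to a constrained rule covering only the three operations the post lists, plus a small audit that flags the unconditional form. The command paths, alias names and the `manual-update` unit name are assumptions for illustration, not taken from OSMC's actual sudoers or units.

```sh
#!/bin/sh
# Added example: compare an unconditional NOPASSWD sudoers rule with a
# constrained one, and audit a policy for rules that grant every command
# without a password. Not OSMC's code; paths and names are assumptions.

# Constructed weak policy: osmc may run anything, as anyone, with no password.
WEAK_POLICY='osmc ALL=(ALL) NOPASSWD: ALL'

# Constructed constrained policy: only the package update, hostname/timezone
# and updater-start operations the post mentions. Binary paths are assumed
# (check with "command -v apt-get" etc.). Note that "*" in sudoers matches any
# string, spaces included, so wildcarded arguments are wider than they look;
# pin arguments exactly wherever the caller can.
RESTRICTED_POLICY='Cmnd_Alias OSMC_APT  = /usr/bin/apt-get update, /usr/bin/apt-get -y dist-upgrade
Cmnd_Alias OSMC_HOST = /usr/bin/hostnamectl set-hostname *, /usr/bin/timedatectl set-timezone *
Cmnd_Alias OSMC_SVC  = /bin/systemctl start manual-update
osmc ALL=(root) NOPASSWD: OSMC_APT, OSMC_HOST, OSMC_SVC'

# audit_sudoers: read sudoers text on stdin, print every rule whose NOPASSWD
# command list contains the bare ALL keyword, and return 1 if any was found.
# Comments are stripped and backslash continuation lines are joined first.
audit_sudoers() {
  awk '
    { sub(/#.*/, "") }                                   # drop comments
    /\\[ \t]*$/ { sub(/\\[ \t]*$/, ""); buf = buf $0; next }  # join continuations
    {
      line = buf $0; buf = ""
      # ALL directly after NOPASSWD:, or after a comma later in the list
      if (line ~ /NOPASSWD:/ &&
          line ~ /NOPASSWD:([ \t]*|.*,[ \t]*)ALL([ \t,]|$)/) {
        print "unconditional root: " line
        bad = 1
      }
    }
    END { exit (bad ? 1 : 0) }
  '
}

# check_policy: audit a policy held in a shell variable.
check_policy() {
  printf '%s\n' "$1" | audit_sudoers
}

# Demonstration when run directly.
for name in WEAK_POLICY RESTRICTED_POLICY; do
  eval "policy=\$$name"
  if check_policy "$policy" >/dev/null; then
    echo "$name: no unconditional rule"
  else
    echo "$name: grants unconditional root"
  fi
done
```

Before installing any such file under /etc/sudoers.d, run `visudo -cf FILE` to syntax-check it; a broken sudoers file locks everyone out of sudo. The constrained policy narrows what the osmc user can ask for, which is the point of the post, but it does not change what the allowed commands can do once they run as root: apt still writes wherever it likes, and `systemctl start` still hands control to whatever the unit runs.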