hologram
Multi-user agent hardening
I'm not sure how feasible this is, but judging by the pf.conf documentation, it should be possible to restrict access to 169.254.169.254 based on user. My concern is just that any multi-user Mac (do people actually do that?? this is mostly a theoretical concern for me) would allow users to impersonate the IAM role of the hologram user.
Possible approaches, from easier to harder:

- Just configure `pfctl` to prevent anyone but the hologram user from touching 169.254.169.254
- Perhaps `pfctl` is fancy enough to allow fancy rules that redirect to different ports based on user: in that case, we could actually support a proper multi-user hologram where each user gets redirected to a port that serves up different credentials.
On Linux agents, the `--uid-owner` iptables flag allows us to do similar fanciness, and is probably more of a concern since multi-user Linux boxes are more common.
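The "easier" approach from the issue, written out as an added example (not code from the hologram project): a script that emits the iptables rules for Linux and the equivalent pf.conf fragment for OS X, so that only one local user can reach the metadata address. It assumes the agent listens on 169.254.169.254:80 and that the agent's user is named `hologram` (placeholder; override with `AGENT_USER`). The rules are generated rather than applied, so the script can be reviewed first; `--apply-linux` pipes them to sh.

```shell
#!/bin/sh
# Added example, not hologram's own code. Restricts 169.254.169.254:80
# to a single local uid. Assumption: the agent binds that address on a
# loopback alias and serves on port 80; AGENT_USER is a placeholder.
METADATA_IP=169.254.169.254
AGENT_USER=${AGENT_USER:-hologram}

linux_rules() {
  # Linux: "-m owner --uid-owner" matches locally generated packets by
  # the uid of the process that created the socket. Matching only
  # --dport 80 leaves the agent's own replies (source port 80) alone.
  cat <<EOF
iptables -A OUTPUT -d $METADATA_IP -p tcp --dport 80 -m owner --uid-owner $AGENT_USER -j ACCEPT
iptables -A OUTPUT -d $METADATA_IP -p tcp --dport 80 -j REJECT --reject-with tcp-reset
EOF
}

macos_pf_rules() {
  # OS X pf.conf fragment: "user" matches the owner of the local socket.
  # Without "quick", the last matching rule wins, so the pass rule for
  # the agent's user overrides the blanket block for everyone else.
  cat <<EOF
block return out proto tcp from any to $METADATA_IP port 80
pass out proto tcp from any to $METADATA_IP port 80 user $AGENT_USER
EOF
}

# Show both rule sets; apply the Linux ones only when asked (needs root).
linux_rules
macos_pf_rules
if [ "${1:-}" = "--apply-linux" ]; then
  linux_rules | sh
fi
```

Anything else that must talk to the agent (root, or a second agent user if the per-user redirect idea is pursued) needs its own ACCEPT/pass line before the catch-all reject.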
Oh my how I'd love to implement something like this. I didn't know that there were options on OS X and Linux to do per-user port redirection. I don't think many people do multi-user Macs - it's certainly not anything I've ever seen anywhere I've worked.
However, I wonder if this can also be used to allow us to run the agent on something other than port 80, which would allow us to not have to run it as root.