OpenBMC community telecon - 11/27 Agenda

[Michael E Brown]

On Sat, Jan 06, 2018 at 12:33:26PM -0500, Brad Bishop wrote:
> 
> > What am I missing here? You said above, "nothing should be running as root anymore", but I very clearly see literally everything running as root. I have a feeling that I am missing something important.
> 
> You aren’t missing anything.  I think what Vernon meant was, in 2018, software
> stacks should not be running everything as root.

Oh, ok, looks like I read that in a totally different way! I was starting to
get concerned, thanks for clarifying.

> Everyone wants this, it just hasn’t been enough of a priority for anyone
> such that it hasn’t been fixed yet.  It should have been done this way in
> the first place.  But it wasn’t, so here we are.

So, what is the best way forward? We have a time set aside at the hackathon to
talk about this? What is the most productive way to use that time? I would be
happy to put together some (barebones) slides to go over what we did in our
product to get to where we are at. We could even do live hackathon to try to
convert some daemons. What do you think?

> FWIW I did add some code to obmc-phosphor-systemd.bbclass quite some time ago
> such that configuring a service to run as non-root is trivial, as far as systemd
> unit and user/group database configuration goes.  It isn’t used anywhere because
> the other side of it is writing the udev rules (or however you want to make sure
> the devices have the correct permissions).  I also put code in
> obmc-phosphor-dbus-service.bbclass for easy configuration of restrictive dbus
> scope permissions that might help with that aspect as well.

That sounds like a good start.
--
Michael