NonRoot discussion at Hackathon - call for input
Joel Stanley
joel at jms.id.au
Tue Jan 9 09:44:17 AEDT 2018
On Tue, Jan 9, 2018 at 5:35 AM, <Michael.E.Brown at dell.com> wrote:
> Hello (again) to everybody going to the hackathon. I’m currently scheduled
> for an hour talk on Thursday on root/nonroot security.
>
> What would be the best way to make this hour the most productive hour we can
> have on this topic?
>
> My background: I led the conversion effort for Dell IDRAC to move our entire
> infrastructure away from running daemons as root, and instead run each
> daemon under a distinct user account.
Great! I have had this as a goal in mind for OpenBMC since I started
working on it.
> I provided technical backstop as
> individual teams took over the efforts for their daemons and provided
> training and design support to ensure that the effort went as smoothly as
> possible. Our currently shipping Dell IDRAC has most of this work present in
> our shipping product, with a few remaining daemons rolling into upcoming
> releases.
>
> What I might suggest would be helpful:
>
> - Slides on examples
Some documentation for others to use when adding daemons to the system
would be a great start.
>
> o Running daemon
>
> o Setting up user accounts for daemons
>
> o Setting up tmpfiles rules
>
> o Setting up DBUS security
>
> o Udev rules to set up /dev/ permissions and ownership (if needed)
>
> - Hands-on: actually hacking live on some daemons to try to get
> some converted to non-root
This hands-on stuff sounds great. I am more interested in hands on
keyboards than viewing slides for our sessions this week.
Cheers,
Joel