NonRoot discussion at Hackathon - call for input

Joel Stanley joel at jms.id.au
Tue Jan 9 09:44:17 AEDT 2018


On Tue, Jan 9, 2018 at 5:35 AM,  <Michael.E.Brown at dell.com> wrote:
> Hello (again) to everybody going to the hackathon. I’m currently scheduled
> for an hour talk on Thursday on root/nonroot security.
>
> What would be the best way to make this hour the most productive hour we can
> have on this topic?
>
> My background: I led the conversion effort for Dell IDRAC to move our entire
> infrastructure away from running daemons as root, and instead run each
> daemon under a distinct user account.

Great! I have had this as a goal in mind for OpenBMC since I started
working on it.

> I provided technical backstop as
> individual teams took over the efforts for their daemons and provided
> training and design support to ensure that the effort went as smoothly as
> possible. Our currently shipping Dell IDRAC has most of this work present in
> our shipping product, with a few remaining daemons rolling into upcoming
> releases.
>
> What I might suggest would be helpful:
>
> - Slides on examples

Some documentation for others to use when adding daemons to the system
would be a great start.

>   o Running daemon
>   o Setting up user accounts for daemons
>   o Setting up tmpfiles rules
>   o Setting up DBUS security
>   o Udev rules to set up /dev/ permissions and ownership (if needed)
>
> - Hands-on: actually hacking live on some daemons to try to get
> some converted to non-root

This hands-on stuff sounds great. I am more interested in hands on
keyboards than viewing slides for our sessions this week.

Cheers,

Joel

