OpenBMC community telecon - 11/27 Agenda

Brad Bishop bradleyb at fuzziesquirrel.com
Tue Jan 9 13:22:17 AEDT 2018


> On Jan 8, 2018, at 11:25 AM, Michael E Brown <Michael.E.Brown at dell.com> wrote:
> 
> On Sat, Jan 06, 2018 at 12:33:26PM -0500, Brad Bishop wrote:
>> 
>>> What am I missing here? You said above, "nothing should be running as root anymore", but I very clearly see literally everything running as root. I have a feeling that I am missing something important.
>> 
>> You aren’t missing anything.  I think what Vernon meant was, in 2018, software
>> stacks should not be running everything as root.
> 
> Oh, ok, looks like I read that in a totally different way! I was starting to
> get concerned, thanks for clarifying.
> 
>> Everyone wants this, it just hasn’t been enough of a priority for anyone
>> such that it hasn’t been fixed yet.  It should have been done this way in
>> the first place.  But it wasn’t, so here we are.
> 
> So, what is the best way forward? We have a time set aside at the hackathon to
> talk about this? What is the most productive way to use that time? I would be
> happy to put together some (barebones) slides to go over what we did in our
> product to get to where we are at. We could even do a live hackathon to try to
> convert some daemons. What do you think?

Thanks for leading this discussion at the hackathon.  I’d vote for trying to
convert one, or at least enumerating the steps to do it to make it easy for
the next person that spends some time on it.  I’d suggest starting out with an
application that doesn't have any user interface component, to side-step the
current discussion around linux/non-linux users.  Hwmon seems like a good
candidate.

> 
>> FWIW I did add some code to obmc-phosphor-systemd.bbclass quite some time ago
>> such that configuring a service to run as non-root is trivial, as far as systemd
>> unit and user/group database configuration goes.  It isn’t used anywhere because
>> the other side of it is writing the udev rules (or however you want to make sure
>> the devices have the correct permissions).  I also put code in
>> obmc-phosphor-dbus-service.bbclass for easy configuration of restrictive dbus
>> scope permissions that might help with that aspect as well.
> 
> That sounds like a good start.
> --
> Michael
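
The three pieces Brad lists above (systemd unit plus user/group database, device permissions via udev, and a restrictive D-Bus policy) as they would land on the BMC for the hwmon candidate. This is an added illustration, not code from the thread, from the bbclasses mentioned, or from the phosphor-hwmon project itself. The account name "hwmon", the unit name, the file paths, the sysfs attribute names (pwm*, fan*_target) and the D-Bus names are all assumptions chosen for the example.

```ini
# (1) User/group database entry, e.g. /usr/lib/sysusers.d/phosphor-hwmon.conf
#     Account name "hwmon" is assumed; "u" creates a system user and group of
#     that name with no login shell.
u hwmon - "phosphor-hwmon daemon"

# (2) systemd drop-in, e.g.
#     /etc/systemd/system/xyz.openbmc_project.Hwmon@.service.d/10-unprivileged.conf
#     (unit name assumed). User=/Group= is the actual "run as non-root" part;
#     the remaining directives shrink what the process can reach if it is compromised.
[Service]
User=hwmon
Group=hwmon
NoNewPrivileges=yes
CapabilityBoundingSet=
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes
# Do not add ProtectKernelTunables=yes here: it remounts /sys read-only, and a
# fan-control daemon has to write the pwm / fan target attributes.

# (3) Device permissions, e.g. /etc/udev/rules.d/90-hwmon-perms.rules
#     udev's OWNER/GROUP/MODE keys only affect /dev nodes. hwmon exposes sysfs
#     attributes, so ownership of the writable ones is adjusted with a RUN
#     command instead ($devpath is the sysfs path of the device being added).
#     Sensor *_input attributes are already world-readable and need no change.
SUBSYSTEM=="hwmon", ACTION=="add", RUN+="/bin/sh -c 'chgrp hwmon /sys$devpath/pwm* /sys$devpath/fan*_target 2>/dev/null; chmod g+w /sys$devpath/pwm* /sys$devpath/fan*_target 2>/dev/null; true'"

# (4) D-Bus policy, e.g. /etc/dbus-1/system.d/xyz.openbmc_project.Hwmon.conf
#     (bus names assumed). The stock system-bus policy denies name ownership to
#     everyone except root, so a non-root daemon needs an explicit grant, scoped
#     to its own name prefix rather than <allow own="*"/>.
<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<busconfig>
  <policy user="hwmon">
    <allow own_prefix="xyz.openbmc_project.Hwmon"/>
    <allow send_destination="xyz.openbmc_project.ObjectMapper"/>
  </policy>
</busconfig>
```

After a reboot (or `udevadm trigger` plus a daemon restart) the check is simply whether the process shows up under the new account in `ps -o user,comm` and still owns its bus name in `busctl list`. If it fails to start, the usual culprits are an attribute the udev rule did not cover (look for EACCES in the journal) or a D-Bus destination the policy does not allow.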

