Notes from Non-root presentation/demo

Michael.E.Brown at dell.com
Tue Jan 16 07:46:02 AEDT 2018


Here are the notes from the non-root presentation that we did last week.

TODO: send doc patches. (AI: Michael)

Phosphor-systemd bbclass - ties together these steps. Need more info here.
Add snippet to add udev rule for group ownership.

Overall:

- Every daemon should run as its own user

- Use common group ownership to control access to files that must be accessed by multiple daemons

- Usually don't need to use ACLs; if you think you need them, you should probably rethink things

- Use group owner on /dev/ entries to control which daemons can open which hardware

- Udev usually has "reasonable" ownership groups that you can use. Slightly prefer just using those unless they are grossly inappropriate. (less work)

- Use udev rule addons to adjust group/owner for dev entries if absolutely necessary

- For network listening daemons: use the systemd socket units to let systemd listen for you. (systemd socket activation)

- Use systemd-tmpfiles to set up runtime paths with the correct permissions

- Use useradd-staticids bbclass to add users

Code:

- "Most" code doesn't need to change, except for daemons that do interesting things like listen on network ports. Use socket activation there.

- Use systemd bus activation for dbus services, where possible

- Use systemd to specify the user to run as, where possible. This means that your code can't have any vulnerabilities before you drop root because it's never root.

- Use the systemd daemon model (don't fork). Makes debugging easier.

- System calls that are likely to fail when you switch from root to non-root: open(), access(), stat()

  o Grep for open and variants to prep

Implementation

- Run service from command line:

    strace -o /tmp/output.txt -f /path/to/service -service-options

- Look through output.txt to see failing system calls


Putting it in the build:

- Add user in recipe

    # users and group for the Policy Daemons
    inherit useradd
    USERADD_PACKAGES = "${PN}"
    GROUPADD_PARAM_${PN} = "-o -g 974 policy"
    USERADD_PARAM_${PN} = "-u 987 -M -s /bin/false -o -g policy policyd"

- Update systemd service file

    User=policyd
    # group created by GROUPADD_PARAM above (was: Group=policyd, which the recipe never creates)
    Group=policy
    SupplementaryGroups=foo bar baz


- Add systemd-tmpfiles

- Add udev rules if necessary

- PROFIT

Project ideas:

- Non-root working group?

- Requirements for all new daemons to be non-root before acceptance?

- Remediation ideas for current code?
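The "look through output.txt" step in the notes is easier with a filter. The script below is an added example, not part of the original post or of any OpenBMC code: it reads `strace -o FILE -f` output and lists each system call that failed with EACCES or EPERM (the errnos you get once the daemon is no longer root), together with the first quoted argument, which for open()/access()/stat() is the path that needs a group-ownership or tmpfiles fix. The function name and the sample strace output are constructed for the demo.

```shell
#!/bin/sh
# Triage helper for the strace step: one line per (errno, syscall, first
# string argument) that failed with a permission-related errno. Also handles
# the "<unfinished ...>" / "<... resumed>" pairs that -f produces when threads
# or children interleave; a resumed line carries no path, so it prints "-".
# Usage: strace -o /tmp/output.txt -f /path/to/service ...
#        strace_perm_failures </tmp/output.txt
# Optional argument: alternative errno pattern, e.g. 'EACCES|EPERM|ENOENT'.
strace_perm_failures() {
  errs="${1:-EACCES|EPERM}"
  awk -v errs="$errs" '
    $0 ~ (" = -1 (" errs ") ") {
      sub(/^[0-9]+ +/, "")                  # drop the pid column added by -f
      if (match($0, /<\.\.\. [A-Za-z0-9_]+ resumed>/)) {
        call = substr($0, RSTART + 5, RLENGTH - 14)   # name inside "<... NAME resumed>"
      } else {
        call = $0; sub(/\(.*/, "", call)    # syscall name before the "("
      }
      arg = "-"
      if (match($0, /"[^"]*"/)) arg = substr($0, RSTART + 1, RLENGTH - 2)
      err = $0; sub(/.* = -1 /, "", err); sub(/ .*/, "", err)
      print err "\t" call "\t" arg
    }' | LC_ALL=C sort -u
}

# Constructed sample of strace -f output for a hypothetical "policyd" daemon
# started as a non-root user. Not a real capture.
SAMPLE_STRACE='1201  execve("/usr/bin/policyd", ["policyd"], 0x7ffc1c2a3b40 /* 12 vars */) = 0
1201  openat(AT_FDCWD, "/etc/policyd.conf", O_RDONLY|O_CLOEXEC) = 3
1201  openat(AT_FDCWD, "/dev/i2c-3", O_RDWR) = -1 EACCES (Permission denied)
1201  access("/var/lib/policyd", W_OK) = -1 EACCES (Permission denied)
1201  stat("/run/policyd/state", 0x7ffd0a1b2c30) = -1 ENOENT (No such file or directory)
1202  openat(AT_FDCWD, "/dev/i2c-3", O_RDWR <unfinished ...>
1201  setuid(0)                         = -1 EPERM (Operation not permitted)
1202  <... openat resumed> )            = -1 EACCES (Permission denied)
1201  bind(4, {sa_family=AF_INET, sin_port=htons(80), sin_addr=inet_addr("0.0.0.0")}, 16) = -1 EACCES (Permission denied)'

printf '%s\n' "$SAMPLE_STRACE" | strace_perm_failures
```

Read the output against the checklist above: a failing open() on a /dev node means the daemon's user needs a SupplementaryGroups= entry (or a udev rule) for the group owning that node; a failing access() or stat() under /run or /var/lib points at a missing systemd-tmpfiles entry; a failing bind() on a port below 1024 is the socket-activation case; a failing setuid()/setgid() is leftover privilege-dropping code that should go now that systemd sets the user. Pass 'EACCES|EPERM|ENOENT' as the argument to also see paths that do not exist yet.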
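The "Putting it in the build" steps, carried through for one daemon as an added example (not code from the post or from OpenBMC): the script emits the useradd recipe lines, a .service unit with User=/Group=/SupplementaryGroups=, the .socket unit that lets systemd own the listening port, the systemd-tmpfiles entries for the runtime and state directories, and a udev rule handing a device subsystem to the daemon's group. The user, group and IDs are the ones from the notes; the device subsystem, port and executable path are hypothetical placeholders.

```shell
#!/bin/sh
# Build-side pieces for a non-root daemon. Each function prints one fragment;
# redirect into the recipe / unit / tmpfiles.d / rules.d file as appropriate.

nonroot_recipe() {  # name uid group gid -> recipe (.bb) fragment
  cat <<EOF
# users and group for the $1 daemon (fixed IDs so they match across builds)
inherit useradd
USERADD_PACKAGES = "\${PN}"
GROUPADD_PARAM_\${PN} = "-o -g $4 $3"
USERADD_PARAM_\${PN} = "-u $2 -M -s /bin/false -o -g $3 $1"
EOF
}

nonroot_service() {  # name group "supplementary groups" exec-path -> .service unit
  cat <<EOF
[Unit]
Description=$1 daemon (runs as user $1, never as root)
Requires=$1.socket
After=$1.socket

[Service]
# systemd switches to this user/group before exec, so no code runs as root
User=$1
Group=$2
# groups that own the /dev nodes and shared state this daemon needs
SupplementaryGroups=$3
# no forking: systemd supervises the process directly
Type=simple
ExecStart=$4

[Install]
WantedBy=multi-user.target
EOF
}

nonroot_socket() {  # name port -> .socket unit; systemd binds the port as root
  cat <<EOF
[Unit]
Description=$1 listening socket

[Socket]
ListenStream=$2
# the bound fd is handed to $1.service (sd_listen_fds), so a port below 1024
# needs no CAP_NET_BIND_SERVICE in the daemon

[Install]
WantedBy=sockets.target
EOF
}

nonroot_tmpfiles() {  # name group -> tmpfiles.d lines for runtime and state dirs
  printf 'd /run/%s 0750 %s %s -\n' "$1" "$1" "$2"
  printf 'd /var/lib/%s 0750 %s %s -\n' "$1" "$1" "$2"
}

nonroot_udev() {  # subsystem group -> udev rule giving the group access to the nodes
  # rules files are applied in lexical order and a later GROUP= wins, so put
  # this in a file that sorts after the default rules, e.g. 70-$2.rules
  printf 'SUBSYSTEM=="%s", GROUP="%s", MODE="0660"\n' "$1" "$2"
}

# Demo: values from the notes plus hypothetical device/port/path choices.
nonroot_recipe   policyd 987 policy 974
nonroot_service  policyd policy "i2c gpio" /usr/bin/policyd
nonroot_socket   policyd 80
nonroot_tmpfiles policyd policy
nonroot_udev     i2c-dev policy
```

With `USERADDEXTENSION = "useradd-staticids"` set in the distro configuration, the uid/gid actually assigned come from the passwd/group tables named by USERADD_UID_TABLES and USERADD_GID_TABLES, so keep those tables and the -u/-g values in the recipe in agreement. RuntimeDirectory=policyd in the [Service] section is an alternative to the /run tmpfiles line; the /var/lib state directory still needs tmpfiles (or StateDirectory=) so it is created with the daemon's ownership rather than root's.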