  1. AGL Development
  2. SPEC-545

Platform services must NOT run as root and MUST use a dedicated system user


      Most (all?) system daemons should run with a dedicated user and optionally a dedicated group and SMACK label.
      Also, the service should be run with a minimal set of capabilities(7).

      For more information, check the security blueprint

      Daemons to secure include (list is not exhaustive and may depend on profiles):

      • weston / weston-keyboard
      • dbus
      • journald/syslogd/klogd
      • bluez
      • ofono
      • connman + WPA supplicant
      • neard (NFC)
      • pulseaudio (depending on whether it's in the user session or not)
      • AudioManager + DLT (still used?)
      • security-manager (if not removed)
      • lightmediascanner / rygel
      • MostNetworkManager

      Individual issues (subtasks) should be created for each case.
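One way to check this requirement on a running image, as an added example that is not part of the original issue or of AGL's code: it reads `/proc/<pid>/status` and reports covered daemons that still run as root or hold capabilities outside an allow-list. The `POLICY` entries and both sample status dumps are constructed for illustration and are not AGL's actual capability requirements.

```python
import os

# Capability names by bit number, in linux/capability.h order (CAP_ prefix dropped).
CAP_NAMES = """CHOWN DAC_OVERRIDE DAC_READ_SEARCH FOWNER FSETID KILL SETGID SETUID SETPCAP
LINUX_IMMUTABLE NET_BIND_SERVICE NET_BROADCAST NET_ADMIN NET_RAW IPC_LOCK IPC_OWNER
SYS_MODULE SYS_RAWIO SYS_CHROOT SYS_PTRACE SYS_PACCT SYS_ADMIN SYS_BOOT SYS_NICE
SYS_RESOURCE SYS_TIME SYS_TTY_CONFIG MKNOD LEASE AUDIT_WRITE AUDIT_CONTROL SETFCAP
MAC_OVERRIDE MAC_ADMIN SYSLOG WAKE_ALARM BLOCK_SUSPEND AUDIT_READ PERFMON BPF
CHECKPOINT_RESTORE""".split()

# Illustrative policy (assumption): process name -> capabilities it may hold.
POLICY = {"connmand": {"NET_ADMIN", "NET_RAW", "NET_BIND_SERVICE"},
          "bluetoothd": {"NET_ADMIN", "NET_BIND_SERVICE"}}
# Constructed /proc/<pid>/status samples, trimmed to the fields used below.
ROOT_DAEMON = "Name:\tconnmand\nUid:\t0\t0\t0\t0\nCapPrm:\t000001ffffffffff\n"
HARDENED = "Name:\tconnmand\nUid:\t990\t990\t990\t990\nCapPrm:\t0000000000003400\n"

def parse_status(text):
    """Turn the text of /proc/<pid>/status into a dict of its fields."""
    pairs = (line.partition(":") for line in text.splitlines())
    return {key: value.strip() for key, sep, value in pairs if sep}

def decode_caps(hex_mask):
    """Decode a CapPrm/CapEff hex mask into a set of capability names."""
    mask = int(hex_mask, 16)
    return {name for bit, name in enumerate(CAP_NAMES) if mask >> bit & 1}

def audit(status_text, policy=POLICY):
    """Return findings for one process; [] if compliant or not in the policy."""
    fields = parse_status(status_text)
    if fields.get("Name") not in policy:
        return []
    euid = int(fields["Uid"].split()[1])  # Uid: real, effective, saved, fs
    findings = ["runs as root"] if euid == 0 else []
    extra = decode_caps(fields.get("CapPrm", "0")) - policy[fields["Name"]]
    if extra:
        findings.append("extra capabilities: " + ",".join(sorted(extra)))
    return findings

def scan_proc(policy=POLICY, proc="/proc"):
    """Audit every live process covered by the policy (Linux only)."""
    report = {}
    for pid in filter(str.isdigit, os.listdir(proc)):
        try:
            with open(os.path.join(proc, pid, "status")) as fh:
                report[int(pid)] = audit(fh.read(), policy)
        except OSError:  # process exited during the scan
            continue
    return {pid: found for pid, found in report.items() if found}
```

`scan_proc()` returns a dict of PID to findings; an empty dict means every daemon named in the policy runs as a non-root user within its allowed permitted set.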


            jobol-iot jose bollo
            sdesneux Stephane Desneux