[Dev] Remove root privileges from daemons. - weston case

Stéphane Desneux stephane.desneux at open.eurogiciel.org
Tue Apr 15 08:51:48 GMT 2014


Hi Bartłomiej,

Thanks for sending this.


I'd like to share the work we've done in the case of weston these
last days. We managed to have weston run as a system daemon without root
account.

In the recent Tizen:Common wayland images (for example here [1]), we run
weston in the following conditions:
- started by systemd (system) outside user sessions
- with a system user 'display' and system group 'display' (no root)
- on tty7 (X nostalgia :-) but also to see messages on tty1!) - of
course, we can revert to tty1...
- without weston-launch (no step as root, no pending
process, no extra PAM session)
- the compositor is shared by multiple users
- thus any user or daemon being in the group 'display' can be a weston
client and show something on the screen. The trick is to do a symbolic
link into the user's XDG_RUNTIME_DIR to the real weston socket (in
/run/display/). Also, weston could be modified to handle this without tricks.

Security (WIP, not finalized yet):
- granular permissions have been set on devices needed by weston:
(/dev/dri/*, /dev/tty7, /dev/input/event*) by extra udev rules which set
DAC and SMACK labels '*'
- the wayland socket in /run/display/ is writable by the group 'display'
and has a SMACK label '*'
- real users must be in the group 'display' to be able to open a wayland
connection

With the recent upgrade to kernel 3.14, weston now also works in
multi-screen. Handling multiple users on the same screen or on multiple
screens is another topic: the weston shell should be responsible for
assigning users to physical displays (seats) and/or decide to share a
given screen between users. Everything depends on the wanted policy and
the use cases.

I'll check if our setup meets the guidelines you're actually
constructing on the wiki.

Meanwhile, dear devlist, your feedback may be interesting.

Best regards,
Stéphane

[1]
http://download.tizen.org/snapshots/tizen/generic/generic-wayland-x86_64/tizen_20140414.7/images/generic-qa-unsafe-wayland-mbr-x86_64/

-- 
Stéphane Desneux
Intel OTC - Vannes/FR
gpg:1CA35726/DFA9B0232EF80493AF2891FA24E3A2841CA35726
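To make the setup above concrete, here is an added example (not code from the mail or from Tizen) that writes the udev rules and systemd unit approximating it, plus the XDG_RUNTIME_DIR symlink trick. It assumes the user/group name 'display', the socket directory /run/display, tty7, and a udev built with SMACK support (SECLABEL{smack}); the install prefix argument lets it be dry-run into a scratch directory.

```shell
#!/bin/sh
# Added example: rootless weston as a system daemon (assumed names: user and
# group 'display', socket dir /run/display, tty7). Install prefix defaults to /.
set -eu

write_weston_rootless_config() {
    prefix="${1:-/}"
    rules_dir="$prefix/etc/udev/rules.d"
    unit_dir="$prefix/etc/systemd/system"
    mkdir -p "$rules_dir" "$unit_dir"

    # DAC: owner root, group 'display', mode 0660, no world access.
    # SECLABEL{smack} applies the SMACK '*' label so any domain may open the node.
    cat > "$rules_dir/99-display-devices.rules" <<'EOF'
SUBSYSTEM=="drm", KERNEL=="card*", GROUP="display", MODE="0660", SECLABEL{smack}="*"
SUBSYSTEM=="input", KERNEL=="event*", GROUP="display", MODE="0660", SECLABEL{smack}="*"
KERNEL=="tty7", GROUP="display", MODE="0660", SECLABEL{smack}="*"
EOF

    # Weston started by systemd (system instance) under the unprivileged
    # 'display' account, no weston-launch. RuntimeDirectory= creates /run/display
    # owned by display:display with mode 0770, so the wayland socket created
    # there is reachable by group members only. (Labelling the socket itself
    # with SMACK '*' is left to the deployment, as in the mail.)
    cat > "$unit_dir/weston.service" <<'EOF'
[Unit]
Description=Weston compositor (system-wide, unprivileged)
After=systemd-udev-settle.service

[Service]
User=display
Group=display
RuntimeDirectory=display
RuntimeDirectoryMode=0770
Environment=XDG_RUNTIME_DIR=/run/display
ExecStart=/usr/bin/weston --tty=7 --socket=wayland-0
Restart=on-failure

[Install]
WantedBy=multi-user.target
EOF
}

# Client side: expose the shared socket in a user's (or daemon's) own
# XDG_RUNTIME_DIR via a symlink, as described in the mail. The caller must be
# in group 'display' for the link target to actually be connectable.
link_display_socket() {
    runtime_dir="$1"; socket="${2:-/run/display/wayland-0}"
    [ -d "$runtime_dir" ] && [ -e "$socket" ] || return 1
    ln -sfn "$socket" "$runtime_dir/wayland-0"
}
```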

On 14/04/2014 16:20, Bartlomiej Grzelewski wrote:
> Dear all,
> 
> My team was asked to reduce the number of processes with root privileges. We
> prepared wiki pages that point to tools and describe the process of daemon
> analysis.
> 
> https://wiki.tizen.org/wiki/Security:Analysing_security_privileges_of_tizen_services
> https://wiki.tizen.org/wiki/Security:Capable_Probe_Module
> 
> Pages are being constructed, but it is high time to share and probably start
> a discussion.
> 
> Best regards,
> --
> Bartłomiej Grzelewski
> Samsung R&D Institute Poland
> Samsung Electronics
> 
> 
> _______________________________________________
> Dev mailing list
> Dev at lists.tizen.org
> https://lists.tizen.org/listinfo/dev
> 