[Dev] processes running as root
stephane.desneux at open.eurogiciel.org
Tue Aug 12 13:08:54 GMT 2014
As Casey and Carsten said: things are not black and white... but simply
gray :) We *try* to reduce the daemons running as root as much as
possible. But it's not an absolute rule.
Sometimes, it's possible to migrate a daemon from root to <some system
user> without much difficulty. A good example is weston in
Tizen:Common: it runs as a 'display' user, who has the proper rights on
the DRM and input devices.
For some other daemons, it can become more tricky.
If I take a quick look at a recent Tizen:Common snapshot, I can see that
there are some daemons running as root, as you noticed:
root 159 1 0 03:22 ? 00:00:00 /usr/sbin/ofonod -n
root 161 1 0 03:22 ? 00:00:00 /usr/bin/alarm-server
root 168 1 0 03:22 ? 00:00:00 /usr/sbin/connmand -n
root 172 1 0 03:22 ? 00:00:00 /usr/bin/security-server
root 173 1 0 03:22 ? 00:00:00 /usr/bin/media-server
root 175 1 0 03:22 ? 00:00:00
root 239 1 0 03:22 ? 00:00:00 /lib/bluetooth/bluetoothd -E
root 344 1 0 03:22 ? 00:00:00 /usr/sbin/wpa_supplicant -u
root 1037 173 0 03:23 ? 00:00:00 media-thumbnail-server
In this list, I see 3 categories:
- some daemons can very probably run as system users (media-server,
media-thumbnail-server, ofonod, alarm-server), if we're able to define
the appropriate rights
- for network and connectivity daemons (connmand, wpa_supplicant,
bluetoothd), it may be more tricky to migrate to non-root users, but
this needs some investigation
- some services need to run as root (security-server AFAIK)
As Casey pointed out, migrating from root to system users for some daemons
is an ongoing effort.
Intel OTC - Vannes/FR
On 11/08/2014 17:27, Valentina Giusti wrote:
> Hi Tizen developers!
> according to the wiki page
> https://wiki.tizen.org/wiki/Security:SmackThreeDomainModel, in Tizen 3.0
> there are processes running as root. In the AMD Multi-User wiki page it
> even says that the AMD daemon runs "as root as in single user mode".
> During the workshop in Vannes last week, I got the impression (or at
> least I wrote so in my notes) that no process in Tizen is allowed to run
> as root: at most, processes can be run as setuid root for a limited
> period of time.
> Are my notes from the workshop valid or is it actually true that some
> processes are run as root?
> Best Regards,
> - Valentina Giusti
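An audit along the lines of the listing in the message above, as an added example that is not part of the original thread: it parses `ps -ef` output and reports root-owned userspace processes that are not on an allow-list. The `ALLOWED_ROOT` policy, the function name and the sample lines (modelled on the message's listing, with a constructed weston and kernel-thread entry) are assumptions.

```python
"""Audit `ps -ef` output for userspace processes running as root (added example)."""
import subprocess
import sys

# Constructed sample in `ps -ef` layout (UID PID PPID C STIME TTY TIME CMD),
# modelled on the listing in the message; PID 175 has no command recorded.
SAMPLE = """\
UID PID PPID C STIME TTY TIME CMD
root 159 1 0 03:22 ? 00:00:00 /usr/sbin/ofonod -n
root 172 1 0 03:22 ? 00:00:00 /usr/bin/security-server
root 173 1 0 03:22 ? 00:00:00 /usr/bin/media-server
root 175 1 0 03:22 ? 00:00:00
display 201 1 0 03:22 ? 00:00:01 /usr/bin/weston
root 1037 173 0 03:23 ? 00:00:00 media-thumbnail-server
root 2 0 0 03:22 ? 00:00:00 [kthreadd]
"""

# Assumption: a local policy naming the daemons accepted as needing root.
ALLOWED_ROOT = {"security-server"}


def root_processes(ps_text, allowed=ALLOWED_ROOT):
    """Return (pid, ppid, name) for root processes not on the allow-list."""
    findings = []
    for line in ps_text.splitlines():
        fields = line.split(None, 7)  # CMD (8th column) may contain spaces
        if len(fields) < 7 or not fields[1].isdigit():
            continue  # header or malformed line
        uid, pid, ppid = fields[0], int(fields[1]), int(fields[2])
        cmd = fields[7] if len(fields) > 7 else ""
        if uid not in ("root", "0"):
            continue  # already running as a non-root user
        if cmd.startswith("["):
            continue  # kernel thread, not a userspace daemon
        argv0 = cmd.split()[0] if cmd else "<unknown>"
        name = argv0.rsplit("/", 1)[-1]
        if name not in allowed:
            findings.append((pid, ppid, name))
    return findings


if __name__ == "__main__":
    # With --live, audit the running system; otherwise use the sample.
    text = (subprocess.run(["ps", "-ef"], capture_output=True, text=True).stdout
            if "--live" in sys.argv[1:] else SAMPLE)
    for pid, ppid, name in root_processes(text):
        print(f"{pid:>6} parent={ppid:<6} {name}")
```

Entries reported with a parent other than 1, such as media-thumbnail-server here, inherit root from the daemon that spawned them, so moving the parent to a system user covers them too.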