[Dev] processes running as root

Stéphane Desneux stephane.desneux at open.eurogiciel.org
Tue Aug 12 13:08:54 GMT 2014


Hi Valentina,

As Casey and Carsten said: things are not black and white... but simply
gray :) We *try* to reduce the daemons running as root as much as
possible. But it's not an absolute rule.

Sometimes, it's possible to migrate a daemon from root to <some system
user> without much difficulties. A good example is weston in
Tizen:Common: it runs as a 'display' user, who has the proper rights on
the DRM and input devices.

For some other daemons, it can become more tricky.

If I take a quick look on a recent Tizen:Common snapshot, I can see that
there are some daemons running as root, as you noticed:

root       159     1  0 03:22 ?        00:00:00 /usr/sbin/ofonod -n
root       161     1  0 03:22 ?        00:00:00 /usr/bin/alarm-server
root       168     1  0 03:22 ?        00:00:00 /usr/sbin/connmand -n
root       172     1  0 03:22 ?        00:00:00 /usr/bin/security-server
root       173     1  0 03:22 ?        00:00:00 /usr/bin/media-server
root       175     1  0 03:22 ?        00:00:00
/usr/bin/notification-service
root       239     1  0 03:22 ?        00:00:00 /lib/bluetooth/bluetoothd -E
root       344     1  0 03:22 ?        00:00:00 /usr/sbin/wpa_supplicant -u
root      1037   173  0 03:23 ?        00:00:00 media-thumbnail-server

In this list, I see 3 categories:
- some daemons can very probably run as system users (media-server,
media-thumbnail-server, ofonod, alarm-server), if we're able to define
the appropriate rights
- for network and connectivity daemons (connmand, wpa_supplicant,
bluetoothd), it may be more tricky to migrate to non-root users, but
this needs some investigation
- some services need to run as root (security-server AFAIK)

As Casey pointed, migrating from root to system users for some daemons
is an ongoing effort.

Best regards,
-- 
Stéphane Desneux
Intel OTC - Vannes/FR
gpg:1CA35726/DFA9B0232EF80493AF2891FA24E3A2841CA35726

On 11/08/2014 17:27, Valentina Giusti wrote:
> Hi Tizen developers!
> 
> according to the wiki page
> https://wiki.tizen.org/wiki/Security:SmackThreeDomainModel, in Tizen 3.0
> there are processes running as root. In the AMD Multi-User wiki page it
> even says that the AMD daemon runs "as root as in single user mode".
> 
> During the workshop in Vannes last week, I got the impression (or at
> least I wrote so in my notes) that no process in Tizen is allowed to run
> as root: at most, processes can be run as setuid root for a limited
> period of time.
> 
> Are my notes from the workshop valid or is it actually true that some
> processes are run as root?
> 
> Thanks!
> 
> Best Regards,
> - Valentina Giusti
> _______________________________________________
> Dev mailing list
> Dev at lists.tizen.org
> https://lists.tizen.org/listinfo/dev


More information about the Dev mailing list