For our product we’ve been trying to make sure all services running on the device are run under unprivileged service accounts, rather than as root, particularly if they are network-facing. Any thoughts on how easy it would be to do that with the Mender agent?
Hi @madisox,
I would not expect this to be a to big of a problem. The user that is running the Mender client process needs access to:
- read/write to disk (
group disk
) - read/write
/var/lib/mender
(this is normally a mount point) - read/execute
/usr/share/mender
(contains inventory/identity scripts and Update Modules if you are using them)
These are at least the things that come to mind from the top of my head.
Thanks @mirzak. I’d also need to review the state scripts - I know I have some that assume they’re running as root - and for U-Boot-based platforms the direct invocations of fw_setenv/fw_printenv would need to be looked at.
I would expect that the fw_setenv_/fw_printenv
tools would be covered by the disk
group.
I would expect that the
fw_setenv_/fw_printenv
tools would be covered by thedisk
group.
Mostly. The version of U-Boot I’m using also uses a lock file, but by pre-creating that file with suitable ownership and permissions, I was able to deal with that issue.
I do have this working now. Besides the lock file mentioned above, I needed to add some udev rules to set some permissions on some sysfs entries that were being accessed by my state scripts. I also needed sudo for some of the state script operations. I also added a wrapper script for the reboot
command that would use sudo to invoke the real reboot command, and put that on the mender agent’s PATH.
Thanks!
Hello everyone,
We’re facing the same challenge with our product: we need to comply with the principle of least privilege as part of the RED cybersecurity requirements.
I’m currently using Mender 5.0.1 with systemd integration, and I believe both mender-connect.service
and mender-update.service
should be updated to avoid running as root, since they have direct network access.
Would it be possible to have this change upstream, using a dedicated mender
user by default?
Hi @Rayan,
As far as I can tell there are no actions immediately planned in this area, but I definitely agree that it would be a good possible improvement. Can you submit is as a support request so it gets picked up in the product planning process?
Thanks,
Josef
Hi Josef,
Thanks a lot, I sent a support request at support@northern.tech.
I am almost done patching my system with Yocto. So far I did the following:
- Override the User/Group to
mender
in the systemd configuration (mender-authd
,mender-updated
andmender-connect
services) - Adapt permissions for
/etc/mender
,/usr/share/mender
, and/var/lib/mender
directories - Tweak D-Bus config to allow
mender
user
To use the Mender troubleshooting terminal, I am still having issues to spawn a remote shell running under a different user.
$ cat /etc/mender/mender-connect.conf
{
“ShellCommand”: “/bin/bash”,
“User”: “remote”
}
I did try to add more capabilities to the mender-connect
service but no luck so far, as I still get the following log: level=error msg=“failed to start shell: fork/exec /bin/bash: permission denied”
Do you have any suggestions on how I could achieve it?
Do you think I missed something else?
Thanks,
Rayan