Running mender agent as a non-root user

For our product we’ve been trying to make sure all services running on the device are run under unprivileged service accounts, rather than as root, particularly if they are network-facing. Any thoughts on how easy it would be to do that with the Mender agent?

Hi @madisox,

I would not expect this to be too big of a problem. The user that is running the Mender client process needs access to:

  • read/write to disk (group disk)
  • read/write /var/lib/mender (this is normally a mount point)
  • read/execute /usr/share/mender (contains inventory/identity scripts and Update Modules if you are using them)

These are at least the things that come to mind off the top of my head.

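An added example (not from this thread or from the Mender project) of the account setup described in the reply above: a service account that gets the three kinds of access listed, plus the systemd drop-in that makes the service run under it. It assumes the account is called mender, the unit is mender-client.service, and block devices are root:disk 0660 as on default Debian and Yocto images; the partition names in the usage line are placeholders for your board.

```shell
#!/bin/sh
# Added example, not Mender's own code: set up an unprivileged account
# for the Mender client with the three kinds of access listed above.
# Assumptions not stated in the thread: the account is named "mender",
# the systemd unit is mender-client.service, and block devices are
# root:disk 0660 (the udev default on Debian and Yocto images).
set -eu

MENDER_USER=mender
MENDER_GROUP=mender
DATA_DIR=/var/lib/mender      # persistent state, normally a mount point
SHARE_DIR=/usr/share/mender   # identity/inventory scripts, Update Modules

# systemd drop-in that moves the service off root. SupplementaryGroups=disk
# is what grants raw read/write to the rootfs partitions during an update.
render_dropin() {
    cat <<EOF
[Service]
User=$MENDER_USER
Group=$MENDER_GROUP
SupplementaryGroups=disk
EOF
}

# Write the drop-in under DESTDIR ("/" on the target; a temporary directory
# lets you inspect the result first). Prints the path written.
install_dropin() {
    dest="${1%/}/etc/systemd/system/mender-client.service.d"
    mkdir -p "$dest"
    render_dropin > "$dest/10-unprivileged.conf"
    chmod 0644 "$dest/10-unprivileged.conf"
    echo "$dest/10-unprivileged.conf"
}

# Privileged part, run as root on the target: create the account and hand
# the state directory to it. /usr/share/mender stays root-owned; the agent
# only needs the default 0755 read/execute on it.
apply_account() {
    getent group "$MENDER_GROUP" >/dev/null || groupadd --system "$MENDER_GROUP"
    getent passwd "$MENDER_USER" >/dev/null || \
        useradd --system --gid "$MENDER_GROUP" --groups disk \
                --home-dir "$DATA_DIR" --no-create-home \
                --shell /usr/sbin/nologin "$MENDER_USER"
    chown -R "$MENDER_USER:$MENDER_GROUP" "$DATA_DIR"
    chmod 0750 "$DATA_DIR"
}

# Check the result from the service account's point of view. Pass the
# rootfs partition device nodes for your board (placeholder names below).
check_access() {
    su -s /bin/sh "$MENDER_USER" -c "
        test -w '$DATA_DIR' && test -x '$SHARE_DIR' &&
        for dev in $*; do test -w \"\$dev\" || exit 1; done"
}

# Usage on the target, as root:  sh mender-unpriv.sh apply
case "${1:-}" in
    apply) apply_account
           install_dropin /
           check_access /dev/mmcblk0p2 /dev/mmcblk0p3
           systemctl daemon-reload ;;
esac
```

The check runs `test -w` as the new account rather than inspecting modes, because a mount point or a udev rule can change the effective answer; the reboot and fw_setenv side, which the disk group alone does not cover, is a separate step.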

Thanks @mirzak. I’d also need to review the state scripts - I know I have some that assume they’re running as root - and for U-Boot-based platforms the direct invocations of fw_setenv/fw_printenv would need to be looked at.

I would expect that the fw_setenv/fw_printenv tools would be covered by the disk group.

I would expect that the fw_setenv/fw_printenv tools would be covered by the disk group.

Mostly. The version of U-Boot I’m using also uses a lock file, but by pre-creating that file with suitable ownership and permissions, I was able to deal with that issue.

I do have this working now. Besides the lock file mentioned above, I needed to add some udev rules to set some permissions on some sysfs entries that were being accessed by my state scripts. I also needed sudo for some of the state script operations. I also added a wrapper script for the reboot command that would use sudo to invoke the real reboot command, and put that on the mender agent’s PATH.
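An added example (not from this thread or from the Mender project) of the sudo, wrapper and lock-file pieces described in the post above. It assumes the service account is called mender, the unit is mender-client.service, the wrapper lives in /usr/lib/mender/bin (a made-up location), and the lock file is u-boot-tools' default /var/lock/fw_printenv.lock; the udev rules are left out because they depend on which sysfs attributes your own state scripts touch.

```shell
#!/bin/sh
# Added example, not from the thread or the Mender project: the sudo,
# wrapper and lock-file pieces described above, rendered as files under a
# DESTDIR so they can be reviewed before being installed to "/".
# Assumptions: service account "mender", unit mender-client.service,
# wrapper dir /usr/lib/mender/bin (made up), lock file path taken from
# the u-boot-tools default (verify against your U-Boot's fw_env.c).
set -eu

MENDER_USER=mender
WRAPPER_DIR=/usr/lib/mender/bin
REAL_REBOOT=/sbin/reboot
LOCKFILE=/var/lock/fw_printenv.lock

# sudoers fragment: exact binaries only, no password, no tty needed.
# Add the commands your state scripts need to MENDER_CMDS, never ALL.
render_sudoers() {
    cat <<EOF
Defaults:$MENDER_USER !requiretty
Cmnd_Alias MENDER_CMDS = $REAL_REBOOT
$MENDER_USER ALL=(root) NOPASSWD: MENDER_CMDS
EOF
}

# Wrapper with the same name as the real command, so neither the agent nor
# the state scripts change. sudo -n fails instead of blocking on a prompt.
render_reboot_wrapper() {
    cat <<EOF
#!/bin/sh
exec sudo -n $REAL_REBOOT "\$@"
EOF
}

# Put the wrapper directory ahead of /sbin on the service's PATH.
render_path_dropin() {
    cat <<EOF
[Service]
Environment=PATH=$WRAPPER_DIR:/usr/sbin:/usr/bin:/sbin:/bin
EOF
}

# /var/lock is normally tmpfs, so pre-create the lock file at every boot with
# systemd-tmpfiles: writable by group disk, like the env partition itself.
render_tmpfiles() {
    printf 'f %s 0660 root disk -\n' "$LOCKFILE"
}

# Install everything under $1 ("/" on the target). Prints nothing on success.
install_all() {
    root="${1%/}"
    mkdir -p "$root/etc/sudoers.d" "$root$WRAPPER_DIR" "$root/etc/tmpfiles.d" \
             "$root/etc/systemd/system/mender-client.service.d"
    render_sudoers > "$root/etc/sudoers.d/mender"
    chmod 0440 "$root/etc/sudoers.d/mender"        # mode sudo requires
    render_reboot_wrapper > "$root$WRAPPER_DIR/reboot"
    chmod 0755 "$root$WRAPPER_DIR/reboot"
    render_path_dropin > "$root/etc/systemd/system/mender-client.service.d/20-path.conf"
    render_tmpfiles > "$root/etc/tmpfiles.d/mender-fwenv.conf"
}

# Syntax-check the fragment before a typo can break sudo; run as root.
check_sudoers() {
    visudo -c -q -f "${1%/}/etc/sudoers.d/mender"
}

# Usage on the target, as root:  sh mender-sudo.sh apply
case "${1:-}" in
    apply) install_all /
           check_sudoers /
           systemd-tmpfiles --create /etc/tmpfiles.d/mender-fwenv.conf
           systemctl daemon-reload ;;
esac
```

Keep the sudoers command list to full paths of specific binaries; a rule that grants a shell, an editor or `ALL` hands root straight back to a network-facing process, which is what running the agent unprivileged was meant to avoid.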

Thanks!