Hi team,

I had received a couple of offline emails on this topic, asking why
we need this group? Is this really needed?
So I thought of writing in detail about the advantages that we get.

1. As this is not controlled by our Yocto, we are moving away from
security requirements and products are getting deployed with root as a
normal user for all services.
Any security flaw can lead to overall system gain. Bigger risk in
today's world.

2. Why can't the customization of adding user/group be done by our
developers (deployers)?
Yes, they can do that, but the problem is half of the stack services
are from our Yocto, which are running as root, and getting them into the
"Least privilege security model" is a big challenge where security
requirements are half baked.

3. Why don't Ubuntu / other distros have this many groups?
Most of them have role based and security LSM which will safeguard.
In our case most of the time we have single user login or there is
no concept of role-based non-root sort of idea, only fewer groups.

4. What are the expectations from this email?
   + Guideline on numbering to be used for users and groups.
   + Define standard groups that are typically seen on the system so
that contributors / developers can start adapting this.
   + Create a new group that can be used by services which are not
root but less privileged users. Some, like Android, have "system", or
root vs admin (lesser).
   + Defining the privilege user chart can be used for much more
security control. Any flaw in any one driver will still not give full
access.

Team, please comment so that we can get a wider view on whether this
should be done at our end or at the deployer end.

Regards,
Ravi

On Wed, Nov 1, 2023 at 11:38 AM Marta Rybczynska <rybczyn...@gmail.com> wrote:
>
> On Wed, Nov 1, 2023 at 6:43 AM Ravi Kumar <nxp.r...@gmail.com> wrote:
> >
> > Hi team,
> > Most of the IoT lines have been deployed on Yocto; now the new
> > trend/requirement is security.
> > On Yocto we see that we moved away making everyone as root and every
> > resource on the device tree accessible.
> > Where it creates new challenges of creating isolation of services
> > and resources.
> > Making a service to run in low privilege mode (which is a base
> > requirement of security).
> > I understand we had always encouraged using extrausers and useradd
> > for creating custom user groups.
> > [1] https://docs.yoctoproject.org/ref-manual/classes.html#extrausers
> > [2] https://docs.yoctoproject.org/ref-manual/classes.html#useradd
> >
> >
> > Following are the problems.
> >   We add a new UID and GID and associate the new code, but open
> > source service might still need to be part of this group to access
> > this,
> > where adding/covering all the use cases is really not possible.
> > Re-using of the code which is already associated with some user group
> > has to be reworked to make sure the UID and GID is unique.
> >
> > We see that we are moving away from commercial product lines in terms
> > of security. How do we address this or the proposal?
> >
> > 1. Standardization of user/group:
> > Just like Android ecosystem uid/gid classification based on
> > . <range> to be defined. driver related / app related / services
> >
> > 2. Default group to be included by Yocto frameworks,
> >  like
> > Radio -- modern boards are by default enabled with WiFi, BT, GPS
> > 3. Users who are part of special capabilities groups like net_admin
> > /net_raw, reading of /proc
> > or writing to /sys entries which could do elevated roles.
> >
> >  SELinux sort of layer is on top of DAC (legacy user/groups) and we
> > should be having a robust DAC model to meet the current security
> > requirements.
> > Please let us know if there are any guidelines / plans on this.
> > Or can we submit a patch for adding default/user like radio /
> > net_admin sort of users.
> >
>
> Hello Ravi,
> Thank you for the message. I'm not aware of a recent discussion
> on the subject, and the question is relevant. I'm adding the yocto-security@
> mailing list in copy.
>
> Kind regards,
> Marta
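
The numbering concern raised in this thread (UIDs/GIDs that must stay unique when code is reused, and ID ranges per class of account) can be checked mechanically over passwd(5)/group(5)-format tables. The following is an added example, not code from the thread or from the Yocto Project; the ranges in POLICY, the layer names and the accounts are constructed assumptions, since the thread leaves the ranges undefined.

```python
from collections import defaultdict

# Assumed numbering policy; the thread leaves the actual ranges undefined.
POLICY = {"driver": range(900, 950), "service": range(950, 1000),
          "app": range(1000, 2000)}

# Constructed passwd(5)-format tables, one per (hypothetical) layer.
TABLES = {
    "meta-vendor": "radio:x:901:901::/nonexistent:/sbin/nologin\n"
                   "sensord:x:950:950::/nonexistent:/sbin/nologin\n",
    "meta-product": "# product accounts\n"
                    "telemetry:x:950:951::/nonexistent:/sbin/nologin\n"
                    "kiosk:x:1000:1000::/home/kiosk:/bin/sh\n"
                    "updater:x:0:0::/root:/bin/sh\n",
}

def parse_table(text):
    """Yield (name, numeric_id); the id is field 3 in both passwd(5) and group(5)."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 3 or not fields[2].isdigit():
            raise ValueError(f"malformed entry: {line!r}")
        yield fields[0], int(fields[2])

def find_collisions(tables):
    """Return {id: [(layer, name), ...]} for ids claimed by more than one name."""
    owners = defaultdict(set)
    for layer, text in tables.items():
        for name, num in parse_table(text):
            owners[num].add((layer, name))
    return {num: sorted(who) for num, who in owners.items()
            if len({name for _, name in who}) > 1}

def classify(num, policy=POLICY):
    """Return the policy class an id falls into, or None if outside every range."""
    return next((cls for cls, rng in policy.items() if num in rng), None)

def find_unclassified(tables):
    """Return sorted (layer, name, id) for accounts outside the policy, e.g. uid 0 aliases."""
    return sorted((layer, name, num) for layer, text in tables.items()
                  for name, num in parse_table(text) if classify(num) is None)

if __name__ == "__main__":
    print("collisions:", find_collisions(TABLES))
    print("outside policy:", find_unclassified(TABLES))
```

Because the ID is the third field in both file formats, the same functions can be run over group tables to catch GID clashes.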