Security/Tizen 2.X User ID & group ID

From Tizen Wiki

User ID and group ID policy

Tizen 2.X does not support multiple users, but the user ID policy is a fundamental building block of its security requirements.

  • User ID policy
    • There are 3 users in Tizen 2.X: 0 (root), 5000 (app), and 5100 (developer).
    • No application runs under user ID 0.
    • Tizen does not support multiple users. All applications run under user ID 5000.
    • There is no user login.
    • Predefined users from the Linux distribution can be used.
    • We discourage giving the developer shell the same user ID as applications. The developer shell (sdbd shell) runs as user ID 5100.
  • Group ID policy
    • Tizen does not actively use group IDs for access control.
    • However, we retain the predefined group IDs from the Linux open source components.
    • Currently, many group IDs appear in /etc/group, but they are no longer used.

Framework files

A framework file is any file created and installed by platform development. Framework files should be protected from unauthorized access by applications; the setup configuration is as follows.

Policy

  • The basic policy is that all files are owned by root, grouped root, with rw-r--r-- (644) permission.
    • Executable files can have rwxr-xr-x permission. We do not recommend setuid (rwsr-xr-x) or setgid (rwxr-sr-x) files. The manufacturer is responsible for any security breach caused by setuid or setgid files.
  • The home directory of each user is owned by the corresponding user ID with drwxr-xr-x permission. Tizen 2.X has 3 home directories, for the root, app, and developer users.
  • If an application needs to write a framework file, we recommend changing the group of the file to 5000 and the permission to rw-rw-r-- (664).
    • If a file is owned by user ID 5000, it could be removed or its attributes changed maliciously.
    • Group IDs are not used unless there is a corresponding group ID from the Linux open source components.
  • Important files can have stricter permissions.
    • root:root rw------- (600) or rw-rw---- (660) can be used for very important system files.
  • Some files are globally accessible for specific reasons.
    • For example, /dev/zero, /dev/null, and /tmp have rw-rw-rw- (666) permission (rwxrwxrwx for the directory) by their original purpose.

Implementation

  • rpm automatically sets root:root rw-r--r-- for normal files and root:root rwxr-xr-x for executable files.
    • If you want to provide different file permissions, use the chown or chmod command in the spec file of your package.
  • Permissions of files in tmpfs should be set at boot time or mount time.
    • Files in /dev can be configured by udev configuration.
    • Files in /tmp can be configured by boot scripts.
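The framework file policy above can be checked mechanically. The following audit tool is an added example, not Tizen code: it walks a framework tree and flags files that carry setuid/setgid bits, are world-writable (other than the /dev/null, /dev/zero and /tmp exceptions the policy names), or are owned by uid 5000 rather than merely group 5000. The flag names, the default root /usr and the check function are assumptions of this example.

```c
#define _XOPEN_SOURCE 700
#include <ftw.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>

#define APP_UID 5000   /* application user from the page's UID policy */

/* Bit flags returned by framework_file_violations(). */
enum { V_SETUID = 1, V_SETGID = 2, V_WORLD_WRITABLE = 4, V_APP_OWNED = 8 };

/* The only paths the policy names as world-writable by design. */
static int world_writable_by_design(const char *path) {
    return strcmp(path, "/dev/null") == 0 || strcmp(path, "/dev/zero") == 0 ||
           strcmp(path, "/tmp") == 0;
}

/* Checks one framework file against the policy: no setuid/setgid, no
 * world-writable bit (except the listed exceptions), and not owned by uid 5000
 * (group 5000 with 664 is the recommended way to let applications write). */
int framework_file_violations(const char *path, mode_t mode, uid_t uid) {
    int v = 0;
    if (mode & S_ISUID) v |= V_SETUID;
    if (mode & S_ISGID) v |= V_SETGID;
    if ((mode & S_IWOTH) && !world_writable_by_design(path)) v |= V_WORLD_WRITABLE;
    if (uid == APP_UID) v |= V_APP_OWNED;
    return v;
}

/* nftw callback: print every file that violates the policy, keep walking. */
static int report(const char *path, const struct stat *sb, int typeflag, struct FTW *ftwbuf) {
    (void)typeflag; (void)ftwbuf;
    int v = framework_file_violations(path, sb->st_mode, sb->st_uid);
    if (v)
        printf("%s mode=%04o uid=%u%s%s%s%s\n", path, (unsigned)(sb->st_mode & 07777),
               (unsigned)sb->st_uid, v & V_SETUID ? " setuid" : "",
               v & V_SETGID ? " setgid" : "", v & V_WORLD_WRITABLE ? " world-writable" : "",
               v & V_APP_OWNED ? " owned-by-5000" : "");
    return 0;
}

int main(int argc, char **argv) {
    const char *root = argc > 1 ? argv[1] : "/usr";   /* framework tree to audit */
    return nftw(root, report, 16, FTW_PHYS) == 0 ? 0 : 1;
}
```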

System service processes

System services should run with least privilege. However, in Tizen 2.3 we did not apply least privilege to these services, and unfortunately most of them run as user ID 0. We plan to provide least privilege support in the next release.

Application files

When an application is installed, user ID and permission of all files in the application packages are assigned by the system.

Policy

  • Basically, all files are owned by root and read-only for other users: root:root rw-r--r--
    • Executable files and directories are also owned by root and read-only: root:root drwxr-xr-x
  • No setuid or setgid bit is set.
  • A few directories are owned by UID 5000 and writable by that user: 5000:5000 drwxr-xr-x
    • /opt/apps/[pkgid]/data : the application's private storage.
    • /opt/apps/[pkgid]/shared : the application's shared directory.

Implementation

  • The Native Installer and Web Installer assign the user ID and permissions of package files.
  • Since the installers run as root, all files are initially owned by root.
  • The installers change the owner and permissions of directories and files where required.

Application processes

All applications are forked and executed by the launchpad daemon. Launchpad itself is a root daemon, but it drops privileges by calling the libprivilege-control API before executing an application. Therefore the effective user ID and effective group ID of an application are always 5000.

Developer (sdb)

Providing a debug interface to application developers is very important for the platform's ecosystem. Tizen provides the Smart Development Bridge (sdb) to talk to and support developers.

Policy

  • The developer is basically not allowed to have root privilege.
    • On the other hand, the developer requires root privilege to install, debug, kill, and uninstall applications under development.
  • The developer is not allowed to access user data and applications directly.
    • The developer should be sandboxed from other applications and user data.

Implementation

  • sdbd (the sdb daemon on the device) runs as the root user.
    • sdbd communicates with the developer via the sdb command, so the developer can obtain root privilege in a limited manner.
      • Installing, removing, killing, and debugging an application is performed by the privileged sdbd, but only allowed for applications under development.
      • Any other undefined command (including execution of a root shell) is not allowed.
  • The developer shell runs under the developer user.
    • The developer can launch a shell process with the sdb shell command.
    • sdbd launches the shell process, but drops root privilege to the developer user before launching the shell.
    • Since the shell runs under the developer user, it cannot interfere with applications directly.
      • e.g. sending signals, writing user files, accessing databases, and so on.
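Both launchpad (dropping to uid 5000 before executing an application) and sdbd (dropping to uid 5100 before launching the developer shell) rely on an irrevocable privilege drop. The following is an added example in C of that pattern, not libprivilege-control or any Tizen code: it clears supplementary groups, sets the gid before the uid, sets real, effective and saved ids together, and then verifies that root cannot be regained before exec. The UID constants come from the page; the function names and the app|dev command line are assumptions of this example.

```c
#define _GNU_SOURCE
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

#define APP_UID 5000   /* application user, as in the page's UID policy */
#define DEV_UID 5100   /* developer user for the sdb shell */

/* Returns 1 only if real, effective and saved uid/gid all equal the target and
 * root cannot be regained. A drop that leaves a root saved uid would let the
 * child call setuid(0) again, so a plain seteuid() is not enough. */
int privileges_are_irrevocable(uid_t uid, gid_t gid) {
    uid_t r, e, s;
    gid_t rg, eg, sg;
    if (getresuid(&r, &e, &s) != 0 || getresgid(&rg, &eg, &sg) != 0) return 0;
    if (r != uid || e != uid || s != uid) return 0;
    if (rg != gid || eg != gid || sg != gid) return 0;
    if (uid != 0 && setuid(0) == 0) return 0;   /* regained root: drop failed */
    return 1;
}

/* Drop from root in the safe order: supplementary groups first, then gid, then
 * uid (setresuid last, because once the uid is unprivileged the gid is frozen). */
int drop_privileges(uid_t uid, gid_t gid) {
    if (setgroups(0, NULL) != 0) return -1;
    if (setresgid(gid, gid, gid) != 0) return -1;
    if (setresuid(uid, uid, uid) != 0) return -1;
    return privileges_are_irrevocable(uid, gid) ? 0 : -1;
}

/* Usage: launcher app|dev /path/to/program  (run as root, like launchpad/sdbd) */
int main(int argc, char **argv) {
    if (argc < 3) { fprintf(stderr, "usage: %s app|dev /path/to/program\n", argv[0]); return 2; }
    uid_t target = strcmp(argv[1], "dev") == 0 ? DEV_UID : APP_UID;
    if (drop_privileges(target, target) != 0) { perror("drop_privileges"); return 1; }
    execv(argv[2], &argv[2]);   /* only reached as the unprivileged user */
    perror("execv");
    return 1;
}
```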