[systemd-devel] best way to enable dynamicuser on a large custom application
Topi Miettinen
toiwoton at gmail.com
Fri Feb 12 18:21:32 UTC 2021
On 12.2.2021 4.31, Davis Roman wrote:
> Hello,
>
> I've been tasked to take a large application mostly written in C which
> had previously always run as root and now run it under dynamic user.
>
> My goal is to follow the "principle of least privilege" and figure out
> all the necessary individual privileges I need to provide so that it
> continues to work normally as before.
>
> I'm sure I can use a trial and error approach that would involve running
> the unprivileged application, inspecting errors, granting the needed
> privilege, rinse, wash and repeat until all errors are resolved,
> but I'm wondering if there is a more systematic approach that involves
> inspecting the code base and figuring out all the privileges needed
> to get the application to work properly?
Code base inspection may not present the complete picture easily, since
libraries may also invoke privileges and they may also call further
libraries, plugins etc. A test-based approach is not great either, since
if the test run misses a use case, the privileges for that may be left out.
Once upon a time, I tried to automate generating systemd configuration
from test runs with some help from the kernel using SystemTap. It may need
some updating:
https://github.com/topimiettinen/systemd-settings-generator.git
But a problem with the kernel's debugging interfaces is that they don't seem
to remain very stable, and for some interfaces, performance may not be
good enough. Maybe a more stable and performant model would be to
intercept the LSM interface directly. This "systemd-lsm" could store the
state inside the kernel (no need for I/O) and it could produce systemd
configuration after the service finished, with netlink (for speed) or
a /proc interface (for text).
-Topi
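As an added example, not part of the thread and not Topi's generator, here is a small Python script that automates the trial-and-error loop Davis describes: it reads an `strace -f` log of the application running unprivileged, keeps only the syscalls that failed with EACCES or EPERM, and proposes the systemd `[Service]` directives that would grant exactly that access (`StateDirectory=`, `LogsDirectory=`, `CacheDirectory=`, `RuntimeDirectory=`, `ReadWritePaths=`, `AmbientCapabilities=`). The trace lines are constructed for the example, the application name `myapp` is made up, and the failure-to-directive mapping is a heuristic that a reviewer must confirm; as Topi notes, anything the test run never exercises will not appear here.

```python
"""Propose systemd DynamicUser= sandbox directives from permission failures in an strace log.

Added example (not from the mailing-list thread). The mapping below is a heuristic
for review, not an authoritative table; directive names are real systemd directives.
"""
import re

PERMISSION_ERRNOS = {"EACCES", "EPERM"}

# Directories systemd can create and chown to the dynamic user for us, keyed to
# the directive that provisions them. Anything else DynamicUser= leaves read-only
# (it implies ProtectSystem=strict), so other writable paths need ReadWritePaths=.
DIRECTORY_DIRECTIVES = (
    ("/var/lib/", "StateDirectory"),
    ("/var/cache/", "CacheDirectory"),
    ("/var/log/", "LogsDirectory"),
    ("/run/", "RuntimeDirectory"),
)

# Matches one strace line such as:  1234 openat(AT_FDCWD, "/x", O_RDWR) = -1 EACCES (...)
FAILURE_RE = re.compile(
    r"^(?:\d+\s+)?(?P<call>\w+)\((?P<args>.*)\)\s+=\s+-1\s+(?P<errno>E[A-Z]+)"
)
PATH_RE = re.compile(r'"(/[^"]*)"')
PORT_RE = re.compile(r"sin6?_port=htons\((\d+)\)")

# Constructed sample of what `strace -f -e trace=file,network -o trace.log` might
# show for a service that used to run as root and now runs as a dynamic user.
SAMPLE_TRACE = """\
1234 openat(AT_FDCWD, "/var/lib/myapp/state.db", O_RDWR|O_CREAT, 0644) = -1 EACCES (Permission denied)
1234 openat(AT_FDCWD, "/var/log/myapp/app.log", O_WRONLY|O_APPEND|O_CREAT, 0644) = -1 EACCES (Permission denied)
1234 openat(AT_FDCWD, "/etc/myapp/config.yaml", O_RDONLY) = 3
1234 bind(4, {sa_family=AF_INET, sin_port=htons(443), sin_addr=inet_addr("0.0.0.0")}, 16) = -1 EACCES (Permission denied)
1234 socket(AF_PACKET, SOCK_RAW, htons(ETH_P_ALL)) = -1 EPERM (Operation not permitted)
1234 chown("/run/myapp/app.sock", 0, 0) = -1 EPERM (Operation not permitted)
1234 openat(AT_FDCWD, "/run/myapp/app.sock", O_RDONLY) = -1 ENOENT (No such file or directory)
1234 mkdir("/run/myapp", 0755) = -1 EACCES (Permission denied)
1234 openat(AT_FDCWD, "/srv/myapp/uploads/x.bin", O_WRONLY|O_CREAT, 0644) = -1 EACCES (Permission denied)
"""


def parse_failures(trace_text):
    """Return (syscall, args, errno) for every line that failed with a permission error.

    Successful calls and non-permission errors such as ENOENT are ignored: they are
    not evidence of a missing privilege.
    """
    failures = []
    for line in trace_text.splitlines():
        m = FAILURE_RE.match(line.strip())
        if m and m.group("errno") in PERMISSION_ERRNOS:
            failures.append((m.group("call"), m.group("args"), m.group("errno")))
    return failures


def suggest_directives(trace_text):
    """Map each permission failure to a candidate [Service] directive and value."""
    suggestions = {}

    def add(directive, value):
        values = suggestions.setdefault(directive, [])
        if value not in values:
            values.append(value)

    for call, args, _errno in parse_failures(trace_text):
        if call == "bind":
            port = PORT_RE.search(args)
            if port and int(port.group(1)) < 1024:  # privileged port
                add("AmbientCapabilities", "CAP_NET_BIND_SERVICE")
        elif call == "socket" and ("SOCK_RAW" in args or "AF_PACKET" in args):
            add("AmbientCapabilities", "CAP_NET_RAW")
        elif call in ("chown", "fchownat", "lchown"):
            # Flag for review: removing the chown from the code is usually better
            # than handing a dynamic user CAP_CHOWN.
            add("AmbientCapabilities", "CAP_CHOWN")
        else:
            path = PATH_RE.search(args)
            if not path:
                continue
            for prefix, directive in DIRECTORY_DIRECTIVES:
                if path.group(1).startswith(prefix):
                    # The first component after the prefix is the directory systemd owns.
                    add(directive, path.group(1)[len(prefix):].split("/", 1)[0])
                    break
            else:
                add("ReadWritePaths", path.group(1).rsplit("/", 1)[0] or "/")
    return suggestions


def render_dropin(suggestions):
    """Render the suggestions as a unit drop-in (e.g. myapp.service.d/override.conf)."""
    lines = ["[Service]", "DynamicUser=yes"]
    for directive in sorted(suggestions):
        lines.append("%s=%s" % (directive, " ".join(suggestions[directive])))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(render_dropin(suggest_directives(SAMPLE_TRACE)))
```

Run it against a real log with `strace -f -e trace=file,network -o trace.log` wrapped around the test run, then treat the output as a starting point: the directories it names are created and owned by the dynamic user, the `ReadWritePaths=` entries punch holes in the read-only view that `DynamicUser=` implies, and every capability it lists deserves a second look at the code that needed it.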