User IDs for system services

For best security, after system startup, all services should be running with their own unique user and group IDs.

This practice has several benefits:

It makes it much easier to take advantage of POSIX permissions to control access to resources such as files and other resource managers.
Security tests are, in some cases, stricter when two processes do not share a user ID than when they do.

Running resource managers with non-root user IDs requires privileges that are usually only available to user ID 0, root. There are two ways to grant these privileges to resource managers not running as root:

Start the service as root and provide it with the option (usually -U) to have it switch to a different set of user and group IDs.
Use security policies.
For example, sshd normally needs to be run as root but using security policies allows you to run it as non-root. For more information, see “Running sshd as non-root” in the Utilities Reference.

After system startup, you can check that all processes are non-root by using the pidin utility. You can also use pidin to verify that they have not retained the setuid ability, which would permit them to revert to root.