Rootless Execution

Best practices for security integrators include:

Rootless execution supports these best practices. In a rootless system, a process maintains its access rights and permissions. Systems are less vulnerable to subversive attacks because attackers can't obtain unrestrained access to the system.

Note: The QNX Neutrino RTOS recognizes user ID 0, which is traditionally called root, as privileged. This user can do anything on the system; it has what Windows calls "administrator's privileges". Unix-style operating systems often call root the "superuser".

Escalating privileges to attack a system

The user ID for root is zero (0). Normally, you can determine the level of privilege based on whether or not the process making the request (or the object being acted upon) is in the context of the root user. To escalate privileges, an attacker might look for an object that already has root privileges and then co-opt it for malicious purposes.

Separating privileged operations to reduce vulnerability

In QNX Neutrino, the Process Manager ability system allows the privileged operations that are normally reserved for root to be granted or denied individually to any process as necessary. Processes started as root are, by default, granted a superset of abilities, while those not started as root are granted a subset.

Before rootless execution, privileged operations were restricted to root processes, that is, those running with UID 0.

Rootless execution allows you to use Process Manager abilities to restrict privileged operations to processes running as any user ID, provided they have been granted the specific ability that governs the specific operation.

By default, processes running as user ID 0 are granted full abilities unless:

  • they are specifically restricted by dropping and locking Process Manager abilities
  • they switch to a different user ID

To learn more about Process Manager (procmgr) abilities and process privileges, see the Procmgr abilities chapter of the QNX Neutrino Programmer's Guide.

Starting processes without root privilege

In practice, this method of granting privileges allows processes:

The ability system allows non-root processes selective access to privileged operations, providing the opportunity to deploy a system with no processes running as, or objects owned by, root. This approach should make it effectively impossible to achieve root privilege escalation. If any process is co-opted by an attacker, the operations it can be made to perform on behalf of the attacker remain limited.
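The default rules above (user ID 0 holds full abilities unless they are dropped and locked, any other user ID holds only what it was granted) can be written down as a small model and used to review a deployment plan against the goal of running nothing as root. This is an added example, not QNX code or the procmgr API; the process names, user IDs and ability labels are constructed for illustration.

```python
from dataclasses import dataclass, field

ROOT_UID = 0

@dataclass
class Proc:
    name: str
    uid: int
    granted: set = field(default_factory=set)         # abilities individually granted
    dropped_locked: set = field(default_factory=set)  # abilities dropped and locked

def may_perform(proc, ability):
    """True if the model lets proc carry out the operation governed by ability."""
    if ability in proc.dropped_locked:
        return False                      # dropped and locked: never available
    if proc.uid == ROOT_UID:
        return True                       # uid 0 keeps full abilities by default
    return ability in proc.granted        # any other uid: only what was granted

def audit(procs, needed):
    """Compare each process with the abilities it needs; return (name, issue) pairs."""
    findings = []
    for p in procs:
        need = needed.get(p.name, set())
        if p.uid == ROOT_UID:
            findings.append((p.name, "runs as uid 0"))
        else:
            for a in sorted((p.granted - p.dropped_locked) - need):
                findings.append((p.name, f"unneeded ability: {a}"))
        for a in sorted(need):
            if not may_perform(p, a):
                findings.append((p.name, f"missing ability: {a}"))
    return findings

# Constructed process table and requirements (not taken from a real system).
PROCS = [
    Proc("net-driver", 0),
    Proc("can-driver", 210, granted={"io", "interrupt"}),
    Proc("logger", 220, granted={"mem_phys"}),
    Proc("updater", 0, dropped_locked={"io"}),
]
NEEDED = {"net-driver": {"io"}, "can-driver": {"io", "interrupt"},
          "logger": set(), "updater": {"io"}}

if __name__ == "__main__":
    for name, issue in audit(PROCS, NEEDED):
        print(f"{name}: {issue}")
```

In this table only can-driver matches the rootless target: it runs as a non-root user ID and holds exactly the abilities it needs.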