Rootless Execution

Best practices for security integrators include:

Rootless execution supports these best practices. In a rootless system, a process maintains its own access rights and permissions, which makes it less vulnerable to subversive attacks by denying the attacker unrestrained access to the system.

Note: The QNX Neutrino RTOS recognizes user ID 0 as being privileged, and traditionally an account with uid 0 is called root. This user can do anything on the system; it has what Windows calls "administrator's privileges". Unix-style operating systems often call root the "superuser".

Escalating privileges to attack a system

The user ID for root is zero (0). Normally, you can determine the level of privilege based on whether the process making the request (or the object being acted upon) is running in the context of the root user. To escalate privileges, an attacker might look for an object that already has root privileges and then co-opt it for malicious purposes.

Separating privileged operations to reduce vulnerability

In QNX Neutrino, the procmgr ability system separates the individual privileged operations (that are normally reserved for root) and allows them to be individually granted or denied to any process as necessary. Processes started as root are, by default, granted a superset of abilities, while those not started as root are granted a subset.

Before rootless execution, privileged operations were restricted to root processes, that is, those running with uid 0.

Rootless execution means that you can use procmgr abilities to change this behavior so that privileged operations are permitted to processes running under any user ID, provided they have been granted the specific ability that governs that operation.

By default, processes running as user ID 0 are granted full abilities unless they are specifically restricted by dropping and locking procmgr abilities, or by switching to a different user ID.

To learn more about procmgr abilities and process privileges, see the Procmgr abilities chapter of the QNX Neutrino Programmer's Guide.

Starting processes without root privilege

In practice, this approach to privilege allows processes:

The ability system allows non-root processes selective access to privileged operations, providing the opportunity to deploy a system with no processes running as, or objects owned by, root. This approach should make it effectively impossible to achieve root privilege escalation. Should any process be co-opted, it remains limited in which operations it can be made to perform on behalf of the attacker.
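The following program is an added example, not code from the QNX documentation and not the procmgr implementation or the real procmgr_ability() API (which lives in <sys/procmgr.h> on QNX). It is a self-contained, portable C model of the privilege rules described in the two passages above: the legacy "privileged means uid 0" test, the default grant (root gets the full set, non-root gets a subset), dropping and locking abilities, and the change of effective abilities when a process switches to a different user ID. The ability names, the split into a root and a non-root allow set, and the service uid 100 are constructed for the illustration; the start_path_service() sequence shows the defensive pattern of retaining one ability, locking the rest denied, and then giving up root, so that a later compromise of the process cannot regain what was dropped.

```c
/* Constructed model of ability-gated privilege (example only; NOT the QNX
 * procmgr code and NOT its procmgr_ability() API). */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed ability identifiers for three privileged operations. */
enum ability {
    AID_SETUID = 0,   /* change the process's user ID */
    AID_PATHSPACE,    /* register a name in the pathname space */
    AID_MEM_PHYS,     /* map physical memory */
    AID_COUNT
};

#define BIT(a)         (1u << (a))
#define ALL_ABILITIES  (BIT(AID_COUNT) - 1u)

/* Separate allow sets for the root (uid 0) and non-root domains, plus a lock
 * set: once an ability is locked, its allow state can no longer be changed. */
struct process {
    unsigned uid;
    uint32_t root_allowed;
    uint32_t nonroot_allowed;
    uint32_t locked;
};

/* Process creation: a root process starts with every ability in the root
 * domain and nothing retained for non-root; a non-root process starts with
 * no privileged ability at all (a subset, here the empty one). */
static struct process process_create(unsigned uid)
{
    struct process p = { uid, 0, 0, 0 };
    if (uid == 0)
        p.root_allowed = ALL_ABILITIES;
    return p;
}

/* Pre-rootless rule: privileged means uid == 0, whatever the operation. */
static bool legacy_is_privileged(const struct process *p, enum ability a)
{
    (void)a;
    return p->uid == 0;
}

/* Rootless rule: the ability governing this operation, in the domain that
 * matches the current uid, decides; uid 0 by itself grants nothing. */
static bool has_ability(const struct process *p, enum ability a)
{
    uint32_t set = (p->uid == 0) ? p->root_allowed : p->nonroot_allowed;
    return (set & BIT(a)) != 0;
}

/* Allow or deny one ability in one domain (models a grant by the process
 * itself or by its spawner). Refused once the ability is locked. */
static bool ability_set(struct process *p, bool nonroot_domain,
                        enum ability a, bool allow)
{
    uint32_t *set = nonroot_domain ? &p->nonroot_allowed : &p->root_allowed;
    if (p->locked & BIT(a))
        return false;
    if (allow)
        *set |= BIT(a);
    else
        *set &= ~BIT(a);
    return true;
}

static void ability_lock(struct process *p, enum ability a)
{
    p->locked |= BIT(a);
}

/* Switching user ID needs the SETUID ability; afterwards the other domain's
 * allow set is the effective one. */
static bool switch_uid(struct process *p, unsigned uid)
{
    if (!has_ability(p, AID_SETUID))
        return false;
    p->uid = uid;
    return true;
}

/* Start-up of a service that only needs to register a pathname: retain
 * PATHSPACE for non-root, deny and lock the rest, then give up root. */
static struct process start_path_service(void)
{
    struct process p = process_create(0);
    ability_set(&p, true, AID_PATHSPACE, true);   /* keep after uid switch */
    ability_set(&p, true, AID_MEM_PHYS, false);
    ability_set(&p, true, AID_SETUID, false);
    ability_lock(&p, AID_PATHSPACE);
    ability_lock(&p, AID_MEM_PHYS);
    ability_lock(&p, AID_SETUID);                 /* no way back to uid 0 */
    switch_uid(&p, 100);                          /* constructed service uid */
    return p;
}

int main(void)
{
    struct process svc = start_path_service();
    printf("uid=%u pathspace=%d mem_phys=%d regrant_mem_phys=%d back_to_root=%d\n",
           svc.uid, has_ability(&svc, AID_PATHSPACE),
           has_ability(&svc, AID_MEM_PHYS),
           ability_set(&svc, true, AID_MEM_PHYS, true),
           switch_uid(&svc, 0));
    return 0;
}
```

The point of the model is the contrast between legacy_is_privileged() and has_ability(): under the first, co-opting any uid 0 process yields every privileged operation, while under the second a compromised service is confined to the single ability it retained, and because the remaining abilities were locked before the uid switch, neither re-granting them nor switching back to uid 0 succeeds.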