Privilege Control
Like other components that run on QNX OS, the privileged operations required by io-sock and networking components are protected by process manager abilities. These abilities are configured either directly by the components themselves, or, preferably, via security policies that are defined by the system integrator.
For a list of these abilities, see Abilities in the Privilege control section of the System Security Guide.
For an overview of process manager abilities, see:
- Process privileges in the Processes chapter of the QNX OS Programmer's Guide
- The entries for procmgr_ability() and iofunc_ability_check() in the C Library Reference.
After io-sock is up and running, you can use a sysctl command to have io-sock drop the extra privileges it needed during startup and have it run with a reduced set of privileges for normal operation.
Dropping privileges for systems with a security policy
For systems that use security policies, you should run io-sock as a non-root user and then, after it has fully started, set qnx.sec.transition. The io-sock manager continues to run with the same uid it was started with, but switches to a different security type, most likely one with fewer privileges. For example:
sysctl qnx.sec.transition=1
The sysctl design requires you to pass in a non-zero value; passing in 1 is recommended because future releases could assign specific meanings to other parameter values.
Dropping privileges for systems without a security policy
If your system does not use security policies, you should run io-sock as root and then use qnx.sec.droproot to have it switch to the specified user. For example:
sysctl qnx.sec.droproot=value
where value specifies a user, one or more groups, or both, using one of the following formats:
- uid[:gid[,sup_gid]*]
- user_name[,sup_gid]*
The default is 99:99,120. In the second format, the primary group is the one specified for user_name in /etc/passwd.
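The two value formats above are easy to get subtly wrong (a dangling ':' or ',', a supplementary group given without a primary gid, a non-numeric id), and a malformed value is better caught on the integrator's side than at the moment io-sock is asked to drop root. The following POSIX sh script is an added example, not code from the QNX documentation or from io-sock: it checks a candidate qnx.sec.droproot value against the documented uid[:gid[,sup_gid]*] and user_name[,sup_gid]* formats before handing it to sysctl. The rule that a user name starts with a letter or underscore and contains only letters, digits, '_' and '-' is an assumption of this example (the page does not define user_name syntax), and all the sample values are constructed.

```shell
#!/bin/sh
# Added example; not part of the QNX documentation or of io-sock itself.
# Validates a candidate qnx.sec.droproot value against the two documented
# formats before it reaches sysctl:
#     uid[:gid[,sup_gid]*]
#     user_name[,sup_gid]*
# Assumption (not stated on the page): user names start with a letter or '_'
# and contain only letters, digits, '_' and '-'.

# Succeeds only when $1 is a non-empty run of decimal digits.
all_digits() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    return 0
}

# Succeeds only when $1 is a non-empty comma-separated list of numeric ids
# with no empty fields, so ",99", "99,", "99,,120" and "99,x" are rejected.
id_list_ok() {
    list=$1
    [ -n "$list" ] || return 1
    while [ -n "$list" ]; do
        case "$list" in
            *,*) field=${list%%,*}; list=${list#*,}
                 [ -n "$list" ] || return 1 ;;      # trailing comma
            *)   field=$list; list= ;;
        esac
        all_digits "$field" || return 1
    done
    return 0
}

# Succeeds only when $1 is a well-formed droproot value in either format.
droproot_value_ok() {
    value=$1
    case "$value" in
        '') return 1 ;;
        [0-9]*)
            # Numeric form: uid, optionally ':' followed by gid[,sup_gid]*.
            # Note that "99,120" is NOT valid here: a supplementary group
            # can only follow a primary gid, which itself follows ':'.
            case "$value" in
                *:*) uid=${value%%:*}; groups=${value#*:} ;;
                *)   uid=$value; groups= ;;
            esac
            all_digits "$uid" || return 1
            case "$value" in
                *:*) id_list_ok "$groups" || return 1 ;;   # rejects "99:" too
            esac
            return 0
            ;;
        *)
            # Name form: user_name, optionally ',' followed by sup_gid[,sup_gid]*.
            case "$value" in
                *,*) name=${value%%,*}; groups=${value#*,} ;;
                *)   name=$value; groups= ;;
            esac
            case "$name" in
                [A-Za-z_]*) ;;                      # assumed name syntax
                *) return 1 ;;
            esac
            case "$name" in
                *[!A-Za-z0-9_-]*) return 1 ;;       # assumed name syntax
            esac
            case "$value" in
                *,*) id_list_ok "$groups" || return 1 ;;  # rejects "name," too
            esac
            return 0
            ;;
    esac
}

# Validates first, then applies the value exactly as the documentation shows.
drop_io_sock_privileges() {
    droproot_value_ok "$1" || { echo "refusing malformed droproot value: $1" >&2; return 1; }
    sysctl qnx.sec.droproot="$1"
}

# Demonstration over constructed values; nothing here touches sysctl.
for v in "99:99,120" "99" "netuser,120" "99:" "99,120" "netuser,,120"; do
    if droproot_value_ok "$v"; then echo "accept: $v"; else echo "reject: $v"; fi
done
```

Run the script as-is to see which sample values pass; call drop_io_sock_privileges with the value you intend to use on the target once io-sock has finished starting.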
You can also use sysctl variables to selectively drop the abilities that io-sock retains after setting qnx.sec.droproot. For information, see the sysctl entry in the QNX OS Utilities Reference.
For systems that don't use security policies, you cannot use qnx.sec.droproot to specify additional abilities to retain if your networking driver needs them. Instead, you can specify any extra abilities when you start io-sock. For example:
on -A nonroot,allow,interrupt io-sock -d em
For more information, see the entry for on in the QNX OS Utilities Reference.
Abilities for networking operations
The io-sock networking stack provides a set of custom abilities that control a client's ability to perform various networking operations. For more information, see Custom abilities in the Abilities section of the System Security Guide.
Controlling access to packet filtering
Access to packet filtering (PF) and Berkeley Packet Filter (BPF) is controlled via filesystem ACLs on the /dev/pf and /dev/bpf devices. For more information, see Access Control Lists (ACLs) in the QNX OS User's Guide.