User IDs for system services
For best security, after system startup, all services should be running with their own unique user and group IDs.
This practice has several benefits:
- It makes it much easier to take advantage of POSIX permissions to control access to resources such as files and other resource managers.
- Security tests are, in some cases, stricter when two processes do not share a user ID than when they do.
Running resource managers with non-root user IDs requires privileges that are usually only available to user ID 0, root. There are two ways to grant these privileges to resource managers not running as root:
- Start the service as root and provide it with the option (usually -U) to have it switch to a different set of user and group IDs.
- Use security policies.
For example, sshd normally needs to be run as root, but security policies allow you to run it as non-root. For more information, see "Running sshd as non-root" in the Utilities Reference.
After system startup, you can check that all processes are non-root by using the pidin utility. You can also use pidin to verify that they have not retained the setuid ability, which would permit them to revert to root.
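The post-startup check described above, as an added example that is not part of the QNX documentation: a small shell audit that walks a process listing and flags anything still running as root, or still holding a saved user ID of 0 (which would let it revert to root). The five-column layout (pid, name, uid, euid, saved uid) and the sample listing are constructed for this example; they are not pidin's own output format, so map the columns you actually get from pidin onto this layout before running it for real.

```shell
#!/bin/sh
# Added example, not QNX code: audit a process listing for root or
# root-capable processes after system startup.
#
# ASSUMED column layout (constructed for this example, not pidin's format):
#   pid name uid euid suid
# Adjust the awk field numbers below if your listing differs.

# Constructed sample listing: two daemons never dropped root, sshd switched
# its real/effective uid but kept a saved uid of 0, the last two are clean.
SAMPLE='pid name uid euid suid
1 procnto-smp-instr 0 0 0
4097 devc-pty 0 0 0
4098 sshd 22 22 0
4099 io-pkt-v6-hc 33 33 33
4100 random 34 34 34'

# Read a listing on stdin, print one line per offending process, and
# exit 1 if any offender was found (0 if the listing is clean).
audit_uids() {
    awk '
        NR == 1 { next }                        # skip the header line
        $3 == 0 || $4 == 0 {                    # real or effective uid is root
            printf "ROOT        %-18s pid %s\n", $2, $1
            bad = 1; next }
        $5 == 0 {                               # saved uid is root: can revert
            printf "CAN-REVERT  %-18s pid %s (saved uid 0)\n", $2, $1
            bad = 1 }
        END { exit bad + 0 }'
}

# Convenience wrapper: audit a listing held in a string and print only
# the number of offending processes.
offender_count() {
    printf '%s\n' "$1" | audit_uids | wc -l | tr -d ' '
}

# Run the audit on the constructed sample when executed directly.
printf '%s\n' "$SAMPLE" | audit_uids \
    || echo "audit: root-capable processes remain (see above)"
```

The two rules are deliberately separate: a zero real or effective uid is an outright failure of the "every service has its own uid" goal, while a non-zero uid with a saved uid of 0 is the subtler case the text warns about, a service that looks non-root in a casual listing but can still regain root.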