jens-maus / RaspberryMatic

:house: A feature-rich but lightweight, buildroot-based Linux operating system alternative for your CloudFree CCU3/ELV-Charly 'homematicIP CCU' IoT smarthome central. Running as a pure virtual appliance (ProxmoxVE, Home Assistant, LXC, Docker/OCI, Kubernetes/K8s, etc.), on a dedicated embedded device (RaspberryPi, etc.) or on generic x86/ARM hardware.
https://raspberrymatic.de
Apache License 2.0

Force as much as possible processes to run as non privileged users #599

Open psytester opened 5 years ago

psytester commented 5 years ago

Today's (O)CCU concept is a genuine offer to be "hacker friendly", because all processes are running in root user context. Any "possible" vulnerability leads to fully unreserved, exploitable access.

As you stated that RaspberryMatic is something like an eQ-3 pre-Beta / Proof Of Concept / input channel for official eQ-3 releases, please introduce state-of-the-art user and service daemon management with non-privileged users. Start with lighttpd, using the built-in but not activated settings, because the CCU does not have such an account:

/etc/lighttpd/lighttpd.conf:
# server.username  = "lighttpd"
# server.groupname = "lighttpd"

Or use the "www-data" account.

Next is ReGaHss itself as non-root! The Java process for HMIPServer.jar, too, and last but not least the processes /bin/eq3configd, /bin/rfd and /bin/eq3-uds-services / ....

AND adjust the file system permissions according to their needs. Today all directories and files are owned by root and readable by the root user, by group "root" and by others.

Limit the (read) access to users and groups and change the ownership of sensitive files. Why do I need to be able to read homematic.regadom as any other process or user?

# ls -l /usr/local/etc/config/homematic.regadom
-rw-r--r--    1 root     root        401376 Apr 10 18:38 /usr/local/etc/config/homematic.regadom
# ps -afe
PID   USER     TIME  COMMAND
    1 root      0:00 init
   92 root      2:21 /bin/hss_led -l 6
  125 dbus      0:00 dbus-daemon --system
  155 root      0:00 /sbin/syslogd -n -m 0
  158 root      0:00 /sbin/klogd -n
  180 root      0:00 /sbin/udhcpc -b -t 100 -T 3 -S -x hostname:ccu3-webui -i eth0 -F ccu3-webui -V eQ3-CCU3 -s /bin/dhcp.script -p /var/run/udhcpc_eth0.pid
  319 root      0:32 /usr/sbin/ifplugd -i eth0 -fI -u0 -d10
  330 root      1:00 /usr/sbin/ntpd -g 0.de.pool.ntp.org 1.de.pool.ntp.org 2.de.pool.ntp.org 3.de.pool.ntp.org
  352 root      0:00 /bin/eq3configd
  366 root      0:07 /bin/ssdpd
  372 root      0:00 /usr/sbin/sshd
  423 root      0:44 /bin/multimacd -f /etc/multimacd.conf -l 5
  449 root      0:21 /bin/rfd -f /etc/config/rfd.conf -l 5
  464 root     20:07 java -Xmx128m -Dos.arch=arm -Dlog4j.configuration=file:///etc/config/log4j.xml -Dfile.encoding=ISO-8859-1 -Dgnu.io.rxtx.SerialPorts=/dev/mmd_hmip -jar /opt/HMServer/HMIPServe
  583 root      0:00 /bin/eq3-uds-services
  589 root      1:10 /bin/ReGaHss.community -f /etc/rega.conf -l 2
  659 root      0:01 /usr/sbin/crond -f -l 9
 4930 root      0:00 /usr/sbin/lighttpd-angel -f /etc/lighttpd/lighttpd.conf -D
 4931 root      0:00 /usr/sbin/lighttpd -f /etc/lighttpd/lighttpd.conf -D
 4932 root      0:07 /usr/sbin/lighttpd -f /etc/lighttpd/lighttpd.conf -D
 4933 root      0:07 /usr/sbin/lighttpd -f /etc/lighttpd/lighttpd.conf -D
 4934 root      0:08 /usr/sbin/lighttpd -f /etc/lighttpd/lighttpd.conf -D
 4935 root      0:08 /usr/sbin/lighttpd -f /etc/lighttpd/lighttpd.conf -D
 6697 root      0:00 sshd: root@pts/0
 6699 root      0:00 -sh
 6723 root      0:00 ps -afe
# cat /etc/passwd
root:.......
daemon:.......
bin:.......
sys:.......
sync:.......
mail:.......
www-data:.......
operator:.......
nobody:.......
avahi:.......
dbus:.......
sshd:.......
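The two checks the issue asks for, which daemons still run as root and which sensitive files are readable by "others", can be scripted so they can be re-run after each change. The following is an added example written for this page; it is not RaspberryMatic or OCCU code. The list of daemons expected to drop root, the abbreviated `ps` listing and the scratch file standing in for /usr/local/etc/config/homematic.regadom are all constructed from the issue text, and the `rega` account passed to `lock_down` is an assumed name for whatever service user ReGaHss ends up with.

```shell
#!/bin/sh
# Added example (not RaspberryMatic/OCCU code): audit helper for the two points
# raised in the issue, (1) daemons still running as root although they could
# run under a service account, and (2) sensitive files readable by "others".
set -eu
LC_ALL=C; export LC_ALL

# Assumed target list: daemons the issue proposes to run as non-root.
UNPRIV_DAEMONS="lighttpd lighttpd-angel ReGaHss.community java rfd eq3configd eq3-uds-services"

# Constructed sample in "USER ARGS" form, i.e. what `ps -eo user,args --no-headers`
# prints on the CCU (abbreviated from the issue's ps output; only basenames matter).
SAMPLE_PS='root /bin/hss_led -l 6
dbus dbus-daemon --system
root /sbin/syslogd -n -m 0
root /usr/sbin/sshd
root /bin/eq3configd
root /bin/rfd -f /etc/config/rfd.conf -l 5
root java -Xmx128m -jar /opt/HMServer/HMIPServer.jar
root /bin/eq3-uds-services
root /bin/ReGaHss.community -f /etc/rega.conf -l 2
root /usr/sbin/lighttpd-angel -f /etc/lighttpd/lighttpd.conf -D
root /usr/sbin/lighttpd -f /etc/lighttpd/lighttpd.conf -D
root /usr/sbin/lighttpd -f /etc/lighttpd/lighttpd.conf -D'

# root_services: read "USER ARGS" lines on stdin and print, once each, the
# basenames from UNPRIV_DAEMONS that are still running as root.
root_services() {
    while read -r user cmd _rest; do
        if [ "$user" != root ]; then continue; fi
        base=${cmd##*/}
        for d in $UNPRIV_DAEMONS; do
            if [ "$base" = "$d" ]; then printf '%s\n' "$base"; break; fi
        done
    done | sort -u
}

# mode_of: the 10-character permission string of a path, e.g. -rw-r--r--
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# is_world_readable: succeed if the "others" read bit (8th char) is set.
is_world_readable() {
    case "$1" in
        ???????r??) return 0 ;;
        *) return 1 ;;
    esac
}

# lock_down: strip all "others" bits and hand the file to the service account
# that actually needs it. chown needs root and an existing account, so it is
# reported rather than fatal when either is missing.
lock_down() {
    file=$1; owner=${2:-root}; group=${3:-root}
    chmod o-rwx "$file"
    chown "$owner:$group" "$file" 2>/dev/null \
        || echo "note: chown $owner:$group $file skipped (needs root and the account)"
}

# Demo on the constructed listing and a scratch copy standing in for
# /usr/local/etc/config/homematic.regadom (the real file is not touched).
demo() {
    scratch=$(mktemp)
    chmod 644 "$scratch"                     # same mode the issue shows
    printf '%s\n' "$SAMPLE_PS" | root_services | sed 's/^/still root: /'
    if is_world_readable "$(mode_of "$scratch")"; then
        echo "world-readable before: $(mode_of "$scratch")"
    fi
    lock_down "$scratch" rega rega           # "rega" is an assumed account name
    echo "after lock_down:        $(mode_of "$scratch")"
    rm -f "$scratch"
}

demo
```

On a real CCU the listing would come from `ps -eo user,args --no-headers | root_services` and the file arguments would be the actual config paths; the sample data only exists so the script runs anywhere. Dropping "others" read is the cheap half of the fix; the chown to a per-service account only pays off once that service itself no longer runs as root, which is the larger change the issue is asking for.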
jens-maus commented 5 years ago

This is actually already planned. So no need to convince me in any way. :)

However, please be prepared that some selected services will still need root access due to requirements to provide global executable rights. But as said, some changes are already planned in those areas. Just be prepared that this might take some time.