RGBCube/serenity
1
Fork 0
mirror of https://github.com/RGBCube/serenity synced 2025-07-26 21:27:34 +00:00
Code Issues Activity Actions

Base: Remove unnecessary UID separation of multi-process Browser

Browse source 
After looking closely at this, I realized that we've been running
all the service processes under separate user accounts even though
there's actually no need to.

Since we already use pledge() and unveil() to limit the scope and
access of these programs, separating them to another UID doesn't
achieve anything meaningful. So let's bring them back to the "anon"
user account and simplify things.

Programs affected:

- ImageDecoder
- RequestServer
- WebContent
- WebSocket

Longer term, I'd like for all of these to get spawned for the current
desktop user somehow, possibly by some kind of session manager, or
perhaps by the Browser program itself. But for now they remain under
SystemServer's control.
This commit is contained in:
Andreas Kling 2021-05-06 12:54:01 +02:00
parent 434c190667
commit a7e44d8b3c
3 changed files with 5 additions and 13 deletions
Download patch file Download diff file Expand all files Collapse all files

8
Base/etc/SystemServer.ini
View file

@ -3,7 +3,7 @@ Socket=/tmp/portal/request
SocketPermissions=660 SocketPermissions=660
Lazy=1 Lazy=1
Priority=low Priority=low
User=request User=anon
BootModes=text,graphical,self-test BootModes=text,graphical,self-test
MultiInstance=1 MultiInstance=1
AcceptSocketConnections=1 AcceptSocketConnections=1
@ -12,7 +12,7 @@ AcceptSocketConnections=1
Socket=/tmp/portal/webcontent Socket=/tmp/portal/webcontent
SocketPermissions=660 SocketPermissions=660
Lazy=1 Lazy=1
User=webcontent User=anon
BootModes=graphical BootModes=graphical
MultiInstance=1 MultiInstance=1
AcceptSocketConnections=1 AcceptSocketConnections=1
@ -21,7 +21,7 @@ AcceptSocketConnections=1
Socket=/tmp/portal/image Socket=/tmp/portal/image
SocketPermissions=660 SocketPermissions=660
Lazy=1 Lazy=1
User=image User=anon
BootModes=graphical BootModes=graphical
MultiInstance=1 MultiInstance=1
AcceptSocketConnections=1 AcceptSocketConnections=1
@ -37,7 +37,7 @@ Socket=/tmp/portal/websocket
SocketPermissions=660 SocketPermissions=660
Lazy=1 Lazy=1
Priority=low Priority=low
User=websocket User=anon
BootModes=text,graphical,self-test BootModes=text,graphical,self-test
MultiInstance=1 MultiInstance=1
AcceptSocketConnections=1 AcceptSocketConnections=1

6
Base/etc/group
View file

@ -4,13 +4,9 @@ tty:x:2:
phys:x:3:window,anon phys:x:3:window,anon
audio:x:4:anon audio:x:4:anon
utmp:x:5: utmp:x:5:
lookup:x:10:request,websocket,anon lookup:x:10:anon
request:x:11:webcontent,anon
notify:x:12:anon notify:x:12:anon
window:x:13:anon,notify window:x:13:anon,notify
clipboard:x:14:anon,notify clipboard:x:14:anon,notify
webcontent:x:15:anon
image:x:16:anon,webcontent
symbol:x:17:anon symbol:x:17:anon
websocket:x:18:webcontent,anon
users:x:100:anon users:x:100:anon

4
Base/etc/passwd
View file

@ -1,13 +1,9 @@
root::0:0:root:/root:/bin/sh root::0:0:root:/root:/bin/sh
lookup:!:10:10:LookupServer,,,:/:/bin/false lookup:!:10:10:LookupServer,,,:/:/bin/false
request:!:11:11:RequestServer,,,:/:/bin/false
notify:!:12:12:NotificationServer,,,:/:/bin/false notify:!:12:12:NotificationServer,,,:/:/bin/false
window:!:13:13:WindowServer,,,:/:/bin/false window:!:13:13:WindowServer,,,:/:/bin/false
clipboard:!:14:14:Clipboard,,,:/:/bin/false clipboard:!:14:14:Clipboard,,,:/:/bin/false
webcontent:!:15:15:WebContent,,,:/:/bin/false
image:!:16:16:ImageDecoder,,,:/:/bin/false
symbol:!:17:17:SymbolServer,,,:/:/bin/false symbol:!:17:17:SymbolServer,,,:/:/bin/false
websocket:!:18:18:WebSocket,,,:/:/bin/false
sshd:!:19:19:OpenSSH privsep,,,:/:/bin/false sshd:!:19:19:OpenSSH privsep,,,:/:/bin/false
anon:!:100:100:Anonymous,,,:/home/anon:/bin/sh anon:!:100:100:Anonymous,,,:/home/anon:/bin/sh
nona:!:200:200:Nona,,,:/home/nona:/bin/sh nona:!:200:200:Nona,,,:/home/nona:/bin/sh