UNIX agent root permissions

Document ID : KB000115409
Last Modified Date : 04/01/2019
Question:
Why does the UNIX Agent require root permissions? 
 
Answer:
The UNIX Agent can run jobs under different users: each job is executed under the user whose login credentials were retrieved for it. Switching the user context of a process in this way is only possible for a process running as root. The Agent can be started under a non-root user, but then every job runs in the context of the user who started the Agent.

The Agent itself has several security features that drastically limit its attack surface. It follows the architectural concept of privilege separation: during startup, the root process spawns a listener process running as the nobody user that handles all incoming communication, so no incoming socket connection is ever handled by a process running as root. The listener process handles all actions that do not require higher privileges. The Agent connects and authenticates directly to the Automation Engine over an AES-256 encrypted TCP connection, and it accepts jobs of any kind only from this trusted connection.

The UNIX Agent requires root privileges to perform the following actions:
  • Password check: the Agent verifies the user's password using native Unix APIs or, if PAM authentication is configured, authenticates the user through PAM.
  • Process creation: the Agent creates child processes with the system call fork() and switches the child to the job user, setting the real, effective and saved UID (rUID, eUID and saved UID). All further processes run in that user's context without involving the root process again.
  • File events: the Agent accesses the file system as different users, so it must switch user context.

These actions are also what lets the Agent keep track of process status and monitor file events, which would not be possible through privilege-escalation helpers such as sudo. To further harden the UNIX Agent, it does not permit any job execution as root by default, even if valid root credentials are passed to it. This protection can be disabled in the configuration; even then, valid root credentials are required to execute a job as root.
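The following C program is an added illustration of the privilege-separation pattern described above; it is not code from the UNIX Agent or from Automic. It assumes a Unix-like system with fork()/setuid() and a hypothetical allow_root_jobs flag standing in for the configuration setting the article mentions; the password/PAM check is not shown. A root parent forks a child, switches the child to the job user by setting the real, effective and saved IDs (the same mechanism that puts the listener process under the nobody user), verifies that the switch cannot be reversed, and execs the job while the parent keeps the child's PID and exit status.

```c
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Policy from the article: jobs for uid 0 are refused unless root jobs were
 * explicitly enabled in the configuration (allow_root_jobs is a hypothetical flag). */
int job_user_allowed(uid_t uid, int allow_root_jobs)
{
    if (uid == 0 && !allow_root_jobs)
        return 0;
    return 1;
}

/* Permanently switch the calling process to uid/gid.  setuid() called by root
 * replaces the real, effective and saved UID, so root cannot be regained.
 * Returns 0 on success, -1 on failure (errno set by the failing call). */
int drop_privileges(uid_t uid, gid_t gid)
{
    /* Supplementary groups must be replaced while still root; an unprivileged
     * process may not call setgroups() at all, so it is skipped in that case. */
    if (geteuid() == 0 && setgroups(1, &gid) != 0)
        return -1;
    /* Group before user: after the UID drop, setgid() would be refused. */
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)
        return -1;
    /* Verify the real and effective IDs ... */
    if (getuid() != uid || geteuid() != uid || getgid() != gid || getegid() != gid)
        return -1;
    /* ... and that the saved UID was dropped too: regaining root must fail. */
    if (uid != 0 && setuid(0) == 0) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

/* Run argv under the job user.  The root parent does the fork(); only the child
 * switches user and then execs, so the parent keeps the child's PID and exit
 * status (something a sudo-style wrapper would not give it).  Returns the job's
 * exit status, 126 if the user switch failed, 127 if exec failed, -1 on error. */
int run_job_as(uid_t uid, gid_t gid, char *const argv[])
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (drop_privileges(uid, gid) != 0)
            _exit(126);
        execvp(argv[0], argv);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) != pid)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Convenience wrapper: run a shell command line as the job user. */
int run_job_as_sh(uid_t uid, gid_t gid, const char *cmdline)
{
    char *argv[] = { "/bin/sh", "-c", (char *)cmdline, NULL };
    return run_job_as(uid, gid, argv);
}

int main(void)
{
    int allow_root_jobs = 0;                    /* hypothetical config flag, off by default */
    struct passwd *pw = getpwnam("nobody");     /* the same user the listener runs as */
    if (pw == NULL) {
        fprintf(stderr, "no 'nobody' user on this system\n");
        return 1;
    }
    /* Even valid root credentials do not get a job executed as root by default. */
    printf("job as root allowed: %s\n", job_user_allowed(0, allow_root_jobs) ? "yes" : "no");

    int rc = run_job_as_sh(pw->pw_uid, pw->pw_gid, "id");
    if (rc == 126)
        fprintf(stderr, "user switch failed (run as root to switch to nobody)\n");
    else
        printf("job exit status: %d\n", rc);
    return 0;
}
```

Build with `cc -o jobrunner jobrunner.c`. Started as root it runs `id` as nobody and prints that user's identity; started as an ordinary user the switch to nobody fails with EPERM and the child exits with 126, which is exactly the limitation the article describes for an Agent started under a non-root user.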