Automic Workload Automation

  • 1.  ucybsmgr-listener

    Posted Mar 06, 2020 06:41 AM
    Edited by Michael A. Lowry Oct 31, 2023 03:14 AM

    Service Manager version 12.3 introduced a new capability on UNIX: a clean separation between the Service Manager process, which is often run as root, and the process that opens a listening socket. Prior to v12.3, there was no separate listener process.

    It is generally considered bad security practice to have a process that runs as root also accept incoming network connections, because it increases the risk of privilege escalation. (In other words, it increases the risk that a remote attacker could exploit a bug in the program to run commands as root.)

    Starting with v12.3, these roles are segregated into two separate processes.

    • ucybsmgr: If started as root, starts most child processes as root, e.g., the UNIX agent, which needs to run as root in order to switch to other users when starting jobs. Starts ucybsmgr-listener as nobody.
    • ucybsmgr-listener: Child process of ucybsmgr. Started as nobody. Opens a listening TCP socket to accept incoming service manager commands from the Service Manager GUI, the Service Manager CLI, or the Automation Engine.

    # lsof | grep 8871
    ucybsmgr   91442            nobody    4u     IPv6          107213485       0t0        TCP *:8871(LISTEN)
    ucybsmgr   91442            nobody    6u     IPv6          107213486       0t0        UDP *:8871

    # ps -ef | grep 91441
    root      91441      1  0 16:06 pts/1    00:00:00 ./ucybsmgr -iucybsmgr_EXP2.ini uc4
    nobody    91442  91441  0 16:06 pts/1    00:00:00 ucybsmgr-listener uc4
    root     108004  91441  1 16:39 pts/1    00:00:10 /opt/uc4/agent/ucxjlx6 /opt/uc4/agent/ucxjlx6_EXP2.ini


    KB article 145565 describes the new program in more detail. Note that the separation of root process and listening process works even if SMGR_SUPPORT_LEGACY_SECURITY is set to Y. (In other words, this feature does not depend on TLS or CAPKI.)
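As an added illustration of the pattern described above (example code written for this thread, not Automic's own ucybsmgr source): a privileged parent forks a child, the child drops to an unprivileged account before it opens the listening socket, and the parent keeps its privileges without ever touching the network. Only the account name nobody and port 8871 are taken from the post; the function names and the loopback bind are constructed for the example. Run as root the child exits with 0; run as an ordinary user it exits with 2, because setgroups/setgid need root.

```c
/* Constructed example of root/listener privilege separation.
 * Not Automic's code; names and port are illustrative. */
#define _GNU_SOURCE
#include <grp.h>
#include <netinet/in.h>
#include <pwd.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

/* Drop all privileges to the named account. Order matters: supplementary
 * groups first, then gid, then uid, because once the uid is unprivileged
 * the earlier calls would be refused. Returns 0 on success, -1 on failure
 * (unknown account, or EPERM when the caller is not root). */
int drop_to_user(const char *name)
{
    struct passwd *pw = getpwnam(name);
    if (pw == NULL)
        return -1;
    if (getuid() == pw->pw_uid && geteuid() == pw->pw_uid)
        return 0;                      /* already running as that user */
    if (setgroups(0, NULL) != 0)
        return -1;
    if (setgid(pw->pw_gid) != 0)
        return -1;
    if (setuid(pw->pw_uid) != 0)
        return -1;
    /* Defensive check: if root can be regained, the drop did not happen. */
    if (setuid(0) == 0)
        return -1;
    return 0;
}

/* Open a TCP listening socket on 127.0.0.1:port (0 = kernel-chosen port).
 * Returns the socket fd, or -1 on error. */
int open_listener(uint16_t port)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    int one = 1;
    setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one);
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    sa.sin_port = htons(port);
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) != 0 || listen(fd, 16) != 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Fork the listener child. The socket is created only AFTER the drop, so
 * the privileged parent never owns a listening descriptor that the child
 * could inherit. Returns the child's pid to the parent, -1 if fork fails.
 * Child exit codes: 0 ok, 2 privilege drop failed, 3 socket failed. */
pid_t spawn_listener(const char *user, uint16_t port)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (drop_to_user(user) != 0)
            _exit(2);
        int fd = open_listener(port);
        if (fd < 0)
            _exit(3);
        /* A real service would accept() and serve commands here. */
        close(fd);
        _exit(0);
    }
    return pid;
}

int main(void)
{
    /* The parent plays the role of the privileged supervisor. */
    pid_t child = spawn_listener("nobody", 8871);
    if (child < 0) {
        perror("fork");
        return 1;
    }
    int status = 0;
    waitpid(child, &status, 0);
    printf("listener child exited with %d (0 = running as nobody and listening)\n",
           WEXITSTATUS(status));
    return 0;
}
```

The setuid(0) re-check inside drop_to_user is the part worth keeping in any real implementation: a drop that leaves the process able to regain uid 0 (for example because a capability was retained) is the failure mode this design is meant to rule out, and it is cheap to test for at startup.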



  • 2.  RE: ucybsmgr-listener

    Posted Mar 09, 2020 04:48 AM
    Thanks for this information Michael.

Does this separation of privileges only apply to processes running as root?
What about those service managers executed by sidadm? Will they also have a "nobody" child process?

    ------------------------------
    Regards,
    Carlos
    ------------------------------



  • 3.  RE: ucybsmgr-listener
    Best Answer

    Posted Mar 09, 2020 05:20 AM
    Edited by Michael A. Lowry Oct 31, 2023 03:08 AM

    I'm not sure. It might depend on whether the executing user has the authority to switch to the nobody user, but I suppose it's actually simpler than that. The separation is intended to prevent root from running processes that open listening sockets. So I guess that when ucybsmgr runs as a non-root user, the ucybsmgr-listener child process is started as the same user.



  • 4.  RE: ucybsmgr-listener

    Posted Mar 10, 2020 10:14 AM
    Hello Michael,

We tried to trigger a service with our sidadm; there is a "nobody" user, but ucybsmgr-listener runs with our uc4adm user.



    ------------------------------
    Regards,
    Carlos
    ------------------------------