Linux as a single-user system

By Jonathan Corbet
February 4, 2015

Back in the dim and distant past (2001), somebody going by the name "imel" posted a patch eliminating the concept of users in the kernel and causing everything to run as root. Unsurprisingly, this patch was not taken particularly seriously at the time. But a version of that patch has returned nearly fourteen years later; this time around it has succeeded in generating a bit more discussion.

The patch in question comes from Iulia Manda; it creates a kernel configuration option that removes the concept of multi-user operation. When appropriately configured, the kernel runs every process with user and group IDs of zero and all capability bits set. This option also removes support for a long list of system calls dealing with user and group IDs and capabilities.

As is often the case with the more eyebrow-raising patches, this one is driven by the kernel "tinification" effort that seeks to shoehorn the kernel into small-memory systems. Such systems are likely to be running a single, dedicated application, perhaps as the init process, and they have little use for many of the features provided by the kernel — including multi-user operation. Configuring that support out saves a bit of memory (about 25KB), making it easier to fit a contemporary kernel on the smallest systems-on-chip.

Given the nature of the patch, it would not be surprising to see a chorus of opposition on the lists. In fact, the set of opponents consists mainly of Casey Schaufler, who said:

Authoritative LSM hooks were loudly rejected in or about 1999. One of the primary reasons they were rejected was because you could use them do exactly what this patch does, which is to remove the basic Linux security policy. If attitudes have changed sufficiently that removing the "classic" security behavior is now deemed acceptable, I propose that we reintroduce the option of authoritative LSM hooks instead.

"Authoritative LSM hooks" are Linux security module functions that are able to increase the privilege level of a running process. They were extensively debated back in 2001 when the security module mechanism was being developed. Authoritative hooks did not make the cut in the end; they were seen as a significant security risk in their own right. At that time, one Casey Schaufler criticized the decision, seeing it as a selling-out of important functionality to ease the merging of security modules into the kernel.

Many years later, Casey clearly has not forgotten. He would apparently like to see the single-user option, if it is to be included at all, implemented as a security module using authoritative hooks. The tinification developers are unimpressed by that idea, though; reimplementing authoritative hooks would involve reviving an old (and resolved) discussion to get to a possibly inferior solution to the problem they are interested in addressing. So this patch is unlikely to evolve in that direction.

Beyond that, though, Casey raised a complaint that has come up before with regard to tinification patches: "You are opening the door to creating a 'Linux' kernel that does not behave like Linux." Many of the patches in this area will, by their basic nature, have that effect; they are, after all, concerned with removing functionality that is not needed for one specific use case. If the kernel is to be suitable for deployment on tiny systems, it will need to be flexible enough to "not behave like Linux" on those systems.

That is one way of seeing the problem, anyway. Josh Triplett responded that it has long been possible to configure functionality out of the kernel and that the single-user patches are nothing special or new:

So what's this about "not behaving like Linux"? Linux is whatever lives in linux.git; it's a lot more capable these days, and that doesn't just mean *adding* features. The alternative to a tinier Linux isn't a larger Linux, it's non-Linux embedded OSes that behave *nothing* like Linux because they're *not Linux*.

In the end, it comes down to a couple of questions: can the tinification developers package their changes in a way that the larger development community can accept, and is that community willing to tolerate patches that enable fundamental changes in how the kernel works? The discussion is not new, of course; it came up at the 2014 Kernel Summit among other places. It does not look like one that will come to any sort of quick conclusion. But, in the end, if Linux is not able to run well on very small systems, it will likely be pushed aside by a system that does work well in that environment.

Index entries for this article
Kernel	Embedded systems

Where does the memory saving come from?

Posted Feb 5, 2015 10:55 UTC (Thu) by epa (subscriber, #39769) [Link] (10 responses)

The patch doesn't appear to remove uid and gid fields from any data structures (in memory, I mean; changing filesystem format on disk is probably not worth it). Is that not considered a worthwhile saving because these tiny systems only run a small number of processes?

Come to think of it, I look forward to the next tinification patch that removes support for multiple processes, scheduling, and makes the only running process always have pid 1.

Where does the memory saving come from?

Posted Feb 5, 2015 12:07 UTC (Thu) by tao (subscriber, #17563) [Link] (6 responses)

I think scheduling would be needed anyway, at least in some simplified form, to handle the kernel threads (you know, all processes with the command listed as [foo]).

Or do you see your tiny system using none of those?

Where does the memory saving come from?

Posted Feb 5, 2015 14:37 UTC (Thu) by epa (subscriber, #39769) [Link] (5 responses)

You're right that there are kernel threads but do they need to be pre-empted? If you can be sure that no kernel thread will busy-wait for long periods then you can dispense with the scheduler interrupt and also with any complex scheduling decision (just run the first eligible thing in the list).

Where does the memory saving come from?

Posted Feb 5, 2015 16:21 UTC (Thu) by cesarb (subscriber, #6266) [Link] (3 responses)

IIRC, kernel threads can't be preempted unless you enable CONFIG_PREEMPT, and couldn't be preempted at all before CONFIG_PREEMPT was first added to the kernel a long time ago.

What always could be preempted (through any interrupt, but usually the timer tick) is userspace threads.

Where does the memory saving come from?

Posted Feb 5, 2015 16:35 UTC (Thu) by epa (subscriber, #39769) [Link] (2 responses)

Right - so if you have only a single userspace process, and it is single-threaded, then no scheduler is needed. Just run the first eligible task each time, and wait for it to block. If the number of kernel threads can be known ahead of time then a fixed size data structure can hold the details.

Where does the memory saving come from?

Posted Feb 12, 2015 0:52 UTC (Thu) by kevinm (guest, #69913) [Link] (1 responses)

The problem is then that the single userspace task can prevent necessary kernel threads from running.

Where does the memory saving come from?

Posted Feb 12, 2015 11:50 UTC (Thu) by epa (subscriber, #39769) [Link]

Hmm, I wasn't aware that kernel threads might need to pre-empt a userspace process. I expected that the user process would yield the next time it makes a system call, and if it makes no system calls, it doesn't need the kernel to do anything, and so kernel threads can wait.

I guess that then you need to add an explicit scheduling step when returning from a system call, which may not exist at the moment.

Where does the memory saving come from?

Posted Feb 6, 2015 22:19 UTC (Fri) by justincormack (subscriber, #70439) [Link]

You can do that with the NetBSD rump kernel (rumpkernel.org) - you can run the kernel threads as fibers if you like, run to completion.

Where does the memory saving come from?

Posted Feb 5, 2015 17:25 UTC (Thu) by josh (subscriber, #17465) [Link] (2 responses)

> The patch doesn't appear to remove uid and gid fields from any data structures (in memory, I mean; changing filesystem format on disk is probably not worth it). Is that not considered a worthwhile saving because these tiny systems only run a small number of processes?

That might potentially be worth doing, but it'd require a much more invasive patch for much less gain. And yes, unless you have a large number of processes or other data structures involving UID/GID, you likely wouldn't see much savings; and if you have a large number of processes, what are you doing running *all* of them as root? :)

> Come to think of it, I look forward to the next tinification patch that removes support for multiple processes, scheduling, and makes the only running process always have pid 1.

Compiling out fork() and exec() is definitely on the list.

Compiling out the scheduler would be rather more challenging, since that would also imply no kernel threads or other background processing.

Where does the memory saving come from?

Posted Feb 6, 2015 3:48 UTC (Fri) by flussence (guest, #85566) [Link]

Removing the scheduler entirely may be out of the question, but BFS may be worth looking at as an alternative. It's quite a bit less complex than CFS, and designed with low (realistic desktop) numbers of cores in mind.

Where does the memory saving come from?

Posted Feb 12, 2015 1:00 UTC (Thu) by kevinm (guest, #69913) [Link]

If you compile out fork() and execve() you might as well get rid of pipe() and kill() too.

Linux as a single-user system

Posted Feb 5, 2015 16:25 UTC (Thu) by malor (guest, #2973) [Link] (4 responses)

> "You are opening the door to creating a 'Linux' kernel that does not behave like Linux."

It strikes me that this is being horrified that someone might use their hardware differently than you do.

Who the heck cares? If they run a Linux kernel that looks nothing at all like Linux on my machine, what harm does that do me?

He makes it sound almost like the Linux design is somehow holy, and that it would be heretical to do it any other way.

Linux as a single-user system

Posted Feb 6, 2015 17:38 UTC (Fri) by ddevault (subscriber, #99589) [Link] (3 responses)

I think the idea is that no one minds what you do with your own kernel, but if you want patches merged upstream then they need to be in the spirit of Linux.

For what it's worth, I support this particular kernel patch.

Linux as a single-user system

Posted Feb 6, 2015 18:36 UTC (Fri) by malor (guest, #2973) [Link] (1 responses)

>then they need to be in the spirit of Linux.

How can you even define that? And why would you want to? If someone uses the kernel tree to make a box that doesn't look much at all like yours, how are you hurt?

Shouldn't decisions like that be purely from a maintenance/coding perspective?

Linux as a single-user system

Posted Feb 7, 2015 3:36 UTC (Sat) by ddevault (subscriber, #99589) [Link]

Well, what if someone showed up and wanted to have a JVM implementation merged into the kernel. At some point someone has to say "no, we won't take this upstream". I don't think anyone would be upset if someone "uses the kernel tree to make a box that doesn't look much at all like yours", but whether or not the changes they made should be brought upstream is the subject of discussion.

Linux as a single-user system

Posted Feb 6, 2015 23:08 UTC (Fri) by josh (subscriber, #17465) [Link]

> For what it's worth, I support this particular kernel patch.

If you might potentially have a use for it, we could use some explicit statements to that effect on LKML in response to the patch. Users asking for a feature make a much more compelling argument for that feature.

Linux as a single-user system

Posted Feb 7, 2015 1:42 UTC (Sat) by gerdesj (subscriber, #5446) [Link]

>then they need to be in the spirit of Linux.

I've just had a quick look through something called Linux 0.0.1. I'm happy to be shot down because I'm not a native C reader but I couldn't see any evidence of UID != 0 I did see a directory called /usr/root mentioned though for HOME strangely enough.

Should that original release not be considered Linux anymore? A bit glib maybe but I think the ability to flag away chunks of what is unnecessary for the task in hand is probably a good idea and well within the spirit of "Linux".

My x86 and amd64 usage is rather different from the other arches and this seems to me like yet another arch that simply has different capabilities to many of the other ones. It's possible I might want to make use of that facility (dropping extra code paths if it were possible) even on amd64 if it might improve performance. Give *me* the choice, please.

Linux as a single-user system

Posted Feb 12, 2015 9:57 UTC (Thu) by callegar (guest, #16148) [Link]

It is funny to see this side to side with another article about enforcing password policies. For some reason I expect that if a similar configuration switch enters the kernel there will be home boxes configured with the switch on. In fact, I know a few people who used to configure their machines with just a root user. Well, maybe security awareness has risen a bit since that time.