
What is group sgx (999)?

After the recent update a new system group sgx was added. As it is not in the arch linux doc, what is it about? Is it legit? What program installs it?
[2021-04-06T20:32:55+0200] [ALPM] running '20-sysusers.hook'...
[2021-04-06T20:32:55+0200] [ALPM-SCRIPTLET] Creating group sgx with gid 999.
The file that installs the group is 20-sysusers.hook, but when I search for the esysusers package that contains it, I get "No matching packages found". Please update your database.

I'd prefer control over the groups I add. I don't use software guard extensions (if that's what it is about), it is disabled in my BIOS and in my kernel.

It is a split package, part of xudev.

From xudev/src/systemd-stable/NEWS (I had to download the entire source for this):

* Intel SGX enclave device nodes (which expose a security feature of
  newer Intel CPUs) will now be owned by a new system group "sgx".

According to my search, Intel SGX may be a security risk:

There is more. As I said, I disabled it, and I want a choice of adding groups or not.

Edit: Is this relevant for esysusers, or elogind, or the soon-to-come xudev?

* /dev/ is not mounted noexec anymore. This didn't provide any
  significant security benefits and would conflict with the executable
  mappings used with /dev/sgx device nodes. The previous behaviour can
  be restored for individual services with NoExecPaths=/dev (or by allow-
  listing and excluding /dev from ExecPaths=).

This should probably go into logind.conf. According to /proc/mounts, my /dev is
dev /dev devtmpfs rw,nosuid,relatime,size=10240k,nr_inodes=944475,mode=755 0 0

This is the first time I learn that it could be mounted noexec.
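Added example (not part of the original post or of the systemd/xudev sources): a small POSIX sh check that reads a mounts table in /proc/mounts format and reports whether the /dev mount carries the noexec option the NEWS entry talks about. It assumes the table is passed as a file path (defaulting to /proc/mounts) and uses a constructed sample line copied from the output quoted above.

```shell
#!/bin/sh
# Added example: inspect the mount options of /dev and test for "noexec".
# Assumes a mounts table in /proc/mounts format; path defaults to /proc/mounts.

# Print the mount options (4th field) of the line whose mount point is /dev.
dev_mount_options() {
    mounts_file="${1:-/proc/mounts}"
    awk '$2 == "/dev" { print $4; exit }' "$mounts_file"
}

# Return 0 (true) if /dev is mounted noexec, 1 otherwise.
dev_is_noexec() {
    opts="$(dev_mount_options "${1:-/proc/mounts}")"
    case ",$opts," in
        *,noexec,*) return 0 ;;
        *)          return 1 ;;
    esac
}

# Constructed sample: the /proc/mounts line quoted in the post above.
SAMPLE_MOUNTS="$(mktemp)"
printf '%s\n' \
  'dev /dev devtmpfs rw,nosuid,relatime,size=10240k,nr_inodes=944475,mode=755 0 0' \
  > "$SAMPLE_MOUNTS"

if dev_is_noexec "$SAMPLE_MOUNTS"; then
    echo "/dev is mounted noexec"
else
    echo "/dev is NOT mounted noexec (options: $(dev_mount_options "$SAMPLE_MOUNTS"))"
fi
rm -f "$SAMPLE_MOUNTS"
```

Run it without an argument to check the live system; for the quoted line it reports that /dev is not noexec, which matches the NEWS entry saying the noexec mount was dropped.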

Re: What is group sgx (999)?

Reply #1
There are many groups installed by default in any Artix installation and many more that can be added depending on the packages you install. esysusers creates those groups based on sysusers.d files that come with the packages. The package in this case is eudev (or xudev) which creates the sgx group. You're probably not going to get very far without some kind of udev on your system, so whatever udev adds isn't really optional.

I only briefly glanced at the article but the vulnerability in question has to do with a feature that exists in the actual CPU itself. Whether or not a group named "sgx" exists on a random GNU/Linux system has nothing to do with it. The only protection appears to be certain compiler flags. Or don't use intel as your processor.
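Added example (not from this reply or from esysusers itself): a POSIX sh helper that does the lookup described in Reply #1 in the other direction, finding which sysusers.d fragment declares a given group so the owning package can then be identified. It assumes the documented sysusers.d line format ("g <name> <gid> ...") and uses a constructed sample directory; the final `pacman -Qo` step is only mentioned in a comment, not run.

```shell
#!/bin/sh
# Added example: locate the sysusers.d fragment that declares a group.
# Assumes sysusers.d syntax where group lines start with "g <name> <gid>".

# Print the names of all groups (type "g") declared in one sysusers.d file.
sysusers_groups_in() {
    awk '$1 == "g" { print $2 }' "$1"
}

# Print every *.conf file under the given directories that declares group $1.
sysusers_files_declaring_group() {
    group="$1"; shift
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        for f in "$dir"/*.conf; do
            [ -f "$f" ] || continue
            if awk -v g="$group" '$1 == "g" && $2 == g { found = 1 } END { exit !found }' "$f"; then
                echo "$f"
            fi
        done
    done
}

# Constructed sample directory with two fragments (not real package files).
SAMPLE_DIR="$(mktemp -d)"
cat > "$SAMPLE_DIR/udev.conf" <<'EOF'
# constructed sample modelled on the sysusers.d syntax
g sgx - -
g input - -
EOF
cat > "$SAMPLE_DIR/dbus.conf" <<'EOF'
u dbus - "D-Bus daemon" - -
EOF

echo "Groups declared in udev.conf: $(sysusers_groups_in "$SAMPLE_DIR/udev.conf" | tr '\n' ' ')"
echo "Files declaring sgx: $(sysusers_files_declaring_group sgx "$SAMPLE_DIR")"
# On a real Artix/Arch system:
#   sysusers_files_declaring_group sgx /etc/sysusers.d /usr/lib/sysusers.d
# and then `pacman -Qo <file>` on each result to see which package ships it.
rm -rf "$SAMPLE_DIR"
```

The awk filter matches only on the first two fields, so it ignores comments, user ("u") lines and any gid or GECOS text that follows the group name.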

Re: What is group sgx (999)?

Reply #2
too much panic for nothing, my friend....


Re: What is group sgx (999)?

Reply #3
@OP: In general, adding a new user/group, usually with nonroot privileges and reserved for use by a service, is better for security than running the service as root.