The 9.8 (2018-12) server release introduced support for “de-elevation”. De-elevation means that the exacqVision Server services run at lowered operating system privilege levels. In a theoretical case of a security breach or vulnerability where an attacker could somehow inject code to be executed under the guise of the server, that code will not be able to run at a privileged level, and in turn the operating system will block its execution.
This note is intended to document the various differences between an elevated (legacy) and de-elevated system, as well as any necessary adjustments to our standard Support/troubleshooting procedures.
Windows:
All exacq services run as Network Service instead of Local System.
Linux/m-Series:
Our installer creates a low-privilege “edvrserver” user and group.
All exacq services run as “edvrserver” instead of root.
Edge:
De-elevation is not supported, so no change.
Server files (including logs, audit, config XML, etc.) will be inaccessible unless you are an
administrative OS user, regardless whether server is elevated or de-elevated.
This also means that when you upgrade an older server, permissions will be automatically tightened on the corresponding directories.
If you manually change permissions on any of these directories for any reason, they will be re-tightened on restarting the service.
In Linux, you can also prefix commands with “sudo” to access these files and/or directories.
Requesting support exports:
With remote clients should be unaffected.
With local clients, core dump files will not be included unless the client is running as an administrative OS user.