Additional security in AXIS OS and ACAP applications

Axis is planning to introduce signing of ACAP applications as default and remove root-privileged access in future AXIS OS releases.

In upcoming AXIS OS releases, Axis will introduce additional security measures in AXIS OS and ACAP applications. Starting from AXIS OS 12.0, scheduled for Q3 2024, it will only be possible to install signed ACAP applications in Axis devices by default and the ability for root-privileged access will be removed.

New functionality will first be introduced on the AXIS OS active track. Over time the added functionality will be enabled by default in the firmware but include the ability to disable for specific use cases and development purposes. From AXIS OS 12.0 it will no longer be possible to disable certain functionality.

The removal of root-privileged access will affect ACAP applications that are using "root" for the user and group, or applications that are dependent on root-privileged access. Changes will be gradually introduced on the AXIS OS active track to give ACAP application developers time to adapt applications that are not developed according to Axis recommended  "sdk” APPGRP (The group which the application belongs to) and the “sdk” APPUSR (the user the application will run as). The ability to disable certain functionality will be included in the AXIS OS Long-term support (LTS) track 2024, which will be supported until 2029.

In AXIS OS 12.0 the following changes will be fully implemented:

• ACAP applications will not be able to run with root privileges but will instead be run as “sdk” or dedicated own user.
• ACAP Install- and Uninstall-script will not be able to run with root-privileges.
• It will only be possible to install signed ACAP applications in Axis devices by default.
• A user that may be named “root”, created upon first installation will no longer have root-privileges.
• SSH users will no longer have root privileges.

• There will be no possibility for any user or ACAP application to login with root-privileges. This will for example ensure protection of data and the integrity of technical architecture if several ACAP applications and system services are running on the same device.
• By signing an ACAP package you can make sure that the content of the package is not tampered with between the release and installation on the Axis device.

This schedule is preliminary and both timing and included features are subject to change as work progresses.

AXIS OS 11.2 (January 2023)

• ACAP signing can be enabled through parameter.
   

AXIS OS 11.5 (Planned for June 2023)

• VAPIX/Web Access: The user “root” is an ordinary administrator.
• ACAP Privileges: Root privileges can be disabled.
   

AXIS OS 11.6 (Planned for September 2023)

• SSH Access: Root user access can be disabled.
   

AXIS OS 11.8 (Planned for January 2024)

• SSH Access: Root user access is disabled by default but can be enabled.
• ACAP Privileges: Root privileges is disabled by default but can be enabled.
   

AXIS OS 11.x (Planned for Q3 2024)

• Axis devices only accept installation of signed ACAP applications by default. Devices can be configured to accept unsigned applications.
   

AXIS OS LTS 2024 (Planned for H2 2024)

Support: 2024-2029. Can be used as a stop-gap solution until an ACAP application is fully adapted.

• SSH Access: Root user access is disabled by default but can be enabled.
• ACAP Privileges: Root privileges is disabled by default but can be enabled.
   

AXIS OS 12.0 (Planned for H2 2024)

• SSH Access: Root user access removed and cannot be enabled.
• ACAP Privileges: ACAP applications cannot run with root-user permissions.
   

VAPIX/Web interface

User privileges over VAPIX will go unchanged since any admin account will be able to perform all configuration-related tasks as of today. It is recommended to create dedicated admin-accounts or operator/viewer accounts and avoid using the current root account as outlined in the AXIS OS Hardening Guide.

All features will still be accessible and configurable through the web interface of the device.

SSH

User root over SSH will be disallowed. It will be replaced by a customer defined user with more limited access privileges.

Creating a “root”-user

It will still be possible to create a user named “root”, but the user will only have administrator privileges.

ACAP application development

ACAP applications will not be allowed to run with root privileges but will be required to define a user with limited privileges. Privileges can be expanded through explicit definition in ACAP manifest. For future-proofing your ACAP application and for additional security, we recommend that you specify it to run as a generated dynamic user in the manifest.json schema. A static named user will still be supported in AXIS OS 12.0, but the option may be removed at a later point.

Recommended testing for ACAP applications

Starting from AXIS OS 11.5 (June 2023), it will be possible to test your ACAP applications with root-privileged access removed. Testing can be performed by toggling ‘allow root-privileged apps' in the product web interface. Please check the VAPIX Library for instructions on how to use the toggle. By testing this functionality, you can ensure that your applications work as expected with root-privileged access removed. Please refer to the feedback and support section at the end of this guide if you have any questions or feedback.

Signing ACAP applications

Users will only be able to install signed ACAP applications in Axis devices per default. During the signing process, a signature is added at the end of the application package. The signature is verified by the device when installing the ACAP application.

• Partners in the Axis Technology Integration Partner Program can use the ACAP Service Portal to sign ACAP applications.
• ACAP application developers that develop applications for own use can temporarily allow installation of unsigned ACAP applications.
   

ACAP applications already installed on a device

Any signed or unsigned ACAP applications already installed on an Axis device will continue to work as before even if the device is upgraded to an AXIS OS version that require ACAP signing by default. If a device is reset to factory default, or an unsigned ACAP application needs to be reinstalled on the device, the ACAP application will need to be signed or the device will need to be temporarily configured to allow installation of unsigned ACAP applications.

Installing unsigned ACAP applications

It will be possible to temporarily allow installation of unsigned ACAP applications by actively configuring a device to accept unsigned applications through the web interface of the device or using a VAPIX API. (Available from AXIS OS 11.2). AXIS Device Manager 5 can be used to configure several products at the same time.

Allowing installation of unsigned applications can be useful during development and testing. It is also an option if you develop your own ACAP application, or if you need to install an unsigned ACAP application from a vendor you trust for a specific use case. Once you are done with testing and have installed an unsigned ACAP application as needed, it is recommended that you configure your device to only allow installation of signed ACAP applications again.

• As a partner in the Axis Technology Integration Partner Program, please submit any questions and feedback to the development helpdesk.
• If you have a use case where certain functionality used by an ACAP application currently requires root-user permissions or have a question about ACAP application signing, please contact us at acap-privileges@axis.com.