Axis is planning to introduce signing of ACAP applications as default and remove root-privileged access in future AXIS OS releases.
In upcoming AXIS OS releases, Axis will introduce additional security measures in AXIS OS and ACAP applications. Starting from AXIS OS 12.0, scheduled for Q3 2024, it will only be possible to install signed ACAP applications in Axis devices by default and the ability for root-privileged access will be removed.
New functionality will first be introduced on the AXIS OS active track. Over time the added functionality will be enabled by default in the firmware but include the ability to disable for specific use cases and development purposes. From AXIS OS 12.0 it will no longer be possible to disable certain functionality.
The removal of root-privileged access will affect ACAP applications that are using "root" for the user and group, or applications that are dependent on root-privileged access. Changes will be gradually introduced on the AXIS OS active track to give ACAP application developers time to adapt applications that are not developed according to Axis recommended "sdk” APPGRP (The group which the application belongs to) and the “sdk” APPUSR (the user the application will run as). The ability to disable certain functionality will be included in the AXIS OS Long-term support (LTS) track 2024, which will be supported until 2029.
In AXIS OS 12.0 the following changes will be fully implemented:
See the preliminary release schedule on this page for more details on how functionality is planned to be introduced over time.
This schedule is preliminary and both timing and included features are subject to change as work progresses.
AXIS OS 11.2 (January 2023)
AXIS OS 11.5 (Planned for June 2023)
AXIS OS 11.6 (Planned for September 2023)
AXIS OS 11.8 (Planned for January 2024)
AXIS OS 11.x (Planned for Q3 2024)
AXIS OS LTS 2024 (Planned for H2 2024)
Support: 2024-2029. Can be used as a stop-gap solution until an ACAP application is fully adapted.
AXIS OS 12.0 (Planned for H2 2024)
VAPIX/Web interface
User privileges over VAPIX will go unchanged since any admin account will be able to perform all configuration-related tasks as of today. It is recommended to create dedicated admin-accounts or operator/viewer accounts and avoid using the current root account as outlined in the AXIS OS Hardening Guide.
All features will still be accessible and configurable through the web interface of the device.
SSH
User root over SSH will be disallowed. It will be replaced by a customer defined user with more limited access privileges.
Creating a “root”-user
It will still be possible to create a user named “root”, but the user will only have administrator privileges.
ACAP application development
ACAP applications will not be allowed to run with root privileges but will be required to define a user with limited privileges. Privileges can be expanded through explicit definition in ACAP manifest. For future-proofing your ACAP application and for additional security, we recommend that you specify it to run as a generated dynamic user in the manifest.json schema. A static named user will still be supported in AXIS OS 12.0, but the option may be removed at a later point.
Recommended testing for ACAP applications
Starting from AXIS OS 11.5 (June 2023), it will be possible to test your ACAP applications with root-privileged access removed. Testing can be performed by toggling ‘allow root-privileged apps' in the product web interface. Please check the VAPIX Library for instructions on how to use the toggle. By testing this functionality, you can ensure that your applications work as expected with root-privileged access removed. Please refer to the feedback and support section at the end of this guide if you have any questions or feedback.
Signing ACAP applications
Users will only be able to install signed ACAP applications in Axis devices per default. During the signing process, a signature is added at the end of the application package. The signature is verified by the device when installing the ACAP application.
ACAP applications already installed on a device
Any signed or unsigned ACAP applications already installed on an Axis device will continue to work as before even if the device is upgraded to an AXIS OS version that require ACAP signing by default. If a device is reset to factory default, or an unsigned ACAP application needs to be reinstalled on the device, the ACAP application will need to be signed or the device will need to be temporarily configured to allow installation of unsigned ACAP applications.
It is not possible to differentiate signed and unsigned ACAP applications on a device once installed.
Installing unsigned ACAP applications
It will be possible to temporarily allow installation of unsigned ACAP applications by actively configuring a device to accept unsigned applications through the web interface of the device or using a VAPIX API. (Available from AXIS OS 11.2). AXIS Device Manager 5 can be used to configure several products at the same time.
Allowing installation of unsigned applications can be useful during development and testing. It is also an option if you develop your own ACAP application, or if you need to install an unsigned ACAP application from a vendor you trust for a specific use case. Once you are done with testing and have installed an unsigned ACAP application as needed, it is recommended that you configure your device to only allow installation of signed ACAP applications again.
Any installed unsigned ACAP applications will continue to work even if you configure a device to not allow installation of unsigned ACAP applications.