Service Credential and Privilege Map

The goal of this section is to document the credential and privilege requirements for services used by the Immutable Service Container project. Note that the credentials and privileges listed here may differ from what is available by default in the Solaris OS. Where possible, RFEs are filed to account for the discrepancy.

Web Servers

#  Distribution  Name      User      Group     Privileges                          Notes
1  Solaris       Apache 2  webservd  webservd  proc_fork, proc_exec, net_privaddr  Note 1, Note 2
2  Coolstack     Apache 2  webservd  webservd  proc_fork, proc_exec, net_privaddr  Note 1, Note 2
3  Open Source   Lighttpd  TBD       TBD       TBD                                 TBD
4  Coolstack     Lighttpd  TBD       TBD       TBD                                 TBD

Web Proxy Servers

#  Distribution  Name      User      Group     Privileges                          Notes
1  Solaris       Apache 2  webservd  webservd  proc_fork, proc_exec, net_privaddr  Note 1, Note 2
2  Coolstack     Apache 2  webservd  webservd  proc_fork, proc_exec, net_privaddr  Note 1, Note 2
3  Solaris       Squid     TBD       TBD       TBD                                 TBD
4  Coolstack     Squid     TBD       TBD       TBD                                 TBD

Memory Cache Servers

#  Distribution  Name       User       Group      Privileges            Notes
1  Solaris       Memcached  memcached  memcached  proc_fork, proc_exec  Note 3, Note 7

Database Servers

#  Distribution  Name   User   Group  Privileges            Notes
1  Solaris       MySQL  mysql  mysql  proc_fork, proc_exec  N/A
2  Coolstack     MySQL  TBD    TBD    TBD                   TBD

Load Balancers

#  Distribution  Name  User  Group  Privileges               Notes
1  Open Source   pen   pen   pen    proc_fork, net_privaddr  Note 1, Note 7

DNS Servers

#  Distribution  Name  User  Group  Privileges                                                       Notes
1  Solaris       BIND  bind  bind   file_dac_read, net_privaddr, proc_exec, proc_fork, sys_resource  N/A

Time Servers

#  Distribution  Name  User  Group  Privileges                                               Notes
1  Solaris       NTP   root  ntp    net_privaddr, proc_fork, proc_lock_memory, sys_resource  Note 4, Note 5, Note 7

System Log Servers

#  Distribution  Name    User  Group  Privileges                                     Notes
1  Solaris       Syslog  root  root   net_privaddr, proc_exec, proc_fork, sys_mount  Note 6

Notes

  • Note 1: This service only requires net_privaddr when it is configured to bind to a privileged network port (one that is <1024).
  • Note 2: This service may require proc_exec, but the requirement is configuration dependent. If this service is running CGI or other external programs, proc_exec is needed.
  • Note 3: This service does not use any Solaris privileges. The privileges listed are needed as a result of how the service is delivered in Solaris and executed by the Service Management Framework. An RFE has been created to make this service privilege aware.
  • Note 4: This service must be run as the root user due to a restriction in the software.
  • Note 5: As written, this service lacks the privileges to set the clock of the actual system when run from within a non-global zone. Add the proc_priocntl and sys_time privileges if this functionality is needed.
  • Note 6: This service requires net_privaddr to bind to a privileged port, sys_mount to mount the /etc/.syslog_door, and proc_exec to execute the /usr/bin/m4 program to parse its configuration file.
  • Note 7: The invocation of this service (within its service method) can be tailored (using ppriv(1)) to run without proc_exec.
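The following script is an added example, not part of the original page or the project's own scripts: it turns one row of the Web Servers table into an SMF method_context, encoding Note 1 and Note 2 as conditions on the privileges value, applies it with svccfg(1M) and svcadm(1M), and checks the outcome with svcprop(1) and ppriv(1). The svccfg/svcadm/svcprop invocations are the standard Solaris 10 ones; the FMRI svc:/network/http:apache2, the daemon name httpd and the port in the usage lines are assumptions, and the privilege list follows the table rather than adding anything the page does not list.

```shell
#!/bin/sh
# Added example (not part of the original page): apply one row of the Web
# Servers table as an SMF method_context and verify what the daemon got.
# Assumes Solaris 10 svccfg(1M), svcadm(1M), svcprop(1) and ppriv(1).
# The FMRI, daemon name and port in the usage lines are placeholders.

# web_server_privileges PORT [cgi]
# Builds the start/privileges value for the Apache 2 rows, applying the Notes:
#   Note 1: net_privaddr only when binding a privileged port (< 1024)
#   Note 2: proc_exec only when CGI or other external programs are run
web_server_privileges() {
    port=$1; mode=${2:-static}
    privs="proc_fork"                                       # always listed in the table
    [ "$mode" = "cgi" ] && privs="$privs,proc_exec"         # Note 2
    [ "$port" -lt 1024 ] && privs="$privs,net_privaddr"     # Note 1
    printf '%s\n' "$privs"
}

# apply_method_credential FMRI USER GROUP PRIVILEGES
# Writes the start method's method_context into the repository, then
# refreshes the running snapshot and restarts the instance so it takes effect.
apply_method_credential() {
    fmri=$1; user=$2; group=$3; privs=$4
    svccfg -s "$fmri" setprop start/user = astring: "$user"
    svccfg -s "$fmri" setprop start/group = astring: "$group"
    svccfg -s "$fmri" setprop start/privileges = astring: "$privs"
    svcadm refresh "$fmri"
    svcadm restart "$fmri"
}

# show_method_credential FMRI DAEMON
# Check both what the repository says and what the running processes actually
# hold: ppriv -S prints the E, I, P and L sets of each daemon process, which
# should match the table row (E = I = P = the privileges field, L = all/zone).
show_method_credential() {
    fmri=$1; daemon=$2
    svcprop -p start/user -p start/group -p start/privileges "$fmri"
    for pid in $(pgrep -x "$daemon"); do
        /usr/bin/ppriv -S "$pid"
    done
}

# Usage, for Apache 2 listening on port 80 without CGI (placeholders):
#   apply_method_credential svc:/network/http:apache2 webservd webservd "$(web_server_privileges 80)"
#   show_method_credential  svc:/network/http:apache2 httpd
```

The verification step matters more than the configuration step: the table documents what a service should need, and comparing the live ppriv -S output of the daemon against the row is how a discrepancy (a privilege the daemon holds but the table does not list, or one it lacks and fails on) shows up.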

Privileges & SMF

A service can be configured to run with only a limited set of privileges and/or as a specific user or group (uid/gid) by specifying a method_context (see smf_method(5)).

If a profile is specified, use_profile is enabled, and the method executable is listed in exec_attr(4), the attributes specified therein are used when executing the corresponding method.

If use_profile is not enabled, the user, group, and privileges settings are used.

If no user is specified, or the user is root, the corresponding method is started as the root user with the privileges specified. In this case the Effective, Inheritable, and Permitted sets are all populated with what was specified in the privileges field.

If no user is specified or it is root, and no privileges are specified, the Effective, Permitted, and Limit sets are given the maximum available set of privileges ("All" in the global zone or "Zone" in a non-global zone). The Inheritable set is set to Basic.

If a non-root user is specified but no privileges are given, the Limit set is "All" (or "Zone" in non-global zones), and the Inheritable, Permitted, and Effective sets are set to Basic.

It may be desirable to run the start or stop method with more privileges than the actual service-providing daemon. This is possible by having the start method drop its privileges before, or as, it invokes the daemon. For services that run as root this requires that the Inheritable set is populated first, before the daemon is invoked:

Example: dropping proc_exec
#!/bin/ksh
# The initialisation of the service goes here

# Copy the Permitted set into the Inheritable set, so that the daemon
# exec'ed below keeps it (on exec, E and P become I intersected with L).
/usr/bin/ppriv -s $(print I=$(ppriv -S $$ | nawk -F": " '/P:/ { print $2 }')) $$
# Exec the daemon with proc_exec removed from its Limit set
/usr/bin/ppriv -e -s L-proc_exec /path/to/the/daemon

Caveat: this relies on Uncommitted ppriv(1) output, so (though the chance is small that it will be changed) it may break. A Change Request (6355756) has been filed to permit the use of keywords to refer to a process' own permitted set etc.

Services that run as a normal user, or as root but with privileges set in the privileges field of the method_context, do not need this modification: there the Inheritable set is already populated, so the standard ppriv(1) options suffice:

Example: dropping proc_exec (2)
/usr/bin/ppriv -e -s L-proc_exec /path/to/the/daemon
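To make the difference between the two examples concrete, here is an added model of the rules stated above; it is not from the original page and runs on any POSIX shell rather than on Solaris. Privilege sets are comma-separated strings; "basic" is taken to be the Solaris 10 basic set (file_link_any, proc_exec, proc_fork, proc_info, proc_session) and "all" is modelled as the finite union of the privileges named on this page, both being assumptions of the model. The exec rule applied is the one from privileges(5): at each exec the Effective and Permitted sets become the Inheritable set intersected with the Limit set, and the Limit set is unchanged. The three scenarios are the root service without a privileges field dropping proc_exec directly, the same service after copying P into I as the first example does, and a non-root service with privileges='basic,net_privaddr' in its method_context.

```shell
#!/bin/sh
# Added model of the privilege-set rules described in this section (not from
# the original page). Sets are comma-separated, sorted, duplicate-free strings.
# ASSUMPTIONS of the model: "basic" is the Solaris 10 basic set, and "all" is
# the finite union of the privileges named on this page.
LC_ALL=C; export LC_ALL

BASIC="file_link_any,proc_exec,proc_fork,proc_info,proc_session"
ALL="$BASIC,file_dac_read,net_privaddr,proc_lock_memory,proc_priocntl,sys_mount,sys_resource,sys_time"

# join newline-separated privileges back into one comma-separated list
join_privs() { awk 'NR > 1 { printf "," } { printf "%s", $0 } END { printf "\n" }'; }

# norm SPEC: expand the keywords basic/all, sort, drop duplicates
norm() {
    printf '%s\n' "$1" | tr ',' '\n' | awk -v basic="$BASIC" -v all="$ALL" '
        $0 == "basic" { n = split(basic, b, ","); for (i = 1; i <= n; i++) print b[i]; next }
        $0 == "all"   { n = split(all, a, ",");   for (i = 1; i <= n; i++) print a[i]; next }
        NF { print }' | sort -u | join_privs
}

# set_intersect A B: privileges present in both sets
set_intersect() {
    { norm "$1" | tr ',' '\n'; norm "$2" | tr ',' '\n'; } |
        awk 'NF { seen[$0]++ } END { for (p in seen) if (seen[p] == 2) print p }' |
        sort | join_privs
}

# set_minus A B: A without the privileges in B (what ppriv -s L-proc_exec does to L)
set_minus() {
    norm "$1" | tr ',' '\n' |
        awk -v drop="$(norm "$2")" '
            BEGIN { n = split(drop, d, ","); for (i = 1; i <= n; i++) gone[d[i]] = 1 }
            NF && !($0 in gone)' | join_privs
}

# daemon_permitted SCRIPT_I SCRIPT_L DROPPED
# The method script (Inheritable=SCRIPT_I, Limit=SCRIPT_L) runs
#   ppriv -e -s L-DROPPED daemon
# Two execs happen: script -> ppriv, then ppriv (with its Limit set reduced)
# -> daemon. At each exec, E and P become I intersected with L (privileges(5)).
# Prints the daemon's Permitted (== Effective) set.
daemon_permitted() {
    ppriv_p=$(set_intersect "$1" "$2")      # ppriv's own sets after the first exec
    daemon_l=$(set_minus "$2" "$3")         # Limit set after ppriv -s L-DROPPED
    set_intersect "$ppriv_p" "$daemon_l"
}

# Root service, no privileges field (E=P=L=all, I=basic): the method script drops
# proc_exec straight away, without first copying P into I. The daemon is left
# with basic minus proc_exec, which is not what the table rows ask for.
without_raising_inheritable() { daemon_permitted "basic" "all" "proc_exec"; }

# Same service, after the script ran  ppriv -s I=<its own P> $$  (I becomes all):
# the daemon keeps everything except proc_exec.
with_raising_inheritable() { daemon_permitted "all" "all" "proc_exec"; }

# Non-root service with privileges='basic,net_privaddr' in its method_context:
# E, I and P are that set from the start (Limit stays all), so no extra step.
with_privileges_field() { daemon_permitted "basic,net_privaddr" "all" "proc_exec"; }

printf 'root, no privileges field, direct drop  : %s\n' "$(without_raising_inheritable)"
printf 'root, I populated from P first          : %s\n' "$(with_raising_inheritable)"
printf 'webservd, privileges=basic,net_privaddr : %s\n' "$(with_privileges_field)"
```

The first scenario is the failure mode the section warns about: because a root method without a privileges field starts with I = basic, the daemon it execs through ppriv inherits only the basic set, and the service then fails for lack of the privileges the table lists for it. The second and third scenarios are the two working cases the examples show.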
  • Note: Dropping privileges from one's own Permitted set or from the permitted set of a child process (ppriv -e -s P-...) does not seem to work as expected. Once it is clear why this is so, a Change Request will be filed and this section will be updated.
  • Note: Removing proc_exec from a service that uses isaexec(3C) to invoke the platform-optimised version causes the service not to start: the binary that uses isaexec(3C) ends up calling execve(3C) but is no longer permitted to do so, lacking the privilege for it. There is a workaround for those platform-optimised services that use /usr/lib/isaexec, but other similar tools are not handled:
Workaround permitting isaexec applications to run without proc_exec
#!/bin/ksh
#
# This script executes a given command with any arguments specified
# but strips away one or more privileges from its limit set.
# It will check if an executable is actually a link to /usr/lib/isaexec
# and if so will expand the name itself before running it, so that things
# work as expected. This, however, only works for hardlinked files. Binaries
# that are a copy of isaexec will not trigger this behaviour, so they will
# probably not be run correctly.
#

# This can be set to be the privilege(s) that need to be removed;
# the syntax is a "privsetspec" (see ppriv(1) and priv_str_to_set(3C)).
forbiddenprivs='proc_exec'

##########################################################################
if [ $# -ge 1 ]; then
        # Full path given, or a bare name to look up in PATH?
        if [ "$(/usr/bin/basename "${1}")" != "${1}" ]; then
                executable=${1}
        else
                executable=$(which "${1}")
        fi
        # Executable?
        if [ ! -x "${executable}" ]; then
                print "${1} is not executable."
                exit 1
        fi
        # isaexec? Compare inode numbers; this only works for things that
        # live on the same filesystem as /usr (hard links to /usr/lib/isaexec).
        isaexec_ino=$(/usr/bin/ls -i /usr/lib/isaexec | /usr/bin/nawk '{print $1}')
        target_ino=$(/usr/bin/ls -i "${executable}" | /usr/bin/nawk '{print $1}')
        if [ "${isaexec_ino}" -eq "${target_ino}" ]; then
                # Same file: pick the first platform-specific binary from isalist(1),
                # as isaexec itself would, and run that one directly.
                for i in $(/usr/bin/isalist); do
                        target=$(/usr/bin/dirname "${executable}")/$i/$(/usr/bin/basename "${executable}")
                        if [ -x "${target}" ]; then
                                # Populate I from P first (see above), then exec without the forbidden privileges
                                /usr/bin/ppriv -s $(print I=$(/usr/bin/ppriv -S $$ | /usr/bin/nawk -F": " '/P:/ { print $2 }')) $$
                                shift 1
                                exec /usr/bin/ppriv -e -s "L-${forbiddenprivs}" "${target}" "$@"
                        fi
                done
        fi
        # Not an isaexec wrapper: set Inheritable to the max possible and exec the thing
        /usr/bin/ppriv -s $(print I=$(/usr/bin/ppriv -S $$ | /usr/bin/nawk -F": " '/P:/ { print $2 }')) $$
        exec /usr/bin/ppriv -e -s "L-${forbiddenprivs}" "$@"
else
        print "Usage: $(/usr/bin/basename $0) command [ options ] "
        exit 2
fi
Copyright 1994-2009 Sun Microsystems, Inc.