Folks,

Small write-up on profiles, authorizations and privileges related to
ipadm(1M). Please comment if you have any questions.

changes to prof_attr(4)
-----------------------
We will be using the existing 'Network Management' profile, which is
already defined in the prof_attr(4) database. The purpose of this profile,
as defined in /etc/security/prof_attr/, is to "Manage the host and
network configuration", which clearly fits our bill of network interface
configuration.

changes to auth_attr(4)
-----------------------
None of the authorizations defined in /etc/security/auth_attr seem to
suffice for us. They are mostly related to nwam, reading/writing
/etc/hosts, link security and wifi configuration. We would like to
introduce the following authorizations:

"solaris.network.interface."
    Network interface configuration. Note this is not assigned to a user
    and is used as a heading.

"solaris.network.interface.write"
    Allows modifying network interfaces (verified in library,
    libipadm.so.1)

"solaris.network.interface.read"
    Allows viewing of interface configurations (verified in library,
    libipadm.so.1)

These authorizations will be registered in auth_attr(4).
The profile, Basic Solaris User, will have the
solaris.network.interface.read authorization.

changes to exec_attr(4) and privileges(5)
-----------------------------------------
ipadm(1M) would need the 'sys_ip_config' privilege to configure the
system's IP interfaces and to configure network parameters/tunables.
Further, ipadm(1M) would also need 'file_dac_write' to write to the ipadm
repository, maintained at '/etc/ipadm/ipadm.conf', via library
libipadm.so.1.

Only ipadm(1M) would need the 'file_dac_write' privilege. And we would
update exec_attr, for the profile Network Management, as shown below.

    Network Management:solaris:cmd:::/sbin/ipadm:euid=ipadm;egid=sys;privs=sys_ip_config,file_dac_write

The above entry implies that only for those users who have the Network
Management profile, ipadm would execute with the extra privileges of
sys_ip_config and file_dac_write.

Other consumers, who will be linking into libipadm.so.1 in the first phase
of the project, already run with uid=0 or have the 'file_dac_write'
privilege. So we should have no issues making them use our library.

For example:
------------
ifconfig -> Network Management:solaris:cmd:::/sbin/ifconfig:uid=0

nwamd ->
~~~~~~~~~~~~~~~~~~~~~~~
bash-3.2# ppriv `pgrep nwam`
101151: /lib/inet/nwamd
flags = PRIV_AWARE
E: basic,file_chown_self,file_dac_read,file_dac_write,
net_privaddr, net_rawaccess,proc_audit,proc_owner,proc_setid,sys_config,
sys_ip_config, sys_ipc_config,sys_net_config,sys_res_config,sys_resource
~~~~~~~~~~~~~~~~~~~~~~~

rcm_daemon -> needs to be root to run
~~~~~~~~~~~~~~~~~~~~~~~
ppriv `pgrep rcm_daemon`
141841: ./rcm_daemon
flags = <none>
E: all
~~~~~~~~~~~~~~~~~~~~~~~

The 'proc_audit' privilege would be deferred for now and would be tracked
as an RFE.

Please let us know if anybody has any comments.

Thanks,
~Girish
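
As an added example (not part of the original mail and not project code), the following Python script parses exec_attr(4) entries like the two quoted above and flags those that run as uid 0 or grant a privilege that overrides file permission checks. The flagging policy and the function names are assumptions of this example.

```python
"""Added example: summarise what exec_attr(4) entries grant."""

# Entries quoted in the mail above; the ipadm line is the proposed one,
# re-joined onto a single line. Layout: name:policy:type:res1:res2:id:attr
ENTRIES = """\
Network Management:solaris:cmd:::/sbin/ipadm:euid=ipadm;egid=sys;privs=sys_ip_config,file_dac_write
Network Management:solaris:cmd:::/sbin/ifconfig:uid=0
"""

# Review policy assumed for this example (not a Solaris rule): privileges
# that override file permission checks get flagged for a closer look.
BROAD_PRIVS = {"all", "file_dac_read", "file_dac_write"}


def parse_entry(line):
    """Split one exec_attr line into a dict; ValueError if malformed."""
    fields = line.strip().split(":")
    if len(fields) != 7:
        raise ValueError("expected 7 colon-separated fields: %r" % line)
    profile, policy, kind, _res1, _res2, path, attr = fields
    attrs = {}
    for pair in filter(None, attr.split(";")):
        key, sep, value = pair.partition("=")
        if not sep:
            raise ValueError("attribute without '=': %r" % pair)
        attrs[key.strip()] = value.strip()
    privs = [p.strip() for p in attrs.get("privs", "").split(",") if p.strip()]
    return {"profile": profile, "policy": policy, "type": kind,
            "path": path, "attrs": attrs, "privs": privs}


def review(entry):
    """Return review findings for one parsed entry."""
    findings = ["runs with %s=%s" % (k, entry["attrs"][k])
                for k in ("uid", "euid") if entry["attrs"].get(k) in ("0", "root")]
    findings += ["grants %s" % p for p in sorted(BROAD_PRIVS & set(entry["privs"]))]
    return findings


def audit(text):
    """Map each command path to its findings, skipping blanks and comments."""
    entries = [parse_entry(l) for l in text.splitlines()
               if l.strip() and not l.lstrip().startswith("#")]
    return {e["path"]: review(e) for e in entries}


if __name__ == "__main__":
    for path, findings in audit(ENTRIES).items():
        print(path, "->", "; ".join(findings) or "no findings")
```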