[ https://issues.apache.org/jira/browse/TS-3103?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

James Peach updated TS-3103:
----------------------------
    Fix Version/s: 5.2.0
         Assignee: James Peach  (was: Leif Hedstrom)

> improve privilege elevation
> ---------------------------
>
>                 Key: TS-3103
>                 URL: https://issues.apache.org/jira/browse/TS-3103
>             Project: Traffic Server
>          Issue Type: Improvement
>          Components: Core, Security
>            Reporter: James Peach
>            Assignee: James Peach
>             Fix For: 5.2.0
>
>
> Improve privilege elevation so that we have a single function that alters 
> process credentials, and does it correctly.
> Here is the behavior I plan to implement:
>    1. traffic_manager runs with real root credentials, but
>       effective credentials as given by proxy.config.admin.user_id.
>       It will elevate back to root to perform privileged operations.
>    2. traffic_server is started with real root credentials,
>       but attempts to permanently drop to an unprivileged user early
>       in the startup process. The unprivileged user account for
>       traffic_server is also given by proxy.config.admin.user_id.
>       When traffic_server drops privilege, it does so permanently.
>    3. traffic_server may elevate privilege depending on the
>       value of proxy.config.ssl.cert.load_elevated and
>       proxy.config.plugin.load_elevated. This elevation will only
>       be supported on platforms that have per-thread capabilities.
>       traffic_server will check at startup whether to retain
>       sufficient capabilities to allow it to elevate later. This
>       means that the *.load_elevated configurations will not be
>       reloadable.
>    4. After traffic_server drops privilege, we will continue to abort
>       with a fatal error if the real or effective user ID is root. This
>       behavior can be avoided by defining BIG_SECURITY_HOLE=1 at build
>       time.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
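
The permanent drop from item 2 and the post-drop root check from item 4, as an added example that is not Traffic Server's code or part of the original message. The function names and the fallback UID/GID 65534 are assumptions, and the capability-retaining elevation of item 3 is not covered.

```c
/* Added example: permanent privilege drop with post-drop verification. */
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1   /* for setgroups() on glibc */
#endif
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* The check from item 4: fatal if the real or effective UID is root. */
static int running_as_root(uid_t ruid, uid_t euid)
{
    return ruid == 0 || euid == 0;
}

/* Permanently switch to uid/gid. Returns 0 on success, -1 on failure. */
static int drop_privileges_permanently(uid_t uid, gid_t gid)
{
    if (uid == 0) {              /* "dropping" to root is not a drop */
        errno = EINVAL;
        return -1;
    }
    /* Order matters: groups first, then GID, then UID. Once the UID is
     * gone the process no longer has the right to change the others. */
    if (geteuid() == 0 && setgroups(1, &gid) != 0)
        return -1;
    if (setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    /* Verify the result rather than trusting the return codes. */
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid)
        return -1;
    /* If a saved UID of 0 survived, one of these would succeed. */
    if (setuid(0) == 0 || seteuid(0) == 0)
        return -1;
    return running_as_root(getuid(), geteuid()) ? -1 : 0;
}

int main(void)
{
    /* Hypothetical target: the caller's own IDs when not root,
     * otherwise 65534 (commonly "nobody"; an assumption). */
    uid_t uid = getuid() ? getuid() : 65534;
    gid_t gid = getuid() ? getgid() : 65534;
    if (drop_privileges_permanently(uid, gid) != 0) {
        perror("drop_privileges_permanently");
        return 1;
    }
    printf("running as uid=%d gid=%d\n", (int)getuid(), (int)getgid());
    return 0;
}
```

A process with real root but a non-root effective UID fails the verification step here, because setuid() then changes only the effective UID.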
