Kacheong Poon wrote:
yifan wrote:
http://www.opensolaris.org/os/project/vrrp/vrrp_design.pdf
In 9.2 of the above doc, it mentions that because the state
transition executable may be "used to protect other services,
it's very likely to manipulate other programs or SMF services,"
hence it needs to be executed by root. Why's that? For
example, suppose the executable is run with the basic user
privileges and the user is "vrrp." And a service X needs to be
notified when a VRRP instance state transition happens so that
it will do something which requires, say, all privileges. Will
the following work?
1. X creates some IPC channel (say a UNIX domain socket) waiting
for state transition notification.
2. When the VRRP state transition executable runs, it talks to
X via the IPC.
3. X checks the credential of the peer and makes sure that its
uid is vrrp.
4. X does whatever it needs to do using whatever privileges it
has already.
The above does not require the executable to be run by root.
And if the executable does not need to be run by root, does
vrrpd need to be run by root?
This scheme should work without requiring vrrpd to run as
root. But there are some limitations. It implies that only
services that run as a daemon could utilize the notification.
For example, if an administrator wanted to enable forwarding
only when the VRRP turns into master state, an executable is
required to do "svcadm enable/disable ipv4-forwarding" or
"ndd -set /dev/ip ip_forwarding 1/0". Another requirement
for this scheme is the services should be aware of the
notification interface and make some changes to exploit it.
To make it flexible and easy to use, we prefer the simple
solution of raising the security threshold to allow all kinds
of actions, because privileges required for various executions
are unpredictable. Opinions?
Yifan
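The credential-checked notification channel of steps 1 to 4 above, written out as an added example; this is not code from the thread or from the OpenSolaris VRRP project. It assumes a one-line "MASTER"/"BACKUP" message format and an allow-listed uid supplied by the caller, both of my choosing, and it exercises the exchange over a socketpair in one process so it can be run without installing a daemon. On Solaris the service reads the peer's effective uid with getpeerucred(3C)/ucred_geteuid(3C); on Linux it uses the SO_PEERCRED socket option. Service X authorizes the peer before it parses anything, which is the order that matters when X holds more privilege than the sender.

```c
/* Added example: privilege-separated state-transition notification.
 * Service X (privileged) owns the socket; the VRRP transition executable
 * (uid vrrp, no extra privileges) connects and sends the new state.
 * X checks the peer uid first and only then reads and acts on the message.
 * Message format and verdict codes are assumptions for this example. */
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/un.h>
#ifdef __sun
#include <ucred.h>              /* getpeerucred(3C) on Solaris/illumos */
#endif

/* Effective uid of the peer on a connected AF_UNIX socket, (uid_t)-1 on failure. */
static uid_t peer_euid(int fd)
{
#ifdef __sun
    ucred_t *uc = NULL;
    if (getpeerucred(fd, &uc) != 0)
        return (uid_t)-1;
    uid_t u = ucred_geteuid(uc);
    ucred_free(uc);
    return u;
#else
    struct ucred cr;
    socklen_t len = sizeof cr;
    if (getsockopt(fd, SOL_SOCKET, SO_PEERCRED, &cr, &len) != 0)
        return (uid_t)-1;
    return cr.uid;
#endif
}

/* What service X decides to do; returned rather than acted on so it is testable. */
enum { VERDICT_REJECT = 0, VERDICT_MASTER = 1, VERDICT_BACKUP = 2, VERDICT_BAD_MSG = 3 };

/* Service X side: authorize by uid, then read one state message. */
int service_handle(int fd, uid_t allowed_uid)
{
    uid_t peer = peer_euid(fd);
    if (peer == (uid_t)-1 || peer != allowed_uid)
        return VERDICT_REJECT;          /* untrusted sender: do not even parse */

    char buf[64];
    ssize_t n = read(fd, buf, sizeof buf - 1);
    if (n <= 0)
        return VERDICT_BAD_MSG;
    buf[n] = '\0';
    if (strcmp(buf, "MASTER\n") == 0)
        return VERDICT_MASTER;          /* e.g. enable ip forwarding here */
    if (strcmp(buf, "BACKUP\n") == 0)
        return VERDICT_BACKUP;          /* e.g. disable ip forwarding here */
    return VERDICT_BAD_MSG;
}

/* Transition executable side: send the new state as one line. */
int notify_state(int fd, const char *state)
{
    char msg[32];
    int len = snprintf(msg, sizeof msg, "%s\n", state);
    if (len < 0 || (size_t)len >= sizeof msg)
        return -1;
    return write(fd, msg, (size_t)len) == len ? 0 : -1;
}

/* Run the whole exchange in-process over a socketpair; both ends then carry
 * this process's credentials, so allowed_uid selects accept vs. reject. */
int simulate(const char *state, uid_t allowed_uid)
{
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0)
        return -1;
    int verdict = VERDICT_BAD_MSG;
    if (notify_state(sv[1], state) == 0)
        verdict = service_handle(sv[0], allowed_uid);
    close(sv[0]);
    close(sv[1]);
    return verdict;
}

int main(void)
{
    uid_t me = geteuid();
    printf("MASTER from allowed uid -> %d\n", simulate("MASTER", me));
    printf("MASTER from other uid   -> %d\n", simulate("MASTER", me + 1));
    printf("garbage from allowed uid-> %d\n", simulate("reboot", me));
    return 0;
}
```

Yifan's two caveats still apply to this shape: only a long-running service X can hold the socket and the privileges, and X has to be written against this interface. The `svcadm` or `ndd` actions an administrator might want would have to be performed by X itself, in its own privileges, on receipt of MASTER or BACKUP.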
networking-discuss mailing list