We'd like to restart the timer on this case.  The restarted
timer expires 29 April 2009.

Darren raised some concerns about privilege escalation and
suggested a possible avenue to addressing those concerns
(using /etc/security/exec_attr and pfexec to control the
execution environment of the program executed), but that
avenue did not work out.

We have simplified the specification - we now explicitly give the
program all privileges, rather than a large (and for practical
purposes omnipotent) set.  We have clarified it, specifying the
exact FMRI and property group that will store the properties, and
the authorization that will most directly allow a user to edit
those properties.

Our discussions with Darren mentioned requiring that the user
be root and have all privileges in order to set these values, but
that is not a practical restriction for data that is stored in
SMF - SMF defines authorizations that allow near-total control
over its activities, including the ability to change any property
on any service in the system (solaris.smf.modify), which is
clearly omnipotent.  (Consider, for instance, the ability
to change the properties that represent the command to be run
to start a service.)

Inspection of the existing properties that can be modified
using solaris.smf.modify.application suggests that although it
is not clear that one can directly escalate privilege to
omnipotence, one can certainly muck up the system with it.

Given the limitations of the problem ...

     - That it is desirable to offer the user unrestricted
       control over the system in the program to be executed,
       and
     - That it is desirable to store the configuration data in
       SMF properties,
       and
     - The available SMF and RBAC expertise

... we believe that this is the best solution available.

Minor variations are possible.  We could rearrange things
so as to change exactly which SMF-related authorizations
could be used to configure this feature.  (But note that
some of the high-level SMF authorizations have global effect,
and will be usable to control our properties no matter what
we do.)

The essence would remain, though:  there would be some set
of authorizations which could be used to achieve total
control over the system.  Those could be existing authorizations
that *already* allow substantial or total control, or could be
fine-grained new authorizations that allowed total control
only through this mechanism.

All that said, below are some diffs, and then the full
specification.

27,31c27,29
<     In order to configure properties using sharectl(1M), a user must
<     be the superuser or assume an equivalent role to obtain the
<     solaris.smf.value.smb and solaris.smf.manage.smb RBAC
<     authorizations, or use the SMB Management RBAC profile, which
<     is part of the File System Management profile.
---
 >     In order to configure these properties using sharectl(1M), a user
 >     must be the superuser or assume an equivalent role to obtain the
 >     solaris.smf.modify.application RBAC authorization.
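Review bot: the rewritten paragraph reads as though solaris.smf.modify.application were the only route to these properties, but the cover note on this case already concedes that broader SMF authorizations (solaris.smf.modify is named) reach any property on any service, these included; say so here, since a reader of the spec alone is deciding who can put a root, all-privileges command into map/unmap. Dropping the reference to the SMB Management and File System Management profiles also leaves open whether those profiles still confer an authorization that covers this property group; the paragraph should state which profiles, if any, do.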
38,44c36
<     The following privileges are enabled for the exec'd process:
<     PRIV_FILE_CHOWN, PRIV_FILE_CHOWN_SELF, PRIV_FILE_DAC_EXECUTE,
<     PRIV_FILE_DAC_READ, PRIV_FILE_DAC_SEARCH, PRIV_FILE_DAC_WRITE,
<     PRIV_FILE_LINK_ANY, PRIV_FILE_OWNER, PRIV_FILE_SETID,
<     PRIV_PROC_EXEC, PRIV_PROC_FORK, PRIV_PROC_INFO, PRIV_PROC_OWNER,
<     PRIV_PROC_SESSION, PRIV_PROC_SETID, PRIV_SYS_CONFIG,
<     PRIV_SYS_LINKDIR, and PRIV_SYS_MOUNT.
---
 >     All privileges are enabled for the exec'd process.
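Review bot: "All privileges are enabled for the exec'd process" replaces an enumerated set with omnipotence, yet the surrounding text still says only that privileges are enabled in the effective and inheritable sets "when needed"; state which sets of the child are full after exec and whether the parent smbd drops them again after the fork, so the reader can tell what the hook actually inherits. Given that the hook runs with everything, the spec should also require map and unmap values to be absolute paths and note that the referenced file's ownership and mode are the administrator's responsibility; the examples later in the case use /tmp, which anyone on the system can write to.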
45a38,40
 >     These properties are stored in SMF(5) in the
 >     svc:/network/smb/server:default service under the exec property group.
 >
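Review bot: the property group is named (exec) but its type is not; solaris.smf.modify.application governs property groups of type application, so this hunk should state that the exec group is of that type, and give the type of each property, so the authorization statement in the earlier hunk can be checked against the manifest.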

1. Introduction
      1.1. Project/Component Working Name:
           SMB/CIFS share exec properties
      1.2. Name of Document Author/Supplier:
           Author:  Hoa Nguyen
      1.3. Date of This Document:
           20 March, 2009

      A patch binding is requested for this change.
      This is a Committed interface.

4. Technical Description

     This fast-track proposes new service properties to support the
     execution of a command or script when connecting or disconnecting
     CIFS shares.  These properties are configurable with sharectl(1M)
     and will be applied to all shares.  The command may be used to
     perform automated administrative tasks each time a share is mapped
     or disconnected, for example, to create home directories or monitor
     resources.  The command will be executed using the credentials of
     the smbd daemon, which, by default, is root/sys.  The command
     will be executed using one of the exec() functions.  The content
     of the environment is not specified.

     See also 6766364 Add scripting support to Autohome.

     In order to configure these properties using sharectl(1M), a user
     must be the superuser or assume an equivalent role to obtain the
     solaris.smf.modify.application RBAC authorization.

     Additional privileges are required to allow the smbd process to
     fork a child process and execute the commands.  The privileges
     will be enabled in the effective set and inheritable set when
     needed for command execution.  Otherwise, they will be disabled.

     All privileges are enabled for the exec'd process.

     These properties are stored in SMF(5) in the
     svc:/network/smb/server:default service under the exec property group.

     The service property names and values are as follows:

     map        The value is a command to be executed when connecting
             to the share.  The command can take the following
             arguments, which will be substituted when the command
             is exec'd as described below.

             %U - Windows username.

             %D - Name of the domain or workgroup of %U.

             %h - The server hostname.

             %M - The client hostname, or "" if not available.

             %L - The server NetBIOS name.

             %m - The client NetBIOS name, or "" if not available.
             This option is only valid for NetBIOS connections
             (port 139).

             %I - The IP address of the client machine.

             %i - The local IP address to which the client is
             connected.

             %S - The name of the share.

             %P - The root directory of the share.

             %u - The UID of the Unix user.

     unmap        The value is a command to be executed when
             disconnecting the share.  The command can take the
             same substitutions listed on the map property.

     disposition    A value that controls whether the share connection
             proceeds or is terminated when the map command fails.
             The disposition property has an effect only when the map
             property has been set.

             disposition = [ continue | terminate ]

             continue    Proceed with share connection if the
                     map command fails.  This is the default
                     in the event that disposition is not
                     specified.

             terminate    Disconnect the share if the map
                     command fails.

     Examples of setting these properties with sharectl(1M):

         sharectl  set -p map="/tmp/map_script %U" smb
         sharectl  set -p unmap=/tmp/unmap_script smb
         sharectl  set -p disposition=terminate smb

     For example, after

         sharectl  set -p map="/tmp/map_script %U" smb

     the map command would be invoked with arguments of the form:

         arg0 = /tmp/map_script
         arg1 = <Windows username>
         arg2 = NULL

6. Resources and Schedule
      6.4. Steering Committee requested information
         6.4.1. Consolidation C-team Name:
         ON
      6.5. ARC review type: FastTrack
      6.6. ARC Exposure: open


