We'd like to restart the timer on this case. The restarted timer expires 29 April 2009.
Darren raised some concerns about privilege escalation and suggested a possible avenue for addressing those concerns (using /etc/security/exec_attr and pfexec to control the execution environment of the program executed), but that avenue did not work out.

We have simplified the specification - we now explicitly give the program all privileges, rather than a large (and for practical purposes omnipotent) set. We have clarified it, specifying the exact FMRI and property group that will store the properties, and the authorization that will most directly allow a user to edit those properties.

Our discussions with Darren mentioned requiring that the user be root and have all privileges in order to set these values, but that is not a practical restriction for data that is stored in SMF - SMF defines authorizations that allow near-total control over its activities, including the ability to change any property on any service in the system (solaris.smf.modify), which is clearly omnipotent. (Consider, for instance, the ability to change the properties that represent the command to be run to start a service.) Inspection of the existing properties that can be modified using solaris.smf.modify.application suggests that although it is not clear that one can directly escalate privilege to omnipotence, one can certainly muck up the system with it.

Given the limitations of the problem ...

- That it is desirable to offer the user unrestricted control over the system in the program to be executed, and
- That it is desirable to store the configuration data in SMF properties, and
- The available SMF and RBAC expertise ...

... we believe that this is the best solution available.

Minor variations are possible. We could rearrange things so as to change exactly which SMF-related authorizations could be used to configure this feature. (But note that some of the high-level SMF authorizations have global effect, and will be usable to control our properties no matter what we do.)
The essence would remain, though: there would be some set of authorizations which could be used to achieve total control over the system. Those could be existing authorizations that *already* allow substantial or total control, or could be fine-grained new authorizations that allowed total control only through this mechanism.

All that said, below are some diffs, and then the full specification.

27,31c27,29 < In order to configure properties using sharectl(1M), a user must < be the superuser or assume an equivalent role to obtain the < solaris.smf.value.smb and solaris.smf.manage.smb RBAC < authorizations, or use the SMB Management RBAC profile, which < is part of the File System Management profile. --- > In order to configure these properties using sharectl(1M), a user > must be the superuser or assume an equivalent role to obtain the > solaris.smf.modify.application RBAC authorization. 38,44c36 < The following privileges are enabled for the exec'd process: < PRIV_FILE_CHOWN, PRIV_FILE_CHOWN_SELF, PRIV_FILE_DAC_EXECUTE, < PRIV_FILE_DAC_READ, PRIV_FILE_DAC_SEARCH, PRIV_FILE_DAC_WRITE, < PRIV_FILE_LINK_ANY, PRIV_FILE_OWNER, PRIV_FILE_SETID, < PRIV_PROC_EXEC, PRIV_PROC_FORK, PRIV_PROC_INFO, PRIV_PROC_OWNER, < PRIV_PROC_SESSION, PRIV_PROC_SETID, PRIV_SYS_CONFIG, < PRIV_SYS_LINKDIR, and PRIV_SYS_MOUNT. --- > All privileges are enabled for the exec'd process. 45a38,40 > These properties are stored in SMF(5) in the > svc:/network/smb/server:default service under the exec property group. >

1. Introduction

1.1. Project/Component Working Name:
     SMB/CIFS share exec properties

1.2. Name of Document Author/Supplier:
     Author: Hoa Nguyen

1.3. Date of This Document:
     20 March, 2009

A patch binding is requested for this change.
This is a Committed interface.

4. Technical Description

This fast-track proposes new service properties to support the execution of a command or script when connecting or disconnecting CIFS shares.
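Review bot: the replacement text in hunk 27,31c27,29 changes who can set these values without stating the consequence. The old text tied configuration to the SMB-specific authorizations (solaris.smf.value.smb, solaris.smf.manage.smb) or the SMB Management profile; the new text requires solaris.smf.modify.application, which is not SMB-specific. Anyone who already holds that authorization for an unrelated application property group can now set a command that smbd will exec, and an administrator who was delegated only the SMB Management profile may no longer be able to set these properties at all. Both effects belong in the paragraph, e.g. "Note that solaris.smf.modify.application also grants the ability to set the map and unmap commands, and so is equivalent to root on a system with these properties in use."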
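Review bot: "All privileges are enabled for the exec'd process." in hunk 38,44c36 replaces an enumerated set with an unbounded one, but the sentences it sits among still say the extra privileges are enabled in the effective and inheritable sets "when needed for command execution" and disabled otherwise; the spec should say plainly whether that toggling now covers the full privilege set, or simply that the child runs as root with every privilege. It should also state the administrative consequence for the map and unmap values: the command must be an absolute path to a root-owned, non-world-writable executable, since whatever that path names is exec'd with all privileges on every share connect and disconnect.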
These properties are configurable with sharectl(1M) and will be applied to all shares. The command may be used to perform automated administrative tasks each time a share is mapped or disconnected, for example, to create home directories or monitor resources.

The command will be executed using the credentials of the smbd daemon, which, by default, is root/sys. The command will be executed using one of the exec() functions. The content of the environment is not specified. Because the exec'd process runs with all privileges and inherits an unspecified environment, the command should be an absolute path to an executable that only root can modify, and the executable should set its own PATH and other environment variables rather than rely on inherited ones.

See also 6766364 Add scripting support to Autohome.

In order to configure these properties using sharectl(1M), a user must be the superuser or assume an equivalent role to obtain the solaris.smf.modify.application RBAC authorization.

Additional privileges are required to allow the smbd process to fork a child process and execute the commands. The privileges will be enabled in the effective set and inheritable set when needed for command execution. Otherwise, they will be disabled. All privileges are enabled for the exec'd process.

These properties are stored in SMF(5) in the svc:/network/smb/server:default service under the exec property group.

The service property names and values are as follows:

map

    The value is a command to be executed when connecting to the share. The command string can contain the following escape sequences, which will be substituted when the command is exec'd as described below.

    %U - Windows username.
    %D - Name of the domain or workgroup of %U.
    %h - The server hostname.
    %M - The client hostname, or "" if not available.
    %L - The server NetBIOS name.
    %m - The client NetBIOS name, or "" if not available. This escape is only valid for NetBIOS connections (port 139).
    %I - The IP address of the client machine.
    %i - The local IP address to which the client is connected.
    %S - The name of the share.
    %P - The root directory of the share.
    %u - The UID of the Unix user.

unmap

    The value is a command to be executed when disconnecting the share.
    The command can take the same substitutions listed on the map property.

disposition

    A value that controls whether to disconnect the share or proceed if the map command fails. The disposition property only has meaning when the map property has been set. Otherwise it will have no effect.

    disposition = [ continue | terminate ]

    continue    Proceed with share connection if the map command fails. This is the default in the event that disposition is not specified.

    terminate   Disconnect the share if the map command fails.

Examples of setting these properties with sharectl(1M):

    sharectl set -p map="/tmp/map_script %U" smb
    sharectl set -p unmap=/tmp/unmap_script smb
    sharectl set -p disposition=terminate smb

The /tmp paths are for illustration only; since the command is exec'd with all privileges, a real map or unmap script should live in a directory that only root can write to.

With the map property set as in the first example, the map command would be invoked with arguments of the form:

    arg0 = /tmp/map_script
    arg1 = <Windows username>
    arg2 = NULL

6. Resources and Schedule

6.4. Steering Committee requested information

6.4.1. Consolidation C-team Name:
     ON

6.5. ARC review type: FastTrack

6.6. ARC Exposure: open
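The substitution, argv construction and disposition rules described for the map, unmap and disposition properties, modelled in Python as an added example. This is not smbd code and nothing here comes from the ON consolidation; ShareContext, build_argv and run_map are names chosen for the example. It assumes, because the case does not say, that the property value is split on whitespace into argv entries before the %-escapes are expanded (so a Windows username containing spaces arrives as exactly one argument and a substituted value can never add arguments), that an escape the case does not define is left verbatim and "%%" is a literal "%", and that the map command "fails" when it cannot be exec'd or exits non-zero. The sample connection values are constructed.

```python
"""Model of the SMB share exec properties (map, unmap, disposition).

Added example, not smbd code. Assumptions the case leaves open:
  * the property value is split on whitespace into argv tokens *before*
    %-escapes are expanded, so a substituted value is always one argument;
  * an undefined escape is left verbatim and "%%" yields a literal "%";
  * the map command "fails" if it cannot be exec'd or exits non-zero.
"""
import subprocess
from dataclasses import dataclass


@dataclass
class ShareContext:
    """Values available for substitution on a share connect/disconnect."""
    windows_user: str     # %U
    domain: str           # %D
    server_host: str      # %h
    client_host: str      # %M  ("" if not available)
    server_netbios: str   # %L
    client_netbios: str   # %m  ("" if not available; port 139 only)
    client_ip: str        # %I
    local_ip: str         # %i
    share: str            # %S
    share_root: str       # %P
    uid: int              # %u

    def substitutions(self):
        return {
            "U": self.windows_user, "D": self.domain, "h": self.server_host,
            "M": self.client_host, "L": self.server_netbios,
            "m": self.client_netbios, "I": self.client_ip, "i": self.local_ip,
            "S": self.share, "P": self.share_root, "u": str(self.uid),
        }


def expand_token(token, subs):
    """Expand %X escapes inside one argv token (assumed per-token semantics)."""
    out = []
    i = 0
    while i < len(token):
        if token[i] == "%" and i + 1 < len(token):
            key = token[i + 1]
            if key == "%":
                out.append("%")
                i += 2
                continue
            if key in subs:
                out.append(subs[key])
                i += 2
                continue
        out.append(token[i])       # ordinary char, or an undefined escape
        i += 1
    return "".join(out)


def build_argv(command, ctx):
    """argv for the exec'd process: tokenise first, then substitute per token.

    For map="/tmp/map_script %U" this yields ["/tmp/map_script", <username>],
    matching the arg0/arg1 example in the case (arg2 = NULL is implicit).
    """
    if not command:
        return []
    subs = ctx.substitutions()
    return [expand_token(tok, subs) for tok in command.split()]


def run_map(command, ctx, disposition="continue"):
    """Run the map command. Returns True if the share connection proceeds.

    disposition="continue" (the default when the property is unset) proceeds
    even if the command fails; "terminate" disconnects the share on failure.
    """
    argv = build_argv(command, ctx)
    if not argv:
        return True                  # no map command configured: nothing to run
    try:
        failed = subprocess.call(argv) != 0
    except OSError:
        failed = True                # exec itself failed (missing file, etc.)
    return not (failed and disposition == "terminate")


if __name__ == "__main__":
    # Constructed sample connection; names and addresses are made up.
    ctx = ShareContext("Bob Smith", "CORP", "fs1", "", "FS1", "",
                       "10.0.0.5", "10.0.0.1", "home", "/export/home", 1001)
    print(build_argv("/tmp/map_script %U", ctx))
    print(build_argv("/usr/local/sbin/mkhome %u %P/%U %M", ctx))
    print(run_map("false", ctx, "terminate"))   # command fails -> disconnect
```

The demo runs `true` and `false` from PATH in place of a real map script. Tokenising before substitution is the property that matters for an interface like this: because smbd uses exec() rather than a shell, nothing in a client-controlled value such as %U or %M is ever parsed as a separate argument or as shell syntax, and an unavailable value like %M still occupies its own (empty) argv slot so the script's positional parameters never shift.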