Hi Gary, Thanks for looking at this - comments inline...
Gary Winiger wrote:
>> Rob's sent me updated materials which reflect the clarifications due
>> to the conversation here around privileges and the removal of
>> config/debug from the manpages.
>>
>> I've put them in the case directory.
>
>> 4.11. Security Impact:
>> During daemon initialization, the smtp-notify daemon will reduce its
>> privileges to the following minimal set:
>>
>> afsr# ppriv 104651
>> 104651: /usr/lib/fm/notify/smtp-notify
>> flags = PRIV_AWARE
>> E: basic,proc_setid
>> I: basic,proc_setid
>> P: basic,proc_setid
>> L: basic,proc_setid
>
> The updated materials don't state what uid(s)/gid(s) the service runs
> with. If it starts with uid/gid 0 and changes its uid/gid, what is
> the new uid?
> Note: proc_setid Allow a process to set its UIDs at will, assuming
> UID 0 requires all privileges to be asserted.
> Can this privilege reduction be done with a method context instead
> of by the daemon? If so, why isn't that the choice? If not,
> why not?

The daemon needs to start as uid/gid 0, because it needs to create/bind a sysevent channel during initialization. After doing this, it reduces its privilege set to the minimal set noted above and changes its uid/gid to user noaccess (60002).

> Nit, I suspect there's a case dependency on PSARC/2009/617

Yes - correct.

thanks,
rob