Template Version: @(#)sac_nextcase 1.68 02/23/09 SMI
This information is Copyright 2009 Sun Microsystems
1. Introduction
1.1. Project/Component Working Name:
Improving the use and debugging of the basic privilege set.
1.2. Name of Document Author/Supplier:
Author: Casper Dik
1.3 Date of This Document:
22 December, 2009
4. Technical Description
I'm sponsoring this fasttrack for myself.
Improving the use and debugging of the basic privilege set.
The set of basic privileges was defined as set of privileges generally
assumed available to ordinary users. It was designed such that the basic
set could grow by defining privileges for certain previously unprivileged
operations while still being able to portably manipulate privilege sets.
A properly written application should initialize a privilege set with
the basic set, then add additional privileges and remove unneeded basic
privileges.
When adding new basic privileges, it has become clear that not all
programs handle the basic privileges correctly, e.g., by setting E or P
to the empty set.
In order to catch such problems early, is adding additional functionality
to the kernel to debug privilege set operations.
The new debugging functionality is implement as follows:
The priv_debug kernel variable is initialized to 1 on
DEBUG kernels.
When priv_debug is non zero when the system boots,
a new privilege is allocated and it is added to the basic set.
The new privilege is called "basic_test".
When setppriv() is called and the E and/or P privilege sets are
modified, a message is logged when the "basic_test" privilege
is removed from E/P. We allow setting I and L to the empty set
only as a failsafe for applications which should not call exec().
When exec*() is called and I does not include the "basic_test"
privilege, a message is logged.
A properly written application will never remove the unknown "basic_test"
privilege from E or P.
An example of these messages is:
WARNING: in.tftpd[105699]: setppriv: basic_test privilege removed from E/P
and this programming error in in.tftpd later caused the following fatal error:
NOTICE: in.tftpd[105699]: missing privilege "net_access" (euid = 60001, syscall
= 230) for "devpolicy" needed at solookup+0x270
tftpd[105699]: socket (main): Permission denied
And we also provide an additional API: priv_basicset(): fills the
argument with the basic set.
--- priv_addset.3 Mon Dec 21 12:08:24 2009
+++ priv_addset.3.new Mon Dec 21 12:10:00 2009
@@ -20,6 +20,8 @@
void priv_emptyset(priv_set_t *sp);
+ void priv_basicset(priv_set_t *sp);
+
void priv_fillset(priv_set_t *sp);
void priv_freeset(priv_set_t *sp);
@@ -58,6 +60,8 @@
The priv_emptyset() function clears all privileges from sp.
+ The priv_basicset() function copies the basic privilege set to sp.
+
The priv_fillset() function asserts all privileges in sp, includ-
ing the privileges not currently defined in the system.
Requested binding: micro/patch
6. Resources and Schedule
6.4. Steering Committee requested information
6.4.1. Consolidation C-team Name:
osnet
6.5. ARC review type: FastTrack
6.6. ARC Exposure: open
