Looks like a good idea. I'm inclined to +1 it, but I'd prefer to let
Darren or Gary (who are both more familiar with the privilege model than
I am) do so instead.
- Garrett
Casper Dik wrote:
> Template Version: @(#)sac_nextcase 1.68 02/23/09 SMI
> This information is Copyright 2009 Sun Microsystems
> 1. Introduction
> 1.1. Project/Component Working Name:
> Improving the use and debugging of the basic privilege set.
> 1.2. Name of Document Author/Supplier:
> Author: Casper Dik
> 1.3 Date of This Document:
> 22 December, 2009
> 4. Technical Description
> I'm sponsoring this fasttrack for myself.
>
> Improving the use and debugging of the basic privilege set.
>
> The set of basic privileges was defined as set of privileges generally
> assumed available to ordinary users. It was designed such that the basic
> set could grow by defining privileges for certain previously unprivileged
> operations while still being able to portably manipulate privilege sets.
>
> A properly written application should initialize a privilege set with
> the basic set, then add additional privileges and remove unneeded basic
> privileges.
>
> When adding new basic privileges, it has become clear that not all
> programs handle the basic privileges correctly, e.g., by setting E or P
> to the empty set.
>
> In order to catch such problems early, is adding additional functionality
> to the kernel to debug privilege set operations.
>
> The new debugging functionality is implement as follows:
>
> The priv_debug kernel variable is initialized to 1 on
> DEBUG kernels.
>
> When priv_debug is non zero when the system boots,
> a new privilege is allocated and it is added to the basic set.
> The new privilege is called "basic_test".
>
> When setppriv() is called and the E and/or P privilege sets are
> modified, a message is logged when the "basic_test" privilege
> is removed from E/P. We allow setting I and L to the empty set
> only as a failsafe for applications which should not call exec().
>
> When exec*() is called and I does not include the "basic_test"
> privilege, a message is logged.
>
> A properly written application will never remove the unknown "basic_test"
> privilege from E or P.
>
> An example of these messages is:
>
> WARNING: in.tftpd[105699]: setppriv: basic_test privilege removed from E/P
>
> and this programming error in in.tftpd later caused the following fatal error:
>
> NOTICE: in.tftpd[105699]: missing privilege "net_access" (euid = 60001,
> syscall = 230) for "devpolicy" needed at solookup+0x270
> tftpd[105699]: socket (main): Permission denied
>
> And we also provide an additional API: priv_basicset(): fills the
> argument with the basic set.
>
> --- priv_addset.3 Mon Dec 21 12:08:24 2009
> +++ priv_addset.3.new Mon Dec 21 12:10:00 2009
> @@ -20,6 +20,8 @@
>
> void priv_emptyset(priv_set_t *sp);
>
> + void priv_basicset(priv_set_t *sp);
> +
> void priv_fillset(priv_set_t *sp);
>
> void priv_freeset(priv_set_t *sp);
> @@ -58,6 +60,8 @@
>
> The priv_emptyset() function clears all privileges from sp.
>
> + The priv_basicset() function copies the basic privilege set to sp.
> +
> The priv_fillset() function asserts all privileges in sp, includ-
> ing the privileges not currently defined in the system.
>
>
> Requested binding: micro/patch
>
> 6. Resources and Schedule
> 6.4. Steering Committee requested information
> 6.4.1. Consolidation C-team Name:
> osnet
> 6.5. ARC review type: FastTrack
> 6.6. ARC Exposure: open
>
>
