Alan Coopersmith wrote:
John Sonnenschein wrote:
Is there a particular reason we require the Primary Administrator
profile to be in effect in order to run pkg(5) ?
You don't actually require Primary Administrator; what you require is the
ability to create all the files that pkg lays down with the appropriate
ownership and permissions, as well as (in an image-update) do the ZFS
operations for creating boot environments.
Short-term, adding a line like
"Software Installation:solaris:cmd:::/usr/bin/pkg:euid=0" to
/etc/security/exec_attr would allow a sysadmin to grant Software
Installation to a junior admin without requiring full privs.
Is there any real difference? Once you can install software,
you can install a package that has a setuid-root copy of /bin/sh
and get the same privileges.
The difference is one of intent. The implementation of the "Software
Installation" profile is to run pkg with euid=0, but that could change in
the future. Compare this with using the ancient and so trivially broken
/usr/bin/crypt: the intent is to obscure, so if someone "cracks" the file
you know they did so intentionally, not by accident.
The audit trail is also different so you have a different set of events
to look at if it is abused.
While yes, you can deliver a setuid-root copy of /bin/sh and get full
privileges, the fact you did so would be audited in a different way to if
you just did "pfexec chmod +s /bin/sh" when given access to "Primary
Administrator".
--
Darren J Moffat
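As an added example (not part of the thread or of pkg(5) itself), a small Python script that parses exec_attr(4)-format entries like the "Software Installation" line quoted above and reports which profiles run a command with uid=0 or euid=0, so an administrator can see which profiles are root-equivalent in practice. The sample entries are constructed, not a real /etc/security/exec_attr.

```python
"""Parse exec_attr(4)-style entries and flag profiles whose commands run
as root (uid=0 or euid=0), i.e. profiles that are effectively root-equivalent."""
from dataclasses import dataclass, field

# Constructed sample (not a real /etc/security/exec_attr); the first entry is
# the "Software Installation" line discussed in the thread.
SAMPLE_EXEC_ATTR = """\
# profile:policy:type:res1:res2:id:attr
Software Installation:solaris:cmd:::/usr/bin/pkg:euid=0
Printer Management:solaris:cmd:::/usr/sbin/lpadmin:euid=lp;gid=lp
Network Management:solaris:cmd:::/usr/sbin/ifconfig:privs=sys_net_config
Primary Administrator:solaris:cmd:::*:uid=0;gid=0
"""


@dataclass
class ExecAttr:
    profile: str
    policy: str
    kind: str
    cmd: str
    attrs: dict = field(default_factory=dict)


def parse_exec_attr(text):
    """Return a list of ExecAttr records; blank lines and comments are skipped.

    Each entry has seven colon-separated fields; the last one is a
    semicolon-separated list of key=value attributes (uid, euid, gid, privs...)."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"malformed exec_attr entry: {raw!r}")
        profile, policy, kind, _res1, _res2, cmd, attr = fields
        attrs = {}
        for kv in filter(None, attr.split(";")):
            key, _, value = kv.partition("=")
            attrs[key] = value
        entries.append(ExecAttr(profile, policy, kind, cmd, attrs))
    return entries


def root_equivalent_profiles(entries):
    """Map profile name -> commands that profile runs with uid=0 or euid=0."""
    found = {}
    for e in entries:
        if e.attrs.get("uid") == "0" or e.attrs.get("euid") == "0":
            found.setdefault(e.profile, []).append(e.cmd)
    return found


if __name__ == "__main__":
    for profile, cmds in root_equivalent_profiles(parse_exec_attr(SAMPLE_EXEC_ATTR)).items():
        print(f"{profile}: runs as root -> {', '.join(cmds)}")
```

Run it against the real file with `parse_exec_attr(open("/etc/security/exec_attr").read())` to list every profile that hands out root, not just the one named Primary Administrator.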
pkg-discuss mailing list
http://mail.opensolaris.org/mailman/listinfo/pkg-discuss