On Wed, 1 Oct 2008, Darren J Moffat wrote:

> I'm moving this discussion over to security-discuss where it is more
> appropriate now since it is about privileges.
I haven't seen any more on this thread. As I mentioned, I'm using mod_perl, so for now I simply added a PerlPostConfigRequire configuration directive that runs a script containing `/usr/bin/ppriv -s I+file_chown_self $$` during server initialization, which is a little kludgy but seems to get the job done. If you happen to find out whether there is a way to do this within the SMF manifest itself, I'd appreciate a heads up...

Thanks much...

> Paul B. Henson wrote:
> > On Tue, 23 Sep 2008, Darren J Moffat wrote:
> >
> >> Run the "service" with the file_chown privilege. See privileges(5),
> >> rbac(5) and if it runs as an SMF service smf_method(5).
> >
> > Thanks for the pointer. After reviewing this documentation, it seems that
> > file_chown_self is the best privilege to delegate, as the service account
> > only needs to give away the filesystems it has created to the appropriate
> > owner; it should never need to arbitrarily chown other things.
> >
> > I'm actually running a separate instance of Apache/mod_perl which exposes
> > my ZFS management API as a web service to our central identity management
> > server. So it does run under SMF, but I'm having trouble getting the
> > privilege delegation to work the way I need it to.
> >
> > The method_credential option in the manifest only seems to apply to the
> > initial start of the service. Apache needs to start as root, and then gives
> > up the privileges when it spawns children. I can't have SMF control the
> > privileges of the initial parent Apache process or it won't start.
> >
> > Started with full privileges, the parent process looks like:
> >
> > E: all
> > I: basic
> > P: all
> > L: all
> >
> > And the children:
> >
> > flags = <none>
> > E: basic
> > I: basic
> > P: basic
> > L: all
> >
> > I manually ran 'ppriv -s I+file_chown_self' on the parent Apache process,
> > which resulted in:
> >
> > flags = <none>
> > E: all
> > I: basic,file_chown_self
> > P: all
> > L: all
> >
> > And the children:
> >
> > flags = <none>
> > E: basic,file_chown_self
> > I: basic,file_chown_self
> > P: basic,file_chown_self
> > L: all
> >
> > Which worked perfectly. Is there any syntax available for the SMF manifest
> > that would allow starting the original process with all privileges, but
> > configure the inheritable privileges to include the additional
> > file_chown_self?
> >
> > If not, the only other option I can think of offhand is to put together a
> > small Apache module that runs during server initialization and changes the
> > inheritable permissions before the children are spawned.
> >
> > Thanks...
> >
> >
>

--
Paul B. Henson | (909) 979-6361 | http://www.csupomona.edu/~henson/
Operating Systems and Network Analyst | henson at csupomona.edu
California State Polytechnic University | Pomona CA 91768
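As an added illustration of the PerlPostConfigRequire workaround described in the reply above (this is not the script from the thread, and the file name and layout are assumptions), the following Perl file adds file_chown_self to the inheritable set of the parent httpd with ppriv(1) and then reads the set back, so that the server refuses to start if the privilege did not actually land. Because the parent still holds P: all at this point, `ppriv -s I+` succeeds; on a non-root parent the privilege would first have to be in the permitted set.

```perl
#!/usr/bin/perl
# Added example, not code from the original thread.
# Loaded from httpd.conf with:
#   PerlPostConfigRequire /etc/apache2/set-privs.pl   (path is an assumption)
# It runs once in the parent httpd during server initialization, before
# the children are forked, so the inheritable set is passed down to them.
use strict;
use warnings;

my $ppriv = '/usr/bin/ppriv';        # as used in the thread
my $priv  = 'file_chown_self';       # the privilege being delegated

# Return the inheritable privilege set of this process, as reported by
# "ppriv <pid>" (the "I: basic,file_chown_self" line in the thread's output).
sub inheritable_set {
    my $out = qx($ppriv $$);
    die "$ppriv $$ failed: $?\n" if $? != 0;
    my ($line) = $out =~ /^\s*I:\s*(.*)$/m
        or die "no inheritable set found in ppriv output:\n$out";
    return map { s/^\s+|\s+$//g; $_ } split /,/, $line;
}

# Add the privilege to the inheritable set. The children will then carry it
# in E, I and P after Apache drops to the service user, exactly as the manual
# "ppriv -s I+file_chown_self" run in the thread showed.
system($ppriv, '-s', "I+$priv", $$) == 0
    or die "$ppriv -s I+$priv $$ failed: $?\n";

# Fail closed: verify the change rather than trusting the exit status alone.
# If the privilege is missing, dying here aborts server startup instead of
# leaving a running service that silently cannot give away its filesystems.
my %have = map { $_ => 1 } inheritable_set();
die "inheritable set still lacks $priv after ppriv -s\n" unless $have{$priv};

1;  # a PerlPostConfigRequire file must return true
```

The check only confirms the parent's inheritable set; a child's effective set can be confirmed after startup with `ppriv <child pid>` in the same way.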