I'm moving this discussion over to security-discuss where it is more appropriate now since it is about privileges.
Paul B. Henson wrote:
> On Tue, 23 Sep 2008, Darren J Moffat wrote:
>
>> Run the "service" with the file_chown privilege. See privileges(5),
>> rbac(5) and if it runs as an SMF service smf_method(5).
>
> Thanks for the pointer. After reviewing this documentation, it seems that
> file_chown_self is the best privilege to delegate, as the service account
> only needs to give away the filesystems it has created to the appropriate
> owner; it should never need to arbitrarily chown other things.
>
> I'm actually running a separate instance of Apache/mod_perl which exposes
> my ZFS management API as a web service to our central identity management
> server. So it does run under SMF, but I'm having trouble getting the
> privilege delegation to the way I need it to be.
>
> The method_credential option in the manifest only seems to apply to the
> initial start of the service. Apache needs to start as root, and then gives
> up the privileges when it spawns children. I can't have SMF control the
> privileges of the initial parent Apache process or it won't start.
>
> Started with full privileges, the parent process looks like:
>
> E: all
> I: basic
> P: all
> L: all
>
> And the children:
>
> flags = <none>
> E: basic
> I: basic
> P: basic
> L: all
>
> I manually ran 'ppriv -s I+file_chown_self' on the parent Apache process,
> which resulted in:
>
> flags = <none>
> E: all
> I: basic,file_chown_self
> P: all
> L: all
>
> And the children:
>
> flags = <none>
> E: basic,file_chown_self
> I: basic,file_chown_self
> P: basic,file_chown_self
> L: all
>
> Which worked perfectly. Is there any syntax available for the SMF manifest
> that would allow starting the original process with all privileges, but
> configure the inheritable privileges to include the additional
> file_chown_self?
>
> If not, the only other option I can think of offhand is to put together a
> small Apache module that runs during server initialization and changes the
> inheritable permissions before the children are spawned.
>
> Thanks...
>

-- 
Darren J Moffat
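The ppriv listings quoted above are one instance of the general rule in privileges(5) for what a child receives across exec: the new inheritable set is I ∩ L, the new effective and permitted sets equal that new inheritable set, and the limit set is unchanged. That is why adding file_chown_self to the parent's inheritable set (and nothing else) is exactly what shows up as E/I/P in the children, and why a privilege missing from L would be dropped silently. The following is an added example written for this thread, not code from the post or from Solaris: a small Python model of that rule that parses ppriv-style output, applies the exec transition, models `ppriv -s I+...`, and runs a least-privilege check on the resulting child sets. It assumes the "basic" and "all" keywords can be treated as opaque tokens (the real "basic" expands to several named privileges) and ignores privilege-aware programs and forced privileges on the executable.

```python
"""Model of Solaris privilege-set inheritance across exec (privileges(5)):
    I' = I ∩ L,   E' = P' = I',   L' = L
Constructed example, not code from the mailing-list post.  "basic" and
"all" are kept as opaque tokens rather than expanded into named privileges
(an assumption; the real basic set is several privileges)."""

# ppriv listing for the Apache parent before any change; constructed from
# the sets quoted in the thread.
PARENT_BEFORE = """\
flags = <none>
E: all
I: basic
P: all
L: all"""


def parse_ppriv(text):
    """Parse the 'E: .. I: .. P: .. L: ..' lines that ppriv prints.

    Returns a dict mapping the set letter to a Python set of tokens.  The
    'flags = ...' line ppriv emits is informational and is skipped."""
    sets = {}
    for raw in text.strip().splitlines():
        line = raw.strip()
        if not line or line.startswith("flags"):
            continue
        key, _, rest = line.partition(":")
        sets[key.strip()] = {p.strip() for p in rest.split(",") if p.strip()}
    missing = {"E", "I", "P", "L"} - sets.keys()
    if missing:
        raise ValueError(f"ppriv listing missing sets: {sorted(missing)}")
    return sets


def intersect(a, b):
    """Set intersection where the token 'all' stands for the full set."""
    if "all" in a:
        return set(b)
    if "all" in b:
        return set(a)
    return a & b


def exec_child(parent):
    """Privilege sets a normal (non privilege-aware) program gets on exec."""
    i_new = intersect(parent["I"], parent["L"])
    return {"E": set(i_new), "I": set(i_new), "P": set(i_new),
            "L": set(parent["L"])}


def ppriv_add(sets, which, privs):
    """Model `ppriv -s <which>+<priv,...>`: add privileges to one set."""
    out = {k: set(v) for k, v in sets.items()}
    out[which] |= set(privs)
    return out


def child_privileges_exceed(child, allowed):
    """Least-privilege check: privileges present in the child's E or P sets
    beyond the `allowed` tokens.  'all' in either set is reported as such."""
    extra = set()
    for k in ("E", "P"):
        if "all" in child[k]:
            return {"all"}
        extra |= child[k] - set(allowed)
    return extra


def fmt(sets):
    """Render sets back in ppriv's line format (sorted for stable output)."""
    return "\n".join(f"{k}: {','.join(sorted(sets[k]))}" for k in "EIPL")


if __name__ == "__main__":
    parent = parse_ppriv(PARENT_BEFORE)
    print("child of untouched parent:\n" + fmt(exec_child(parent)), end="\n\n")
    parent = ppriv_add(parent, "I", ["file_chown_self"])
    child = exec_child(parent)
    print("child after ppriv -s I+file_chown_self:\n" + fmt(child), end="\n\n")
    print("unexpected child privileges:",
          child_privileges_exceed(child, {"basic", "file_chown_self"}) or "none")
```

Running it reproduces the two child listings from the thread. The `child_privileges_exceed` check is the piece worth keeping around after the SMF question is settled: it asserts that the worker processes end up with nothing beyond basic plus file_chown_self, which is the difference between delegating file_chown_self and the broader file_chown.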