You're the man! Page 6 of the "Limiting Services Privileges in Solaris 10" (May 2005) has the following recommendation:

svc:/network/http:apache2> setprop start/privileges = astring: basic,!proc_session,!proc_info,!file_link_any,net_privaddr

To get this to work with apache2 on TX (zone), I added the net_bindmlp priv and it worked. Thanks!

When securing the apache2 configuration from the

On Feb 27, 2007, at 7:59 PM, Jarrett Lu wrote:

> Bob,
>
> Your MLP declaration for pub-tx01 looks OK. A few things to try/check:
>
> 1. Does the svc program have net_bindmlp priv in its limit set?
> 2. In pub-tx01 zone, 'ifconfig -a' shows there is an all-zones interface it can use.
> 3. The socket() call didn't fail.
> 4. svc is binding to the right IP addr.
> 5. No other process already bound with port 80.
>
> Jarrett
>
>
> Robert Bailey wrote:
>
>> I'm looking at the potential for having a TX zone serving web pages, thus hopefully restricting its badness potential. I've set the privileges within svc to specs produced by Sun (minus the shared storage - TX doesn't like that).
>> Anyway, the problem I am having is binding to port 80 within the public facing local zone.
>>
>> My global is configured to share the interface (bold is the zone I'm focussing on):
>>
>> lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
>>         inet 127.0.0.1 netmask ff000000
>> lo0:1: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
>>         zone restricted-tx01
>>         inet 127.0.0.1 netmask ff000000
>> *lo0:2: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
>>         zone pub-tx01
>>         inet 127.0.0.1 netmask ff000000*
>> *bge0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
>>         all-zones
>>         inet 192.168.15.78 netmask ffffff00 broadcast 192.168.15.255
>>         ether 0:14:4f:6e:ce:3a*
>>
>> My tnzonecfg is as follows - note that I'm still a bit confused if the port 80 should be in the global definition for shared ports:
>>
>> global:ADMIN_LOW:1:111/tcp;111/udp;515/tcp;631/tcp;2049/tcp;6000-6003/tcp:6000-6003/tcp
>> *pub-tx01:0x0002-08-08:0::80/tcp*
>> restricted-tx01:0x000a-08-08:0::
>>
>> And the ServerName is defined as *192.168.15.79*
>>
>> I even set the webservd in /etc/user_attr to def_label=PUB to no avail.
>>
>> Here's the error I keep getting...
>>
>> (13)Permission denied: make_sock: could not bind to address [::]:80
>> no listening sockets available, shutting down
>> Unable to open logs
>>
>>
>> Any thoughts folks?
>>
>> Thanks
>> Bob
>>
>> _______________________________________________
>> security-discuss mailing list
>> security-discuss at opensolaris.org
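Jarrett's first checklist item and Bob's fix (adding net_bindmlp next to net_privaddr) can be turned into an offline configuration check. This is an added example, not code from the thread or from Sun: it expands an SMF start/privileges value the way the setprop line above is written (assuming the Solaris 10 basic set of file_link_any, proc_exec, proc_fork, proc_info, proc_session), parses a tnzonecfg entry, and reports which privileges a service binding a given port in that zone would still lack.

```python
"""Offline check: does an SMF privilege set suffice to bind a port in a TX zone?"""

# Solaris 10 'basic' privilege set (assumption; later releases add more members).
BASIC_PRIVS = {"file_link_any", "proc_exec", "proc_fork", "proc_info", "proc_session"}


def expand_privileges(spec):
    """Expand an SMF privilege string such as
    'basic,!proc_session,net_privaddr' into the resulting privilege set.
    'basic' adds the basic set, '!name' removes a privilege, 'name' adds one."""
    privs = set()
    for tok in (t.strip() for t in spec.split(",")):
        if not tok:
            continue
        if tok == "basic":
            privs |= BASIC_PRIVS
        elif tok.startswith("!"):
            privs.discard(tok[1:])
        else:
            privs.add(tok)
    return privs


def parse_tnzonecfg(line):
    """Parse one tnzonecfg line: zone:label:mlp_flags:private_mlps:shared_mlps.
    MLP lists are ';'-separated entries like '80/tcp' or '6000-6003/tcp'."""
    zone, label, flags, private, shared = line.strip().split(":")
    mlps = lambda field: [m for m in field.split(";") if m]
    return {"zone": zone, "label": label, "flags": flags,
            "private": mlps(private), "shared": mlps(shared)}


def port_in_mlps(port, proto, mlps):
    """True if port/proto falls inside any MLP entry (single port or range)."""
    for entry in mlps:
        ports, _, entry_proto = entry.partition("/")
        lo, _, hi = ports.partition("-")
        if entry_proto == proto and int(lo) <= port <= int(hi or lo):
            return True
    return False


def missing_privileges(spec, zone_entry, port, proto="tcp"):
    """Privileges the service still needs: net_privaddr for ports below 1024,
    net_bindmlp when the port is declared as an MLP for the zone (per the thread)."""
    have = expand_privileges(spec)
    needed = set()
    if port < 1024:
        needed.add("net_privaddr")
    if port_in_mlps(port, proto, zone_entry["private"] + zone_entry["shared"]):
        needed.add("net_bindmlp")
    return sorted(needed - have)
```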