James Carlson wrote:
 > David Powell writes:
 >> James Carlson wrote:
 >>  > This is at least a theoretical DoS threat.  It's also a privilege
 >>  > escalation, in that a non-privileged user is able to perform an
 >>  > action ("svcadm restart") for which he has no privileges.
 >>  >
 >>  > Avoiding that completely would require having contracts (like Least
 >>  > Privilege behavior) become opt-in rather than opt-out.  (Yes, I know
 >>  > that's not a good answer.)
 >>
 >>    No, it simply requires you to write your service description
 >>    correctly.
 >
 > As we've seen, that's far easier to say than to do.  The contract
 > inheritance and its implications are not well-understood by the folks
 > maintaining all code that runs on Solaris.

   You don't need to understand contracts to tell SMF that it should
   ignore signals from other services and core files for a service.  I
   haven't seen much misunderstanding that all processes started by a
   service are tracked by that service.

   Unless you want finer-grained control over error handling than the
   service abstraction allows, and are therefore actively creating
   contracts yourself, "contract inheritance and its implications" are
   just implementation details of how services are maintained.

 > For a random example, see the exec(2) man page.  The only thing it
 > says about contracts is this:
 >
 >      All active contract templates are cleared (see contract(4)).
 >
 > Ironically, the very next section of text starts with this header:
 >
 >      The new process also inherits the following attributes  from
 >      the calling process:
 >
 > ... but guess what it fails to mention.

   Please file a bug.

   Dave
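
[Added example, not part of the thread.]  The "service description" Dave
refers to is the SMF manifest.  The property that tells svc.startd to
ignore core dumps and fatal signals in processes tracked by the service's
contract (instead of treating them as a service fault and restarting the
service) is startd/ignore_error.  The fragment below is an illustrative
manifest for a hypothetical service svc:/site/example with a made-up
daemon path; only the startd property group is the point.

```xml
<?xml version="1.0"?>
<!DOCTYPE service_bundle SYSTEM "/usr/share/lib/xml/dtd/service_bundle.dtd.1">
<!-- Hypothetical service; the FMRI and daemon path are placeholders. -->
<service_bundle type="manifest" name="site-example">
  <service name="site/example" type="service" version="1">
    <create_default_instance enabled="false"/>
    <single_instance/>

    <exec_method type="method" name="start"
        exec="/opt/example/bin/exampled" timeout_seconds="60"/>
    <exec_method type="method" name="stop"
        exec=":kill" timeout_seconds="60"/>

    <!-- Without this, a core dump or fatal signal in ANY process that
         ended up in this service's contract (e.g. something an
         unprivileged user's session spawned under it) counts as a
         service error and svc.startd restarts the service.  With
         ignore_error set to "core,signal", those two event types are
         ignored for this service; process exit and other contract
         events are still handled normally. -->
    <property_group name="startd" type="framework">
      <propval name="ignore_error" type="astring" value="core,signal"/>
    </property_group>
  </service>
</service_bundle>
```

On a live system the same property can be set on an already-imported
service with svccfg, for example
"svccfg -s svc:/site/example setprop startd/ignore_error = astring: core,signal"
followed by "svcadm refresh svc:/site/example"; afterwards
"svcprop -p startd/ignore_error svc:/site/example" shows the value in
effect.  Note that this only limits what svc.startd reacts to; it does
not stop unrelated processes from landing in the service's contract in
the first place, which is the inheritance point James raises above.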
