James Carlson wrote:

> Contracts are not (as far as I know) dissolved across a setuid/
> seteuid and related credential change. The implication of this is
> that your typical "do something for some user" service daemon -- one
> designed for plain old UNIX and not Solaris contracts -- will do all
> of the usual security checks on $HOME/blah before invoking it
> carefully with the right credentials, but it will inevitably end up
> handing over some dangerous keys to that subprocess, in the form of
> that invisible contract.
>
> In particular, if the user arranges to have his own invoked script
> trigger a process outside of the contract to send him a fatal signal,
> the original daemon will be taken out as a result. "pkill -QUIT blah"
> ought to do the trick.

Again, that's why sendmail ignores signals. And why the ability to
ignore signals and core files is provided.

> This is at least a theoretical DoS threat. It's also a privilege
> escalation, in that a non-privileged user is able to perform an action
> ("svcadm restart") for which he has no privileges.
>
> Avoiding that completely would require having contracts (like Least
> Privilege behavior) become opt-in rather than opt-out. (Yes, I know
> that's not a good answer.)

No, it simply requires you to write your service description correctly.

Dave
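The "service description" Dave refers to is the SMF manifest. As an added illustration (not code from the thread, and the service name application/blah is assumed), this is the manifest fragment that tells svc.startd not to treat a core dump or a fatal signal in any process of the service's contract as a failure of the whole service, so a subprocess taken out with a signal does not restart the daemon:

```xml
<!-- Added illustration, not from the thread. Service name is assumed. -->
<service name='application/blah' type='service' version='1'>

  <!-- Without this property group, svc.startd takes the default:
       a core dump or fatal signal anywhere in the service's process
       contract counts as a service error, and the whole service
       (the privileged daemon included) is restarted. -->
  <property_group name='startd' type='framework'>
    <!-- Ignore 'core' and 'signal' contract events; only a real exit
         of the daemon or an explicit svcadm action changes its state. -->
    <propval name='ignore_error' type='astring' value='core,signal' />
  </property_group>

  <instance name='default' enabled='false' />
</service>
```

The same effect is what the sendmail manifest relies on, and the property is documented with svc.startd along with the 'core' and 'signal' values shown here.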