Mark Shellenbaum wrote:
> I thought that privileges only granted additional access that would
> otherwise be denied by a file's permission bits/ACL. This sounds like
> you want the presence of certain privileges to override permission bits?
There are two types of privileges in Solaris 10 onwards; this is
different from anything Trusted Solaris did before and different from the
(never ratified and defunct) POSIX capabilities that Linux has.
The normal privileges empower, i.e. they allow an override where you wouldn't
normally be allowed to do something.
There is also the concept of "basic" privileges; these are things that
users can normally do. Currently that set is: proc_fork, proc_exec,
proc_session, proc_info, file_link_any.
If you look at nfsd you will see that it has the basic privileges
removed from it. This is further protection against exploitation due to
bugs.
Johannes' project is to expand the basic priv set.
A couple of examples where these file basic privileges could be used are:
Anything running as daemon - daemon doesn't own files and shouldn't
generally. So if there are files owned by daemon they might not be ones
belonging to that process.
ssh(1) and ssh-agent(1) after their initial startup. For ssh-agent(1)
it should ONLY communicate over the UNIX domain socket; dropping the new
file basic privs that Johannes is proposing provides protection to
ensure that ssh-agent can't be a conduit to steal user data. For ssh(1)
it is slightly less obvious but it is possible that a bad peer SSH
server could exploit the client. If ssh(1) drops basic file privs after
it reads all the config it is a good layer of protection.
--
Darren J Moffat
_______________________________________________
zfs-discuss mailing list
zfs-discuss@opensolaris.org
http://mail.opensolaris.org/mailman/listinfo/zfs-discuss
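The privilege-dropping pattern Darren describes (nfsd with its basic privileges removed, ssh-agent after startup), as an added example that is not part of the original mail or of any Solaris code: it removes the listed Solaris 10 basic privileges a finished-initialising daemon no longer needs via the setppriv(2) API. The privilege names are the ones in the mail; which ones a given daemon keeps is an assumption for illustration, and on non-Solaris hosts the setppriv path is compiled out.

```c
#include <stdio.h>
#include <string.h>
#ifdef __sun
#include <priv.h>   /* priv_allocset, priv_addset, setppriv, PRIV_OFF ... */
#endif

/* The Solaris 10 basic privilege set, as listed in the mail. */
static const char *const basic_privs[] = {
    "proc_fork", "proc_exec", "proc_session", "proc_info", "file_link_any"
};
#define NBASIC (sizeof basic_privs / sizeof basic_privs[0])

/* Which basic privileges to drop: every one not named in 'keep'.
 * Writes names into 'out' (room for NBASIC entries), returns the count.
 * Pure bookkeeping, so it works on any platform. */
size_t privs_to_drop(const char *const *keep, size_t nkeep, const char **out)
{
    size_t n = 0;
    for (size_t i = 0; i < NBASIC; i++) {
        int needed = 0;
        for (size_t k = 0; k < nkeep; k++)
            if (strcmp(basic_privs[i], keep[k]) == 0) needed = 1;
        if (!needed) out[n++] = basic_privs[i];
    }
    return n;
}

/* Remove the named privileges from the permitted and inheritable sets of
 * the calling process. Shrinking P is one-way: neither this process nor
 * anything it execs can regain them, which is the "layer of protection"
 * the mail describes. Returns 0 on success, -1 on failure/non-Solaris. */
int drop_privs(const char **names, size_t n)
{
#ifdef __sun
    priv_set_t *set = priv_allocset();
    if (set == NULL) return -1;
    priv_emptyset(set);
    for (size_t i = 0; i < n; i++)
        if (priv_addset(set, names[i]) != 0) { priv_freeset(set); return -1; }
    /* Remove from P first; the kernel keeps E a subset of P. */
    int rc = setppriv(PRIV_OFF, PRIV_PERMITTED, set);
    if (rc == 0) rc = setppriv(PRIV_OFF, PRIV_INHERITABLE, set);
    priv_freeset(set);
    return rc;
#else
    (void)names; (void)n;
    return -1;  /* no Solaris privilege API on this host */
#endif
}
```

A daemon that has finished startup and never forks, execs or hard-links files would call `privs_to_drop` with, say, `{"proc_session", "proc_info"}` as the keep list and hand the result to `drop_privs`; check the result with ppriv(1) on the running process.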