On Tue, 23 Sep 2008, Darren J Moffat wrote:

> Run the "service" with the file_chown privilege.  See privileges(5),
> rbac(5) and if it runs as an SMF service smf_method(5).

Thanks for the pointer. After reviewing this documentation, it seems that
file_chown_self is the best privilege to delegate, as the service account
only needs to give away the filesystems it has created to the appropriate
owner; it should never need to arbitrarily chown other things.

I'm actually running a separate instance of Apache/mod_perl which exposes
my ZFS management API as a web service to our central identity management
server. So it does run under SMF, but I'm having trouble getting the
privilege delegation to work the way I need it to.

The method_credential option in the manifest only seems to apply to the
initial start of the service. Apache needs to start as root, and then gives
up the privileges when it spawns children. I can't have SMF control the
privileges of the initial parent Apache process or it won't start.

Started with full privileges, the parent process looks like:

        E: all
        I: basic
        P: all
        L: all

And the children:

flags = <none>
        E: basic
        I: basic
        P: basic
        L: all

I manually ran 'ppriv -s I+file_chown_self' on the parent Apache process,
which resulted in:

flags = <none>
        E: all
        I: basic,file_chown_self
        P: all
        L: all

And the children:

flags = <none>
        E: basic,file_chown_self
        I: basic,file_chown_self
        P: basic,file_chown_self
        L: all


Which worked perfectly. Is there any syntax available for the SMF manifest
that would allow starting the original process with all privileges, but
configure the inheritable privileges to include the additional
file_chown_self?

If not, the only other option I can think of offhand is to put together a
small Apache module that runs during server initialization and changes the
inheritable permissions before the children are spawned.

Thanks...


-- 
Paul B. Henson  |  (909) 979-6361  |  http://www.csupomona.edu/~henson/
Operating Systems and Network Analyst  |  [EMAIL PROTECTED]
California State Polytechnic University  |  Pomona CA 91768
_______________________________________________
zfs-discuss mailing list
zfs-discuss@opensolaris.org
http://mail.opensolaris.org/mailman/listinfo/zfs-discuss
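
An added example, not part of the original message: a small Python model of the ppriv listings quoted above, checking that an Apache child ends up with exactly basic plus file_chown_self. The function names and the PARENT sample are constructed for illustration, and the rule that a child's E and P collapse to the inheritable set is a simplification taken from the listings in the message, with "basic" and "all" treated as opaque tokens.

```python
import re

# Constructed sample: listing of the parent httpd after
# `ppriv -s I+file_chown_self`, in the format quoted in the message.
PARENT = """\
flags = <none>
        E: all
        I: basic,file_chown_self
        P: all
        L: all
"""

def parse_ppriv(text):
    """Return {'E','I','P','L'} -> frozenset of tokens from a ppriv listing."""
    sets = {}
    for m in re.finditer(r"^\s*([EIPL]):\s*(\S+)\s*$", text, re.M):
        sets[m.group(1)] = frozenset(m.group(2).split(","))
    missing = set("EIPL") - sets.keys()
    if missing:
        raise ValueError(f"incomplete ppriv listing, missing {sorted(missing)}")
    return sets

def bounded(privs, limit):
    """Intersect with the limit set, treating the token 'all' as the universe."""
    if "all" in limit:
        return privs
    if "all" in privs:
        return limit
    return privs & limit

def child_after_uid_drop(parent):
    """Simplified model (assumption): once the child gives up root, E and P
    shrink to the inheritable set bounded by L; I and L carry over."""
    inherit = bounded(parent["I"], parent["L"])
    return {"E": inherit, "I": inherit, "P": inherit, "L": parent["L"]}

def excess_privileges(child, allowed):
    """Tokens in the child's effective set beyond the allowed ones."""
    return sorted(child["E"] - frozenset(allowed))

if __name__ == "__main__":
    child = child_after_uid_drop(parse_ppriv(PARENT))
    print("child E:", ",".join(sorted(child["E"])))
    print("excess:", excess_privileges(child, {"basic", "file_chown_self"}))
```

Feeding it a listing where the parent's I set is wider than intended (for example "all") makes excess_privileges report the extra tokens the children would carry.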
