privileges - process privilege model
Solaris software implements a set of privileges that provide fine-grained control over the actions of processes. The possession of a certain privilege allows a process to perform a specific set of restricted operations.
The change to a primarily privilege-based security model in the Solaris operating system gives developers an opportunity to restrict processes to those privileged operations actually needed instead of all (super-user) or no privileges (non-zero UIDs). Additionally, a set of previously unrestricted operations now requires a privilege; these privileges are dubbed the "basic" privileges and are by default given to all processes.
Taken together, all defined privileges with the exception of the "basic" privileges compose the set of privileges that are traditionally associated with the root user. The "basic" privileges are "privileges" unprivileged processes were accustomed to having.
The defined privileges are:
PRIV_CONTRACT_EVENT
Allow a process to include events in the critical event set term of a template which could be generated in volume by the user.
PRIV_CONTRACT_IDENTITY
PRIV_CONTRACT_OBSERVER
Allow a process to open contract event endpoints belonging to contracts created and owned by users other than the process's effective user ID.
PRIV_CPC_CPU
PRIV_DTRACE_KERNEL
PRIV_DTRACE_PROC
PRIV_DTRACE_USER
PRIV_FILE_CHOWN
PRIV_FILE_CHOWN_SELF
PRIV_FILE_DAC_EXECUTE
PRIV_FILE_DAC_READ
PRIV_FILE_DAC_SEARCH
PRIV_FILE_DAC_WRITE
PRIV_FILE_DOWNGRADE_SL
This privilege is interpreted only if the system is configured with Trusted Extensions.
PRIV_FILE_LINK_ANY
PRIV_FILE_OWNER
PRIV_FILE_SETID
PRIV_FILE_UPGRADE_SL
This privilege is interpreted only if the system is configured with Trusted Extensions.
PRIV_FILE_FLAG_SET
PRIV_GRAPHICS_ACCESS
PRIV_GRAPHICS_MAP
PRIV_IPC_DAC_READ
PRIV_IPC_DAC_WRITE
PRIV_IPC_OWNER
PRIV_NET_BINDMLP
This privilege is interpreted only if the system is configured with Trusted Extensions.
PRIV_NET_ICMPACCESS
PRIV_NET_MAC_AWARE
This privilege is interpreted only if the system is configured with Trusted Extensions.
PRIV_NET_OBSERVABILITY
PRIV_NET_PRIVADDR
PRIV_NET_RAWACCESS
PRIV_PROC_AUDIT
PRIV_PROC_CHROOT
PRIV_PROC_CLOCK_HIGHRES
PRIV_PROC_EXEC
PRIV_PROC_FORK
PRIV_PROC_INFO
PRIV_PROC_LOCK_MEMORY
PRIV_PROC_OWNER
PRIV_PROC_PRIOCNTL
PRIV_PROC_SESSION
PRIV_PROC_SETID
PRIV_PROC_TASKID
PRIV_PROC_ZONE
PRIV_SYS_ACCT
PRIV_SYS_ADMIN
PRIV_SYS_AUDIT
PRIV_SYS_CONFIG
PRIV_SYS_DEVICES
PRIV_SYS_DL_CONFIG
PRIV_SYS_IP_CONFIG
PRIV_SYS_IPC_CONFIG
PRIV_SYS_LINKDIR
PRIV_SYS_MOUNT
PRIV_SYS_NET_CONFIG
PRIV_SYS_NFS
PRIV_SYS_RES_CONFIG
PRIV_SYS_RESOURCE
PRIV_SYS_SMB
PRIV_SYS_SUSER_COMPAT
PRIV_SYS_TIME
PRIV_SYS_TRANS_LABEL
This privilege is interpreted only if the system is configured with Trusted Extensions.
PRIV_VIRT_MANAGE
PRIV_WIN_COLORMAP
Allow a process to install or remove colormaps.
Allow a process to retrieve colormap cell entries allocated by other processes.
This privilege is interpreted only if the system is configured with Trusted Extensions.
PRIV_WIN_CONFIG
Allow a process to use SetScreenSaver to set the screen saver timeout value.
Allow a process to use ChangeHosts to modify the display access control list.
Allow a process to use GrabServer.
Allow a process to use the SetCloseDownMode request that can retain window, pixmap, colormap, property, cursor, font, or graphic context resources.
This privilege is interpreted only if the system is configured with Trusted Extensions.
PRIV_WIN_DAC_READ
This privilege is interpreted only if the system is configured with Trusted Extensions.
PRIV_WIN_DAC_WRITE
This privilege is interpreted only if the system is configured with Trusted Extensions.
PRIV_WIN_DEVICES
Allow a process to get and set keyboard and pointer controls.
Allow a process to modify pointer button and key mappings.
This privilege is interpreted only if the system is configured with Trusted Extensions.
PRIV_WIN_DGA
This privilege is interpreted only if the system is configured with Trusted Extensions.
PRIV_WIN_DOWNGRADE_SL
This privilege is interpreted only if the system is configured with Trusted Extensions.
PRIV_WIN_FONTPATH
This privilege is interpreted only if the system is configured with Trusted Extensions.
PRIV_WIN_MAC_READ
This privilege is interpreted only if the system is configured with Trusted Extensions.
PRIV_WIN_MAC_WRITE
This privilege is interpreted only if the system is configured with Trusted Extensions.
PRIV_WIN_SELECTION
This privilege is interpreted only if the system is configured with Trusted Extensions.
PRIV_WIN_UPGRADE_SL
This privilege is interpreted only if the system is configured with Trusted Extensions.
PRIV_XVM_CONTROL
Of the privileges listed above, the privileges PRIV_FILE_LINK_ANY, PRIV_PROC_INFO, PRIV_PROC_SESSION, PRIV_PROC_FORK and PRIV_PROC_EXEC are considered "basic" privileges. These are privileges that used to be always available to unprivileged processes. By default, processes still have the basic privileges.
The privileges PRIV_PROC_SETID and PRIV_PROC_AUDIT must be present in the Limit set (see below) of a process in order for set-uid root execs to be successful, that is, get an effective UID of 0 and additional privileges.
The privilege implementation in Solaris extends the process credential with four privilege sets:
I, the inheritable set
P, the permitted set
E, the effective set
L, the limit set
The sets I, P and E are typically identical to the basic set of privileges for unprivileged processes. The limit set is typically the full set of privileges.
Each process has a Privilege Awareness State (PAS) that can take the value PA (privilege-aware) and NPA (not-PA). PAS is a transitional mechanism that allows a choice between full compatibility with the old superuser model and completely ignoring the effective UID.
To facilitate the discussion, we introduce the notion of "observed effective set" (oE) and "observed permitted set" (oP) and the implementation sets iE and iP.
A process becomes privilege-aware either by manipulating the effective, permitted, or limit privilege sets through setppriv(2) or by using setpflags(2). In all cases, oE and oP are invariant while the process becomes privilege-aware, and the following assignments take place:
iE = oE
iP = oP
When a process is privilege-aware, oE and oP are invariant under UID changes. When a process is not privilege-aware, oE and oP are observed as follows:
oE = euid == 0 ? L : iE
oP = (euid == 0 || ruid == 0 || suid == 0) ? L : iP
When a non-privilege-aware process has an effective UID of 0, it can exercise the privileges contained in its limit set, the upper bound of its privileges. If a non-privilege-aware process has any of its UIDs equal to 0, it will appear to be capable of potentially exercising all privileges in L.
It is possible for a process to return to the non-privilege-aware state using setpflags(2). The kernel will always attempt this on exec(2). This operation is permitted only if the following conditions are met:
When a process gives up privilege awareness, the following assignments take place:
if (euid == 0) iE = L & I
if (any uid == 0) iP = L & I
The privileges obtained when not having a UID of 0 are the inheritable set of the process restricted by the limit set.
Only privileges in the process's (observed) effective privilege set allow the process to perform restricted operations. A process can use any of the privilege manipulation functions to add or remove privileges from the privilege sets. Privileges can be removed always. Only privileges found in the permitted set can be added to the effective and inheritable set. The limit set cannot grow. The inheritable set can be larger than the permitted set.
When a process performs an exec(2), the kernel will first try to relinquish privilege awareness before making the following privilege set modifications:
E' = P' = I' = L & I
L is unchanged
If a process has not manipulated its privileges, the privilege sets effectively remain the same, as E, P and I are already identical.
The limit set is enforced at exec time.
To run a non-privilege-aware application in a backward-compatible manner, a privilege-aware application should start the non-privilege-aware application with I=basic.
For most privileges, absence of the privilege simply results in a failure. In some instances, the absence of a privilege can cause system calls to behave differently. In other instances, the removal of a privilege can force a set-uid application to seriously malfunction. Privileges of this type are considered "unsafe". When a process is lacking any of the unsafe privileges from its limit set, the system will not honor the set-uid bit of set-uid root applications. The following unsafe privileges have been identified: proc_setid, sys_resource and proc_audit.
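The set algebra described above (the observed sets oE/oP, becoming and relinquishing privilege awareness, the setppriv(2) growth rules, the exec(2) reset, and the "unsafe" privilege check on set-uid root execs) is easier to follow when it is executed. The following is an added example written for this page, not code from the manual or from Solaris: it models the transitions in portable C with privileges as bits in a mask, because the real priv_set_t and setppriv(2) interfaces only exist on Solaris. The bit positions, the handful of privileges chosen, the function names, and the rule used for when relinquishing privilege awareness is allowed (the page does not reproduce the kernel's conditions; the model requires that oE and oP stay unchanged) are all assumptions of this model.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the privilege sets on this page. Privileges are bits in
 * a mask; the real kernel uses priv_set_t and priv_addset(3C). Only a few of
 * the page's privileges are included and their bit positions are arbitrary. */
typedef uint32_t privset_t;
enum {
    PRIV_FILE_LINK_ANY = 1u << 0, PRIV_PROC_INFO  = 1u << 1,   /* basic */
    PRIV_PROC_SESSION  = 1u << 2, PRIV_PROC_FORK  = 1u << 3,   /* basic */
    PRIV_PROC_EXEC     = 1u << 4,                              /* basic */
    PRIV_PROC_SETID    = 1u << 5, PRIV_PROC_AUDIT = 1u << 6,   /* unsafe */
    PRIV_SYS_RESOURCE  = 1u << 7,                              /* unsafe */
    PRIV_NET_PRIVADDR  = 1u << 8, PRIV_SYS_MOUNT  = 1u << 9,
};
#define PRIV_ALL    ((privset_t)((1u << 10) - 1))
#define PRIV_BASIC  ((privset_t)(PRIV_FILE_LINK_ANY | PRIV_PROC_INFO | \
                     PRIV_PROC_SESSION | PRIV_PROC_FORK | PRIV_PROC_EXEC))
#define PRIV_UNSAFE ((privset_t)(PRIV_PROC_SETID | PRIV_SYS_RESOURCE | PRIV_PROC_AUDIT))

enum which { SET_E, SET_P, SET_I, SET_L };

typedef struct {
    unsigned ruid, euid, suid;
    bool pa;                 /* Privilege Awareness State: true = PA, false = NPA */
    privset_t iE, iP, I, L;  /* implementation sets iE and iP, plus I and L */
} cred_t;

/* oE and oP: an NPA process with the relevant UID equal to 0 observes L. */
privset_t observed_E(const cred_t *c) {
    return (!c->pa && c->euid == 0) ? c->L : c->iE;
}
privset_t observed_P(const cred_t *c) {
    bool any_root = c->euid == 0 || c->ruid == 0 || c->suid == 0;
    return (!c->pa && any_root) ? c->L : c->iP;
}

/* Becoming PA keeps oE and oP invariant: iE = oE, iP = oP. */
void become_pa(cred_t *c) {
    if (c->pa) return;
    privset_t oE = observed_E(c), oP = observed_P(c);
    c->iE = oE;
    c->iP = oP;
    c->pa = true;
}

/* Giving up PA: if (euid == 0) iE = L & I; if (any uid == 0) iP = L & I.
 * Model's own rule (assumption): allowed only if oE and oP stay unchanged. */
bool relinquish_pa(cred_t *c) {
    if (!c->pa) return true;
    cred_t t = *c;
    t.pa = false;
    if (t.euid == 0) t.iE = t.L & t.I;
    if (t.euid == 0 || t.ruid == 0 || t.suid == 0) t.iP = t.L & t.I;
    if (observed_E(&t) != observed_E(c) || observed_P(&t) != observed_P(c))
        return false;
    *c = t;
    return true;
}

/* setppriv(2)-style manipulation: touching E, P or L makes the process PA;
 * removal is always allowed; E and I may only be grown from P; L never grows. */
bool priv_add(cred_t *c, enum which w, privset_t s) {
    if (w == SET_L || w == SET_P) return false;   /* L cannot grow; P only changes at exec */
    if ((s & observed_P(c)) != s) return false;   /* not in the permitted set */
    if (w == SET_E) { become_pa(c); c->iE |= s; }
    else c->I |= s;                               /* I may end up larger than P */
    return true;
}
void priv_remove(cred_t *c, enum which w, privset_t s) {
    switch (w) {
    case SET_E: become_pa(c); c->iE &= ~s; break;
    case SET_P: become_pa(c); c->iP &= ~s; c->iE &= ~s; break; /* keeps E within P */
    case SET_I: c->I &= ~s; break;
    case SET_L: become_pa(c); c->L &= ~s; break;  /* enforced only at the next exec */
    }
}

/* A UID change: for a PA process oE/oP are invariant, for NPA they follow the UIDs. */
void model_seteuid(cred_t *c, unsigned uid) { c->euid = uid; }

/* exec(2): try to drop PA, then E' = P' = I' = L & I with L unchanged. A set-uid
 * root image is honoured only if all unsafe privileges are still in L. */
bool model_exec(cred_t *c, bool setuid_root_image) {
    relinquish_pa(c);             /* the kernel only attempts this; failure keeps PA */
    bool honoured = setuid_root_image && (c->L & PRIV_UNSAFE) == PRIV_UNSAFE;
    if (honoured) c->euid = c->suid = 0;
    c->iE = c->iP = c->I = c->L & c->I;
    return honoured;
}

/* A set-uid root program just started by UID 100, before it touches privileges. */
cred_t setuid_root_process(void) {
    cred_t c = { .ruid = 100, .euid = 0, .suid = 0, .pa = false,
                 .iE = PRIV_BASIC, .iP = PRIV_BASIC, .I = PRIV_BASIC, .L = PRIV_ALL };
    return c;
}

int main(void) {
    cred_t c = setuid_root_process();
    printf("NPA, euid 0:   oE=0x%03x\n", observed_E(&c));   /* all of L */
    priv_remove(&c, SET_E, PRIV_SYS_MOUNT);                 /* the process is now PA */
    model_seteuid(&c, 100);
    printf("PA,  euid 100: oE=0x%03x\n", observed_E(&c));   /* kept across the UID change */
    return 0;
}
```

The point the model makes visible is the one that matters for defenders reviewing set-uid root programs: an NPA program sheds everything when it drops its effective UID, but the moment a program touches E, P or L with setppriv(2) it becomes PA, keeps whatever it observed at that moment across later UID changes, and can no longer return to NPA if that would silently regain a privilege it removed.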
In certain circumstances, a single privilege could lead to a process gaining one or more additional privileges that were not explicitly granted to that process. To prevent such an escalation of privileges, the security policy will require explicit permission for those additional privileges.
Common examples of escalation are those mechanisms that allow modification of system resources through "raw" interfaces; for example, changing kernel data structures through /dev/kmem or changing files through /dev/dsk/*. Escalation also occurs when a process controls processes with more privileges than the controlling process. A special case of this is manipulating or creating objects owned by UID 0 or trying to obtain UID 0 using setuid(2). The special treatment of UID 0 is needed because the UID 0 owns all system configuration files and ordinary file protection mechanisms allow processes with UID 0 to modify the system configuration. With appropriate file modifications, a given process running with an effective UID of 0 can gain all privileges.
In situations where a process might obtain UID 0, the security policy requires additional privileges, up to the full set of privileges. Such restrictions could be relaxed or removed at such time as additional mechanisms for protection of system files became available. There are no such mechanisms in the current Solaris release.
The use of UID 0 processes should be limited as much as possible. They should be replaced with programs running under a different UID but with exactly the privileges they need.
Daemons that never need to exec subprocesses should remove the PRIV_PROC_EXEC privilege from their permitted and limit sets.
When privileges are assigned to a user, the system administrator could give that user more powers than intended. The administrator should consider whether safeguards are needed. For example, if the PRIV_PROC_LOCK_MEMORY privilege is given to a user, the administrator should consider setting the project.max-locked-memory resource control as well, to prevent that user from locking all memory.
When a system call fails with a permission error, it is not always immediately obvious what caused the problem. To debug such a problem, you can use a tool called privilege debugging. When privilege debugging is enabled for a process, the kernel reports missing privileges on the controlling terminal of the process. (Enable debugging for a process with the -D option of ppriv(1).) Additionally, the administrator can enable system-wide privilege debugging by setting the system(4) variable priv_debug using:
set priv_debug = 1
On a running system, you can use mdb(1) to change this variable.
The Solaris Management Console (see smc(1M)) is the preferred method of modifying privileges for a command. Use usermod(1M) or smrole(1M) to assign privileges to or modify privileges for, respectively, a user or a role. Use ppriv(1) to enumerate the privileges supported on a system and truss(1) to determine which privileges a program requires.
mdb(1), ppriv(1), add_drv(1M), ifconfig(1M), lockd(1M), nfsd(1M), rem_drv(1M), smbd(1M), update_drv(1M), Intro(2), access(2), acct(2), acl(2), adjtime(2), audit(2), auditon(2), chmod(2), chown(2), chroot(2), creat(2), exec(2), fcntl(2), fork(2), fpathconf(2), getacct(2), getpflags(2), getppriv(2), getsid(2), kill(2), link(2), memcntl(2), mknod(2), mount(2), msgctl(2), nice(2), ntp_adjtime(2), open(2), p_online(2), priocntl(2), priocntlset(2), processor_bind(2), pset_bind(2), pset_create(2), readlink(2), resolvepath(2), rmdir(2), semctl(2), setauid(2), setegid(2), seteuid(2), setgid(2), setgroups(2), setpflags(2), setppriv(2), setrctl(2), setregid(2), setreuid(2), setrlimit(2), settaskid(2), setuid(2), shmctl(2), shmget(2), shmop(2), sigsend(2), stat(2), statvfs(2), stime(2), swapctl(2), sysinfo(2), uadmin(2), ulimit(2), umount(2), unlink(2), utime(2), utimes(2), bind(3SOCKET), door_ucred(3C), priv_addset(3C), priv_set(3C), priv_getbyname(3C), priv_getbynum(3C), priv_set_to_str(3C), priv_str_to_set(3C), socket(3SOCKET), t_bind(3NSL), timer_create(3C), ucred_get(3C), exec_attr(4), proc(4), system(4), user_attr(4), xVM(5), ddi_cred(9F), drv_priv(9F), priv_getbyname(9F), priv_policy(9F), priv_policy_choice(9F), priv_policy_only(9F)
System Administration Guide: Security Services