Re: (mis)using RBAC...

From: Glenn M. Brunette, Jr. (Glenn.Brunette_at_Sun.COM)
Date: 04/15/05

Date: Fri, 15 Apr 2005 11:51:12 -0400
To: benjamin brumaire <>


benjamin brumaire wrote:
> On Solaris 10 you should try to give the http daemon the privilege to
> open privileged port "PRIV_NET_PRIVADDR" so it doesn't need to be started
> as root :)

This is exactly the focus of the article to be published next month.
There are a few things you need to do besides just changing the UID
and privilege sets for this to work which is why I wrote it up as
a Sun BluePrints Cookbook. In addition, you can also remove some
of the default (basic) privileges from the service since Apache will
not need them. As a teaser, what you will be left with is something

# svcprop -v -p start apache2
start/exec astring /lib/svc/method/http-apache2\ start
start/timeout_seconds count 60
start/type astring method
start/user astring webservd
start/group astring webservd
start/privileges astring
start/limit_privileges astring :default
start/use_profile boolean false
start/supp_groups astring :default
start/working_directory astring :default
start/project astring :default
start/resource_pool astring :default

I will make a note on my blog when the new article is published.

Take care,

Glenn M. Brunette, Jr.
Distinguished Engineer, Chief Security Architect
Client Solutions, Global Data Center Practice CTO
Sun Microsystems, Inc.
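
As an added example (not code from this post, nor from the Sun BluePrints Cookbook it mentions), the shell script below audits text in the svcprop format shown above for a least-privilege start context and prints the svccfg commands that would set one. The sample svcprop text is constructed; the privilege set basic,!proc_session,!proc_info,!file_link_any,net_privaddr is an assumed illustration, since the post's own start/privileges value is not shown; and the preparation steps the post alludes to beyond the method context are not covered.

```shell
#!/bin/sh
# Audit an SMF start-method context for least privilege.
# Input is text in the format printed by `svcprop -v -p start <fmri>`
# (property, type, value per line). Everything here is POSIX sh + awk,
# so the checks run anywhere; svccfg is only printed, never executed.

# Constructed sample svcprop output for a hardened service. The privilege
# set is an ASSUMED illustration: the post's start/privileges value is
# not shown.
SAMPLE_OK='start/exec astring /lib/svc/method/http-apache2\ start
start/user astring webservd
start/group astring webservd
start/privileges astring basic,!proc_session,!proc_info,!file_link_any,net_privaddr
start/limit_privileges astring :default
start/use_profile boolean false'

# Constructed sample for a stock service that still starts as root.
SAMPLE_BAD='start/exec astring /lib/svc/method/http-apache2\ start
start/user astring root
start/group astring root
start/privileges astring :default
start/limit_privileges astring :default'

# prop_value TEXT PROPERTY
# Prints the value of PROPERTY (everything after the type column), or
# nothing if the property is absent.
prop_value() {
    printf '%s\n' "$1" |
        awk -v p="$2" '$1 == p { $1 = ""; $2 = ""; sub(/^ */, ""); print; exit }'
}

# dropped_privs TEXT
# Prints, space separated, the privileges removed from the basic set
# (entries written as "!name" in start/privileges).
dropped_privs() {
    prop_value "$1" start/privileges | tr ',' '\n' |
        awk '/^!/ { sub(/^!/, ""); printf "%s%s", sep, $0; sep = " " } END { print "" }'
}

# audit_method_context TEXT
# Returns 0 when the method runs as a non-root user with an explicit
# privilege set that grants net_privaddr (bind to ports below 1024 without
# root), 1 otherwise. ":default" counts as a failure because it leaves the
# privilege set implicit instead of stating the minimum the service needs.
audit_method_context() {
    ctx_user=$(prop_value "$1" start/user)
    ctx_privs=$(prop_value "$1" start/privileges)
    case "$ctx_user" in
        ''|root|:default) return 1 ;;
    esac
    case "$ctx_privs" in
        ''|:default) return 1 ;;
    esac
    case ",$ctx_privs," in
        *,net_privaddr,*) return 0 ;;
    esac
    return 1
}

# harden_cmds FMRI USER GROUP PRIVS
# Prints the svccfg/svcadm commands that would set the method context.
# Printed rather than run: the post notes that more than the UID and
# privilege sets must change (for example, directories the daemon writes
# must be accessible to USER; an assumed step, not detailed in the post).
harden_cmds() {
    cat <<EOF
svccfg -s $1 setprop start/user = astring: $2
svccfg -s $1 setprop start/group = astring: $3
svccfg -s $1 setprop start/privileges = astring: "$4"
svcadm refresh $1
svcadm restart $1
EOF
}

# Stand-alone demonstration.
if audit_method_context "$SAMPLE_OK"; then
    echo "hardened context: OK (dropped: $(dropped_privs "$SAMPLE_OK"))"
fi
if ! audit_method_context "$SAMPLE_BAD"; then
    echo "stock context: runs as root with an implicit privilege set"
    harden_cmds svc:/network/http:apache2 webservd webservd \
        'basic,!proc_session,!proc_info,!file_link_any,net_privaddr'
fi
```

Feed it real output with something like svcprop -v -p start apache2 captured into a variable; the audit only reads the user and privileges properties, so extra properties in the output are ignored.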