Re: (mis)using RBAC...

From: Glenn M. Brunette, Jr. (Glenn.Brunette_at_Sun.COM)
Date: 04/15/05


Date: Fri, 15 Apr 2005 11:51:12 -0400
To: benjamin brumaire <benjamin@brumaire.biz>


Benjamin,

benjamin brumaire wrote:
>
> On Solaris 10 you should try to give the http daemon the privilege to
> open privileged port "PRIV_NET_PRIVADDR" so it doesn't need to be started
> as root :)

This is exactly the focus of the article to be published next month.
There are a few things you need to do besides just changing the UID
and privilege sets for this to work which is why I wrote it up as
a Sun BluePrints Cookbook. In addition, you can also remove some
of the default (basic) privileges from the service since Apache will
not need them. As a teaser, what you will be left with is something
like:

# svcprop -v -p start apache2
start/exec astring /lib/svc/method/http-apache2\ start
start/timeout_seconds count 60
start/type astring method
start/user astring webservd
start/group astring webservd
start/privileges astring basic,!proc_session,!proc_info,!file_link_any,net_privaddr
start/limit_privileges astring :default
start/use_profile boolean false
start/supp_groups astring :default
start/working_directory astring :default
start/project astring :default
start/resource_pool astring :default

I will make a note on my blog when the new article is published.

Take care,
g

-- 
Glenn M. Brunette, Jr.
Distinguished Engineer, Chief Security Architect
Client Solutions, Global Data Center Practice CTO
Sun Microsystems, Inc.
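The following is an added example, not code from Glenn's mail or from the Sun BluePrints cookbook it announces. It audits an `svcprop -v -p start` dump of an SMF method against the settings shown above: the method must run as a non-root user, must hold `net_privaddr` so that user can still bind port 80, and should have the unneeded basic privileges (`proc_session`, `proc_info`, `file_link_any`) dropped. The `SAMPLE_PROPS` text is constructed to mirror the teaser output; in practice you would pipe the real `svcprop` output into `audit_method`.

```shell
#!/bin/sh
# Added example: audit an SMF start-method property dump for least privilege.
# SAMPLE_PROPS is constructed to match the apache2 teaser output in the mail.

SAMPLE_PROPS='start/exec astring /lib/svc/method/http-apache2\ start
start/timeout_seconds count 60
start/type astring method
start/user astring webservd
start/group astring webservd
start/privileges astring basic,!proc_session,!proc_info,!file_link_any,net_privaddr
start/limit_privileges astring :default
start/use_profile boolean false'

# prop_value NAME: print the value of start/NAME from svcprop -v output on stdin
prop_value() {
    awk -v key="start/$1" '$1 == key { $1 = ""; $2 = ""; sub(/^  /, ""); print; exit }'
}

# has_priv PRIVSET NAME: succeed if NAME is an exact entry of the comma-separated set
# (pass "!proc_info" to test for a dropped privilege)
has_priv() {
    printf '%s\n' "$1" | tr ',' '\n' | grep -qx "$2"
}

# audit_method: read svcprop -v -p start output from stdin, print one finding per
# line, return 0 when the method matches the policy in the mail, 1 otherwise
audit_method() {
    props=$(cat)
    rc=0
    user=$(printf '%s\n' "$props" | prop_value user)
    privs=$(printf '%s\n' "$props" | prop_value privileges)

    # A method with no start/user, or start/user=root, still runs as root
    if [ -z "$user" ] || [ "$user" = "root" ]; then
        echo "FAIL: start method runs as root (start/user=${user:-unset})"
        rc=1
    else
        echo "OK: start/user=$user"
    fi

    # Without net_privaddr the non-root user cannot bind a port below 1024
    if has_priv "$privs" net_privaddr; then
        echo "OK: net_privaddr granted, $user may bind port 80"
    else
        echo "FAIL: net_privaddr missing, binding port 80 as ${user:-root} will fail"
        rc=1
    fi

    # Basic privileges Apache does not need; advisory only
    for p in proc_session proc_info file_link_any; do
        if has_priv "$privs" "!$p"; then
            echo "OK: $p dropped from basic set"
        else
            echo "WARN: $p still present in basic set"
        fi
    done
    return $rc
}

# Stand-alone run over the constructed sample
printf '%s\n' "$SAMPLE_PROPS" | audit_method
```

Run it against a live service with `svcprop -v -p start apache2 | sh -c '. ./audit.sh >/dev/null; audit_method'`, or just paste the dump into `SAMPLE_PROPS`; a non-zero exit means the method is still root-run or cannot bind its port.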