Skip to main content

Setting privileges to an user Solaris 10

Root, root, root, everybody always wants root.  Developers, application administrators, users, they all seem to find a reason to "need" root access.  Since normally these needs are for access to particular files or to perform very specific tasks, only a subset of root's access is actually needed.  File access should be trivial enough, just configure the appropriate permissions or FACLs.  For executable processes, traditionally 'sudo' or 'op' would come to mind.  In Solaris, however, we could instead use RBAC and privileges, which are natively available.
Our host details for this are:
 
        HOST:           snorkle
        PROMPT:         user@snorkle [0]
        OS:             Solaris 10 10/09
        USER:           johnc
        ROLE:           netrole
For a sample setup, we have user 'johnc' from group 'neteng' who is tasked
with managing the network interfaces and routes on a system.  He will need
access to 'ifconfig', 'route', 'dladm', 'snoop', and 'tcpdump'.  Since we
won't give him root access, let's see how he fares with each command
and what we can do to help.  Starting simple, 'johnc' uses 'ifconfig'
to check the available interfaces and attempt to bring "e1000g0" online:
        johnc@snorkle [0] /usr/sbin/ifconfig -a
        lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
                inet 127.0.0.1 netmask ff000000 
        e1000g1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
                inet 192.168.56.15 netmask ffffff00 broadcast 192.168.56.255
        johnc@snorkle [0] /usr/sbin/ifconfig e1000g0 plumb
        ifconfig: cannot open link "e1000g0": Permission denied
        johnc@snorkle [1] 
As expected, he can review what's already configured but gets "Permission
denied" for trying to online "e1000g0".  Being the diligent user he is,
'johnc' tries to online "e1000g0" again, but this time he uses 'ppriv'
(see note 1) to determine what's preventing him:
        johnc@snorkle [1] /bin/ppriv -eD /usr/sbin/ifconfig e1000g0 plumb
        ifconfig[514]: missing privilege "net_rawaccess" (euid = 1002, syscall = 5) for \
          "devpolicy" needed at spec_open+0xbf
        ifconfig[514]: missing privilege "net_rawaccess" (euid = 1002, syscall = 5) for \
          "devpolicy" needed at spec_open+0xbf
        ifconfig[514]: missing privilege "net_rawaccess" (euid = 1002, syscall = 5) for \
          "devpolicy" needed at spec_open+0xbf
        ifconfig: cannot open link "e1000g0": Permission denied
Alright, 'johnc' needs the "net_rawaccess" privilege to actually manage
interfaces.  So that he doesn't have to keep running back to us, 'johnc'
tries the rest of the commands:
        johnc@snorkle [1] /bin/ppriv -eD /usr/sbin/snoop -d e1000g1
        snoop[516]: missing privilege "net_rawaccess" (euid = 1002, syscall = 5) for \
          "devpolicy" needed at spec_open+0xbf
        snoop[516]: missing privilege "net_rawaccess" (euid = 1002, syscall = 5) for \
          "devpolicy" needed at spec_open+0xbf
        snoop[516]: missing privilege "net_rawaccess" (euid = 1002, syscall = 5) for \
          "devpolicy" needed at spec_open+0xbf
        snoop: cannot open "e1000g1": Permission denied
        johnc@snorkle [1] /bin/ppriv -eD /usr/local/sbin/tcpdump -i e1000g1
        tcpdump[874]: missing privilege "net_rawaccess" (euid = 1002, syscall = 225) for \
          "devpolicy" needed at spec_open+0xbf
        tcpdump: e1000g1: You don't have permission to capture on that device
        (/dev/e1000g: Permission denied)
        johnc@snorkle [0] /usr/sbin/dladm show-dev -p
        /usr/sbin/dladm: insufficient privileges
        johnc@snorkle [1] /bin/ppriv -eDv /usr/sbin/dladm show-dev -p
        /usr/sbin/dladm: insufficient privileges
        johnc@snorkle [1] /usr/sbin/route add -net 192.168.75.0/24 192.168.56.2
        add net 192.168.75.0/24: gateway 192.168.56.2: insufficient privileges
        johnc@snorkle [1] /bin/ppriv -eDv /usr/sbin/route add -net 192.168.75.0/24 192.168.56.2
        route[688]: missing privilege "sys_ip_config" (euid = 1002, syscall = 4) needed \
          at ip_rts_request+0x164
        add net 192.168.75.0/24: gateway 192.168.56.2: insufficient privileges
All of the above commands have failed due to missing privileges.
Aside from 'dladm', each command executed through 'ppriv' returned the
missing privileges.  As a final check, 'johnc' runs 'ppriv' against
his current terminal process to see what privileges he currently has
(see note 2):
        johnc@snorkle [0] /bin/ppriv $$
        501:    -ksh
        flags = <none>
                E: basic
                I: basic
                P: basic
                L: all
        johnc@snorkle [0]
Having returned to us with the above information, let's see what other
details we can dig up to help 'johnc'.  Since RBAC and privileges
are closely related, we can check for the commands 'johnc' needs in
RBAC's execution database 'exec_attr':
        root@snorkle [0] /bin/egrep 'ifconfig|snoop|tcpdump|dladm|route' /etc/security/exec_attr
        Network Management:solaris:cmd:::/sbin/dladm:privs=sys_net_config
        Network Management:solaris:cmd:::/sbin/ifconfig:uid=0
        Network Management:solaris:cmd:::/sbin/route:privs=sys_ip_config
        Network Management:solaris:cmd:::/sbin/routeadm:euid=0; privs=proc_chroot,\
          proc_owner,sys_ip_config
        Network Management:suser:cmd:::/usr/sbin/ifconfig:uid=0
        Network Management:suser:cmd:::/usr/sbin/route:uid=0
        Network Management:suser:cmd:::/usr/sbin/snoop:uid=0
Based on the format for 'exec_attr', all but 'tcpdump' are part of
the preconfigured "Network Management" RBAC profile.  We also see the
"sys_net_config" privilege for 'dladm' which we didn't previously know.
Reviewing 'exec_attr' for the "Network Management" profile, we see it
has 18 commands associated with it:
        root@snorkle [0] grep "Network Management:" /etc/security/exec_attr | grep ":cmd:"
        Network Management:solaris:cmd:::/sbin/dladm:privs=sys_net_config
        Network Management:solaris:cmd:::/sbin/ifconfig:uid=0
        Network Management:solaris:cmd:::/sbin/route:privs=sys_ip_config
        Network Management:solaris:cmd:::/sbin/routeadm:euid=0; privs=proc_chroot,proc_owner,\
          sys_ip_config
        Network Management:solaris:cmd:::/usr/sbin/quaggaadm:privs=basic
        Network Management:solaris:cmd:::/usr/sbin/zebraadm:privs=basic
        Network Management:suser:cmd:::/usr/bin/netstat:uid=0
        Network Management:suser:cmd:::/usr/bin/rup:euid=0
        Network Management:suser:cmd:::/usr/bin/ruptime:euid=0
        Network Management:suser:cmd:::/usr/bin/setuname:euid=0
        Network Management:suser:cmd:::/usr/sbin/asppp2pppd:euid=0
        Network Management:suser:cmd:::/usr/sbin/ifconfig:uid=0
        Network Management:suser:cmd:::/usr/sbin/ipaddrsel:euid=0
        Network Management:suser:cmd:::/usr/sbin/ipqosconf:euid=0
        Network Management:suser:cmd:::/usr/sbin/rndc:privs=file_dac_read
        Network Management:suser:cmd:::/usr/sbin/route:uid=0
        Network Management:suser:cmd:::/usr/sbin/snoop:uid=0
        Network Management:suser:cmd:::/usr/sbin/spray:euid=0
Since 'johnc' currently only needs access to 5 commands, we can create
a role for him and group 'neteng' to use.  The following creates a new
role, netrole, and sets a password to it (see note 3):
        root@snorkle [0] /usr/sbin/groupadd -g 10300 netrole
        root@snorkle [0] /usr/sbin/roleadd -u 10300 -g 10300 -c "Minimal Network Role" \
          -d /export/roles/netrole -m -s /bin/pfksh netrole
        64 blocks
        root@snorkle [0] /bin/passwd netrole 
        New Password: 
        Re-enter new Password:  
        passwd: password successfully changed for netrole
        root@snorkle [0]
    Of note, in Solaris 11 (Express) a role can be configured to allow
    a user to use their own login password to access the role:
                root@snorkle [0] /usr/sbin/rolemod -K roleauth=user netrole
Since we don't want this role associated with the default profile
(ALL), we add profile "NetRole" to 'prof_attr' and set 'netrole' with
the profile.  We also set the default privileges to be those identified
above (see note 4):
        root@snorkle [0] echo "NetRole:::profile managing NICs and routes:">> /etc/security/prof_attr
        root@snorkle [0] /usr/sbin/rolemod -P NetRole -K defaultpriv=basic,net_rawaccess,\
          sys_ip_config,sys_net_config netrole
After associating 'johnc' with role 'netrole' below via 'usermod', we
can see that our user's account hasn't been modified with a check of
'id' and review of '/etc/passwd':
        root@snorkle [0] /usr/sbin/usermod -R netrole johnc
        root@snorkle [0] /bin/id -a johnc
        uid=1002(johnc) gid=1002(neteng) groups=1002(neteng)
        root@snorkle [0] /bin/id -a netrole
        uid=10300(netrole) gid=10300(netrole) groups=10300(netrole)
        root@snorkle [0] /bin/egrep 'johnc|netrole' /etc/passwd
        johnc:x:1002:1002:John Chambers:/export/home/johnc:/bin/ksh
        netrole:x:10300:10300:Minimal Network Role:/export/roles/netrole:/bin/pfksh
        root@snorkle [0] /bin/egrep 'johnc|netrole' /etc/user_attr
        netrole::::type=role;profiles=NetRole;defaultpriv=basic,net_rawaccess,sys_ip_config,\
          sys_net_config
        johnc::::type=normal;roles=netrole
        root@snorkle [0] /bin/roles johnc
        netrole 
The association of 'johnc' to role 'netrole' is contained within
'/etc/user_attr' and verified with 'roles' above.  At this point, we've
given 'johnc' a subset of root's privileges allowing him to accomplish
only what he needs:
        johnc@snorkle [0] /usr/sbin/ifconfig e1000g0 plumb
        ifconfig: cannot open link "e1000g0": Permission denied
        johnc@snorkle [1] /sbin/su - netrole
        Password: 
        netrole@snorkle [0] /bin/ppriv $$
        945:    -pfksh
        flags = <none>
                E: basic,net_rawaccess,sys_ip_config,sys_net_config
                I: basic,net_rawaccess,sys_ip_config,sys_net_config
                P: basic,net_rawaccess,sys_ip_config,sys_net_config
                L: all
To illustrate how 'johnc' can use the new 'netrole', we have 'johnc'
try to online "e1000g0" again, only to fail.  We didn't give any extra
privileges to 'johnc', we gave them to 'netrole' which we can see above
after the 'su'.  In the following, we see that by using role 'netrole',
'johnc' now has the access and privileges he needs:
        netrole@snorkle [0] /usr/sbin/ifconfig e1000g0 plumb
        netrole@snorkle [0] /bin/grep snorkle /etc/hosts
        192.168.56.15   snorkle loghost
        10.0.23.191     snorkle-priv
        netrole@snorkle [0] /usr/sbin/ifconfig e1000g0 10.0.23.191 netmask 255.255.254.0 \
          broadcast + up
        netrole@snorkle [0] /usr/sbin/ifconfig -a
        lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
                inet 127.0.0.1 netmask ff000000
        e1000g0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 3
                inet 10.0.23.191 netmask fffffe00 broadcast 10.0.23.255
                ether 8:0:27:56:c2:d
        e1000g1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
                inet 192.168.56.15 netmask ffffff00 broadcast 192.168.56.255
                ether 8:0:27:cb:f8:20
        netrole@snorkle [0] /usr/sbin/snoop -d e1000g0
        Using device e1000g1 (promiscuous mode)
        10.0.23.181 -> snorkle-priv      ICMP Echo request (ID: 63848 Sequence number: 1)
             snorkle-priv -> 10.0.23.181 ICMP Echo reply (ID: 63848 Sequence number: 1)
        10.0.23.181 -> snorkle-priv      ICMP Echo request (ID: 63848 Sequence number: 2)
             snorkle-priv -> 10.0.23.181 ICMP Echo reply (ID: 63848 Sequence number: 2)
        <snip...>
        netrole@snorkle [0] /usr/local/sbin/tcpdump -i e1000g1
        tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
        listening on e1000g1, link-type EN10MB (Ethernet), capture size 65535 bytes
        18:37:10.382886 IP 10.0.23.181 > snorkle-priv: ICMP echo request, id 5993, seq 22, length 64
        18:37:10.382920 IP snorkle-priv > 10.0.23.181: ICMP echo reply, id 5993, seq 22, length 64
        18:37:11.383959 IP 10.0.23.181 > snorkle-priv: ICMP echo request, id 5993, seq 23, length 64
        18:37:11.383999 IP snorkle-priv > 10.0.23.181: ICMP echo reply, id 5993, seq 23, length 64
        <snip...>
        netrole@snorkle [0] /usr/sbin/dladm show-dev -p
        e1000g0 link=up speed=1000 duplex=full
        e1000g1 link=up speed=1000 duplex=full
        netrole@snorkle [0] /usr/sbin/route add -net 192.168.75.0/24 192.168.56.2
        add net 192.168.75.0/24: gateway 192.168.56.2
        netrole@snorkle [0] /bin/netstat -rn

        Routing Table: IPv4
          Destination           Gateway           Flags  Ref     Use     Interface
        -------------------- -------------------- ----- ----- ---------- ---------
        default              127.0.0.1            U         1          0 lo0
        10.0.22.0            10.0.23.191          U         1          0 e1000g0
        192.168.56.0         192.168.56.15        U         1          5 e1000g1
        192.168.75.0         192.168.56.2         UG        1          0
        224.0.0.0            192.168.56.15        U         1          0 e1000g1
        127.0.0.1            127.0.0.1            UH        1          0 lo0


Notes

Note 1:  To see what privileges are available on the overall system,
    execute 'ppriv -l'.  To get further information, execute 'ppriv -lv'
    or see the privileges(5) man page:
        root@snorkle [0] /bin/ppriv -l
        contract_event
        contract_observer
        cpc_cpu
        dtrace_kernel
        dtrace_proc
        <snip...>
        root@snorkle [0] /bin/ppriv -lv
        contract_event
                Allows a process to request critical events without limitation.
                Allows a process to request reliable delivery of all events on
                any event queue.
        contract_observer
                Allows a process to observe contract events generated by
                contracts created and owned by users other than the process's
                effective user ID.
                Allows a process to open contract event endpoints belonging to
                contracts created and owned by users other than the process's
                effective user ID.
        cpc_cpu
                Allow a process to access per-CPU hardware performance counters.
        dtrace_kernel 
                Allows DTrace kernel-level tracing.
        dtrace_proc
                Allows DTrace process-level tracing.
                Allows process-level tracing probes to be placed and enabled in
                processes to which the user has permissions.
        dtrace_user 
        <snip...>
Note 2:  Default privileges allowed to a user:
        johnc@snorkle [0] /bin/ppriv -v $$
        501:    -ksh
        flags = <none>
                E: file_link_any,proc_exec,proc_fork,proc_info,proc_session
                I: file_link_any,proc_exec,proc_fork,proc_info,proc_session
                P: file_link_any,proc_exec,proc_fork,proc_info,proc_session
                L: contract_event,contract_observer,cpc_cpu,dtrace_kernel,... 
        johnc@snorkle [0]

    E => effective privileges currently in effect
    I => privileges inherited on exec
    P => the maximum set of privileges for the process
    L => upper limit of privileges a process and its offspring can obtain

    "basic" privileges:

        file_link_any
                Allows a process to create hardlinks to files owned by a uid
                different from the process' effective uid.

        proc_exec
                Allows a process to call execve().

        proc_fork
                Allows a process to call fork1()/forkall()/vfork()

        proc_info
                Allows a process to examine the status of processes other
                than those it can send signals to.  Processes which cannot
                be examined cannot be seen in /proc and appear not to exist.
     
        proc_session
                Allows a process to send signals or trace processes outside its
                session.
Note 3:  The parameters for 'roleadd' are very similar to 'useradd'.
    If not specified, the default role values are::
        root@snorkle [0] /usr/sbin/roleadd -D
        group=other,1  project=default,3  basedir=/home
        skel=/etc/skel  shell=/bin/pfsh  inactive=0
        expire=  auths=  profiles=All  limitpriv=
        defaultpriv=  lock_after_retries=
Note 4:  Rather than assigning privileges, we could have updated
    /etc/security/exec_attr, associating each command (and tcpdump)
    to the new "NetRole" profile.  We didn't since this was entirely an
    exercise in using privileges.

Comments

Popular posts from this blog

Solaris. remove unusable scsi lun

Solaris remove unusable or failing scsi lun 1. The removed devices show up as drive not available in the output of the format command: # format Searching for disks...done ................      255. c1t50000974082CCD5Cd249 <drive not available>           /pci@3,700000/SUNW,qlc@0/fp@0,0/ssd@w50000974082ccd5c,f9 ................      529. c3t50000974082CCD58d249 <drive not available>           /pci@7,700000/SUNW,qlc@0/fp@0,0/ssd@w50000974082ccd58,f9 2. After the LUNs are unmapped Solaris displays the devices as either unusable or failing. # cfgadm -al -o show_SCSI_LUN | grep -i unusable # # cfgadm -al -o show_SCSI_LUN | grep -i failing c1::50000974082ccd5c,249       disk         connected    configured   failing c3::50000974082ccd58,249 ...

memory error detect XSCF uboot

If you see something like this when you poweron you server: memory error detect 80000008, address 000002d0 data 55555555 -> fbefaaaa capture_data hi fbefaaaa lo deadbeef ecc 1b1b capture_attributes 01113001 address 000002d0 memory error detect 80000008, address 000002d4 data aaaaaaaa -> deadbeef capture_data hi fbefaaaa lo deadbeef ecc 1b1b capture_attributes 01113001 address 000002d4 memXSCF uboot  01070000  (Feb  8 2008 - 11:12:19) XSCF uboot  01070000  (Feb  8 2008 - 11:12:19) SCF board boot factor = 7180     DDR Real size: 256 MB     DDR: 224 MB Than your XSCF card is broked. Replace it with new one. After that it will ask you for enter chassis number - located at front of the server XSCF promt to enter your chasses number ( is a S/N of your server ): Please input the chassis serial number : XXXXXXX 1:PANEL Please select the number : 1 Restoring data from PANEL to XSCF#0. Please wait for se...

SPARC OBP cheatsheet

Boot PROM Basics Boot PROM(programmable read only memory): It is a firmware (also known as the monitor program) provides: 1. basic hardware testing & initialization before booting. 2. contains a user interface that provide access to many important functions. 3. enables the system to boot from wide range of devices. It controls the system operation before the kernel becomes available. It provides a user interface and firmware utility commands known as FORTH command set. These commands include the boot commands, the diagnostic commands & the commands for modifying the default configuration. Command to determine the version of the Open Boot PROM on the system: # /usr/platform/'uname -m'/sbin/prtdiag -v (output omitted) System PROM revisions: ---------------------- OBP 4.16.4 2004/12/18 05:21 Sun Blade 1500 (Silver) OBDIAG 4.16.4.2004/12/18 05:21 # prtconf -v OBP 4.16.4 2004/12/18 05:21 Open Boot Architectures Standards: It is based on IEEE standard #1275, accord...