From: FatAnt on 23 Jul 2010 13:58

Hi all,
I'm trying to configure Apache2 with RBAC to reduce some privileges and run this service only with user webservd...but the parent process (root) still exists!

my steps:

# svcadm -v disable -s apache2

# svccfg -s apache2
svc:/network/http:apache2> setprop start/user = astring: webservd
svc:/network/http:apache2> setprop start/group = astring: webservd
svc:/network/http:apache2> setprop start/privileges = astring: basic,!proc_session,!proc_info,!file_link_any,net_privaddr
svc:/network/http:apache2> end

# svcadm -v refresh apache2

# svcprop apache2 | grep ^start
startd/ignore_error astring core,signal
start/exec astring /lib/svc/method/http-apache2\ start
start/timeout_seconds count 60
start/type astring method
start/user astring webservd
start/group astring webservd
start/privileges astring basic,!proc_session,!proc_info,!file_link_any,net_privaddr

# svcadm -v enable -s apache2

# ps -ef | grep apache2
webservd 4205 4204 0 19:03:22 ? 0:00 /usr/apache2/bin/httpd -k start
root 4204 1 0 19:03:21 ? 0:00 /usr/apache2/bin/httpd -k start
webservd 4209 4204 0 19:03:22 ? 0:00 /usr/apache2/bin/httpd -k start
webservd 4208 4204 0 19:03:22 ? 0:00 /usr/apache2/bin/httpd -k start
webservd 4206 4204 0 19:03:22 ? 0:00 /usr/apache2/bin/httpd -k start
webservd 4207 4204 0 19:03:22 ? 0:00 /usr/apache2/bin/httpd -k start

...and obviously...
# ppriv 4204
4204: /usr/apache2/bin/httpd -k start
flags = <none>
        E: all
        I: basic
        P: all
        L: all

What's wrong? @!#!*
Any idea?

PS: sorry about my english
From: tim.wort on 24 Jul 2010 12:51

On Jul 23, 11:58 am, FatAnt <fat...(a)blackhole.null> wrote:
> Hi all,
> I'm trying to configure Apache2 with RBAC to reduce some privileges and
> run this service only with user webservd...but the parent process (root)
> still exists!
>
> my steps:
>
> # svcadm -v disable -s apache2
>
> # svccfg -s apache2
> svc:/network/http:apache2> setprop start/user = astring: webservd
> svc:/network/http:apache2> setprop start/group = astring: webservd
> svc:/network/http:apache2> setprop start/privileges = astring: basic,!proc_session,!proc_info,!file_link_any,net_privaddr
> svc:/network/http:apache2> end
>
> # svcadm -v refresh apache2
>
> # svcprop apache2 | grep ^start
> startd/ignore_error astring core,signal
> start/exec astring /lib/svc/method/http-apache2\ start
> start/timeout_seconds count 60
> start/type astring method
> start/user astring webservd
> start/group astring webservd
> start/privileges astring basic,!proc_session,!proc_info,!file_link_any,net_privaddr
>
> # svcadm -v enable -s apache2
>
> # ps -ef | grep apache2
> webservd 4205 4204 0 19:03:22 ? 0:00 /usr/apache2/bin/httpd -k start
> root 4204 1 0 19:03:21 ? 0:00 /usr/apache2/bin/httpd -k start
> webservd 4209 4204 0 19:03:22 ? 0:00 /usr/apache2/bin/httpd -k start
> webservd 4208 4204 0 19:03:22 ? 0:00 /usr/apache2/bin/httpd -k start
> webservd 4206 4204 0 19:03:22 ? 0:00 /usr/apache2/bin/httpd -k start
> webservd 4207 4204 0 19:03:22 ? 0:00 /usr/apache2/bin/httpd -k start
>
> ...and obviously...
> # ppriv 4204
> 4204: /usr/apache2/bin/httpd -k start
> flags = <none>
>         E: all
>         I: basic
>         P: all
>         L: all
>
> What's wrong? @!#!*
> Any idea?
>
> PS: sorry about my english

This link is the documentation to do what you are attempting; in this document Apache is in a zone, but that makes no difference. We do this very thing as a lab in the Solaris 10 Security course, and I wrote that lab based on this document by Glenn Brunette.

As I know this works and I have done it a number of times, I surmise that the properties that are set to the defaults (as noted in the white paper) may be required, although, to be honest, I have never tried without adding those defaults. You did not comment about the PID or LOG files, but failure to do that will result in the service failing to start; the rest of your message seems to indicate your procedure was correct. So... set the other properties. I would be interested to know if this corrects the problem.
From: FatAnt on 24 Jul 2010 14:03

tim.wort(a)Inklingresearch.com wrote:
> This link is the documentation to do what you are attempting...

.....and the link is? ;-)

PS: The document by Glenn Brunette is 819-2887....correct?
From: FatAnt on 25 Jul 2010 08:16

Hi Tim,

Solved ...but I applied some differences from the sample document (819-2680/819-2887):

--- Now the user webservd has the ability to restart the service (with svcadm disable/restart..etc).
--- All Apache files, logs, conf., pid etc. are only owned by user webservd because I didn't create other administrative roles (like svcadm or webdev).
--- Authorizations "sunw.smf.manage.http/apache2" and "sunw.smf.modify.application.http/apache2" have been applied to user webservd.

# ps -ef | grep apache2
webservd 2599 2596 0 12:52:06 ? 0:00 /usr/apache2/bin/httpd -k start
webservd 2600 2596 0 12:52:06 ? 0:00 /usr/apache2/bin/httpd -k start
webservd 2597 2596 0 12:52:06 ? 0:00 /usr/apache2/bin/httpd -k start
webservd 2598 2596 0 12:52:06 ? 0:00 /usr/apache2/bin/httpd -k start
webservd 2601 2596 0 12:52:06 ? 0:00 /usr/apache2/bin/httpd -k start
webservd 2596 1 0 12:52:05 ? 0:00 /usr/apache2/bin/httpd -k start

# ppriv 2596
2596: /usr/apache2/bin/httpd -k start
flags = <none>
        E: basic,!file_link_any,net_privaddr,!proc_info,!proc_session
        I: basic,!file_link_any,net_privaddr,!proc_info,!proc_session
        P: basic,!file_link_any,net_privaddr,!proc_info,!proc_session
        L: all

# netstat -naf inet | grep '*.80'
*.80 *.* 0 0 49152 0 LISTEN
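A check for the failure mode this thread describes, added here as an example and not part of the thread or of the Sun blueprint: a POSIX sh function that parses ppriv(1) output in the format shown above and verifies that the parent httpd's effective and permitted sets equal the configured start/privileges value, comparing them as sets because ppriv prints the privileges in a different order than they were typed into svccfg. The two ppriv outputs below are constructed from the "before" and "after" posts; on a real host you would feed it the output of ppriv on the parent PID and of svcprop -p start/privileges apache2.

```shell
#!/bin/sh
# Added example: verify that an SMF method credential (start/user +
# start/privileges) actually took effect on the parent httpd process.

# Constructed sample: the original post, parent still root with all privileges.
PPRIV_BEFORE='4204: /usr/apache2/bin/httpd -k start
flags = <none>
        E: all
        I: basic
        P: all
        L: all'

# Constructed sample: after the fix, every set reduced to the configured value.
PPRIV_AFTER='2596: /usr/apache2/bin/httpd -k start
flags = <none>
        E: basic,!file_link_any,net_privaddr,!proc_info,!proc_session
        I: basic,!file_link_any,net_privaddr,!proc_info,!proc_session
        P: basic,!file_link_any,net_privaddr,!proc_info,!proc_session
        L: all'

# The value as it was typed into svccfg (note: different order than ppriv prints).
EXPECTED='basic,!proc_session,!proc_info,!file_link_any,net_privaddr'

# priv_set OUTPUT LETTER -> prints the E, I, P or L set from ppriv output
priv_set() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2:[[:space:]]*//p"
}

# norm SET -> comma list sorted, so ordering differences do not matter
norm() {
    printf '%s\n' "$1" | tr ',' '\n' | sort | tr '\n' ',' | sed 's/,$//'
}

# check_privs OUTPUT EXPECTED -> 0 when E and P both equal EXPECTED as sets
# and neither is "all"; 1 otherwise, with the reason on stderr
check_privs() {
    e=$(priv_set "$1" E)
    p=$(priv_set "$1" P)
    for s in "$e" "$p"; do
        if [ "$s" = "all" ]; then
            echo "privilege set is 'all': method credential not applied" >&2
            return 1
        fi
    done
    if [ "$(norm "$e")" != "$(norm "$2")" ] || [ "$(norm "$p")" != "$(norm "$2")" ]; then
        echo "privilege set differs from expected: E=$e P=$p" >&2
        return 1
    fi
    return 0
}

check_privs "$PPRIV_BEFORE" "$EXPECTED" || echo "before: privileges NOT reduced"
check_privs "$PPRIV_AFTER" "$EXPECTED" && echo "after: privileges OK"
```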
From: tim.wort on 25 Jul 2010 10:41

On Jul 24, 12:03 pm, FatAnt <fat...(a)blackhole.null> wrote:
> tim.w...(a)Inklingresearch.com wrote:
> > This link is the documentation to do what you are attempting...
>
> ....and the link is? ;-)
>
> PS: The document by Glenn Brunette is 819-2887....correct?

The link is http://www.sun.com/blueprints/0505/819-2680.pdf

Damn, I hate it when I do that... :^)

This is called "Limiting Service Privileges in the Solaris 10 Operating System". He wrote or co-authored two Blue Prints on the subject; if I remember correctly, one contains a section on smf auths as well.

Sorry about that...