PSARC 2007/601 FastTrack timeout 12/05/2007 - "spec.txt" added to the materials directory
Mark Logan
Mark.Logan at sun.com
Thu Dec 20 11:02:40 PST 2007
Hi Gary,
Thanks for meeting with us Tuesday.
Here is my understanding of our conversation:
Keep /dev/heci owned by root, r/w by owner only.
In the the SMF service description for LMS, run as root,
privileges='basic'. (I have attached the file.)
Change the LMS daemon to use setuid to "noaccess" after opening /dev/heci.
Mark
Gary Winiger wrote:
>> I'm not sure what you mean by "noaccess". Do you want us to change the
>> method_context for LMS from "root:root" to "noaccess:noaccess"?
>>
>
> As stated in the security best practice:
> http://opensolaris.org/os/community/arc/bestpractices/security-questions
> "If this project uses any privileged operations beyond what
> a common user (e.g. "noaccess") can perform, why those are
> necessary and how they are granted."
>
> The point is to implement the principle of least privilege,
> not to say you must run as noaccess:noaccess.
>
> What is the minimum needed for this service? That is anything
> above noaccess:noaccess permitted set = "basic'?
>
> Gary..
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: lms.xml
Type: text/xml
Size: 2568 bytes
Desc: not available
URL: <http://mail.opensolaris.org/pipermail/opensolaris-arc/attachments/20071220/c03882af/attachment.xml>
More information about the opensolaris-arc
mailing list