too many predefined UID/GID values? [was: OpenLDAP for OpenSolaris]
James Carlson
james.d.carlson at sun.com
Fri Aug 8 13:27:52 PDT 2008
Glenn Brunette writes:
> That is a non-starter for many of our customers who are looking for
> unique credentials for each of their services -- especially those
> that may be running under the same OS instance/zone. Not only does
> this help with accountability (syslog and audit) but having unique
> credentials will also help contain a compromise should one
> (unprivileged) service be exploited. If you were running apache and
> mysql (for example) as the same UID, a flaw (w/arbitrary code execution)
> in one could lead to the direct compromise of the other running service.
> Taking away proc_session from each service could help with this however.
Yes, I think LP is a better answer for limiting damage due to code
flaws.
The apache and mysql examples might not be the best ones -- those are
cases where you do have related file permissions, and you'll probably
want a UID just for that.
--
James Carlson, Solaris Networking <james.d.carlson at sun.com>
Sun Microsystems / 35 Network Drive 71.232W Vox +1 781 442 2084
MS UBUR02-212 / Burlington MA 01803-2757 42.496N Fax +1 781 442 1677
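As an added illustration, not part of the thread above, this SMF manifest fragment shows the two mitigations the exchange describes: a dedicated UID/GID for the service (so its files are owned by a credential no other service shares) together with a method_credential that drops proc_session and proc_info from the service's privilege set, so even a compromised process cannot signal or inspect other processes on the host. The service name, account name and binary path are hypothetical.

```xml
<?xml version="1.0"?>
<!DOCTYPE service_bundle SYSTEM "/usr/share/lib/xml/dtd/service_bundle.dtd.1">
<!-- Hypothetical service: names and paths are illustrative only -->
<service_bundle type='manifest' name='example-webapp'>
  <service name='application/example-webapp' type='service' version='1'>

    <create_default_instance enabled='false' />
    <single_instance />

    <exec_method type='method' name='start'
                 exec='/opt/example-webapp/bin/webappd'
                 timeout_seconds='60'>
      <method_context>
        <!-- Run under its own UID/GID rather than a shared one, so a flaw
             in another service running on the same zone does not grant
             access to this service's files or processes. -->
        <method_credential user='webapp' group='webapp'
            privileges='basic,!proc_session,!proc_info'
            limit_privileges='basic,!proc_session,!proc_info' />
        <!-- basic            : the ordinary unprivileged set
             !proc_session    : cannot signal or trace processes outside
                                its own session
             !proc_info       : cannot examine the status of processes it
                                could not signal
             limit_privileges : the cap inherited by anything it execs,
                                so a spawned shell cannot regain them -->
      </method_context>
    </exec_method>

    <exec_method type='method' name='stop' exec=':kill'
                 timeout_seconds='60' />

    <property_group name='startd' type='framework'>
      <propval name='duration' type='astring' value='child' />
    </property_group>
  </service>
</service_bundle>
```

Once imported with svccfg, the effective set of the running daemon can be confirmed with ppriv on its PID.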