PSARC 2007/601 FastTrack timeout 12/05/2007 - "spec.txt" added to the materials directory
David Chieu
David.Chieu at sun.com
Tue Jan 8 11:28:11 PST 2008
Gary,
Happy New Year!
Just want to touch base with you on 2007/601. The project team has
implemented your suggestions over the break. If there is no other
comment, we believe this case is converged. Thanks again for your
generous help.
-- David Chieu
Mark Logan wrote:
> Hi Gary,
> Thanks for meeting with us Tuesday.
> Here is my understanding of our conversation:
> Keep /dev/heci owned by root, r/w by owner only.
> In the SMF service description for LMS, run as root,
> privileges='basic'. (I have attached the file.)
> Change the LMS daemon to use setuid to "noaccess" after opening
> /dev/heci.
> Mark
>
> Gary Winiger wrote:
>>> I'm not sure what you mean by "noaccess". Do you want us to change
>>> the method_context for LMS from "root:root" to "noaccess:noaccess"?
>>>
>>
>> As stated in the security best practice:
>> http://opensolaris.org/os/community/arc/bestpractices/security-questions
>> "If this project uses any privileged operations beyond what
>> a common user (e.g. "noaccess") can perform, why those are
>> necessary and how they are granted."
>>
>> The point is to implement the principle of least privilege,
>> not to say you must run as noaccess:noaccess.
>>
>> What is the minimum needed for this service? That is anything
>> above noaccess:noaccess permitted set = "basic"?
>>
>> Gary..
>>
>
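
The sequence agreed in the quoted message (open /dev/heci as root, then setuid to "noaccess"), written out in C as an added example; it is not the LMS daemon's code or anything posted in this thread. The function name `open_then_drop` and its return codes are hypothetical, and the example assumes the process starts with the right to change its uid and gid.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1   /* expose setgroups() on glibc */
#endif
#include <fcntl.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <unistd.h>

enum { DROP_OK = 0, ERR_OPEN = -1, ERR_USER = -2, ERR_DROP = -3 };  /* hypothetical codes */

/* Open dev_path while still privileged, then permanently become `user`.
 * On any failure the descriptor is closed, so the caller never ends up
 * holding the device while still running as root. */
int open_then_drop(const char *dev_path, const char *user, int *fd_out)
{
    *fd_out = -1;
    int fd = open(dev_path, O_RDWR);      /* device is root-owned, owner r/w only */
    if (fd < 0)
        return ERR_OPEN;
    struct passwd *pw = getpwnam(user);
    if (pw == NULL || pw->pw_uid == 0) {  /* unknown account, or not a real drop */
        close(fd);
        return ERR_USER;
    }
    /* Order matters: supplementary groups, then gid, then uid last,
     * because after setuid() the process can no longer change its groups. */
    if (setgroups(0, NULL) != 0 || setgid(pw->pw_gid) != 0 ||
        setuid(pw->pw_uid) != 0 ||
        setuid(0) == 0) {                 /* regaining root must fail */
        close(fd);
        return ERR_DROP;
    }
    *fd_out = fd;                         /* descriptor survives the identity change */
    return DROP_OK;
}

int main(void)
{
    int fd;
    int rc = open_then_drop("/dev/heci", "noaccess", &fd);
    if (rc != DROP_OK) {
        fprintf(stderr, "open_then_drop failed: %d\n", rc);
        return 1;
    }
    /* ... service loop would use fd here, running as noaccess ... */
    close(fd);
    return 0;
}
```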