2008/046 Process Contract Decorations
Antonello Cruz
Antonello.Cruz at sun.com
Fri Jan 25 07:40:55 PST 2008

Gary Winiger wrote:
>> There is no security vulnerability in not requiring privilege to set the
>> "Service FMRI". Requiring privilege has the goal of making the term
>> "Service FMRI" a trusted, system-wide name for observability purposes.
>> Just as the SMF service FMRI is today.
>
> Hummm, is that really worth adding a privilege and requiring
> ctrun to be called with that privilege? What's the risk of
> the FMRI being spoofed on a contract?

The FMRI term as proposed is intended to allow an administrator to
reliably identify where each contract on the system originates from.
Since creating a new contract doesn't require privilege, permitting any
contract creator to set the FMRI term limits observability and impedes
forensic analysis.

> What Rights Profile is being proposed to grant ctrun privilege?

A new Rights Profile named "Process Contract Identifier" should be
amended to this case.

> And who should be granted this profile?

Users who are responsible for creating service-like collections of
processes that the administrator has decided should be identified
separately from services started by SMF.

Antonello