Amendments to pconsole fast-track [PSARC/2009/275 FastTrack timeout 05/08/2009]

Norm Jacobs Norm.Jacobs at sun.com
Fri May 1 15:45:37 PDT 2009 

Gary Winiger wrote:
>> Amendment 1:
>>
>> The pconsole-bin binary requires elevated privilege to be useful.  We
>> request to move the binary from the originally stated /usr/bin to
>> /usr/sbin, in line with where other binaries requiring privilege
>> usually exist.
>>
>> Amendment 2:
>>
>> A new execution profile and attribute will be defined.  The specific
>> RBAC additions are:
>>
>> /etc/security/prof_attr:
>> Parallel Console Access:::Connect to remote consoles with pconsole:
>>
>> /etc/security/exec_attr:
>> Parallel Console Access:suser:cmd:::/usr/sbin/pconsole-bin:euid=0
>>     
>                           ^^^^^                              ^^^^^^
> 	This is fine for S7-S9, but not for S10 forward.
> 	exec_attr(4):
>      policy    The security policy that is  associated  with  the
>                profile entry. The valid policies are suser (stan-
>                dard Solaris superuser) and solaris.  The  solaris
>                policy  recognizes privileges (see privileges(5));
>                the suser policy does not.
>
>                The solaris and suser policies can coexist in  the
>                same  exec_attr database, so that Solaris releases
>                prior to the current release  can  use  the  suser
>                policy  and  the current Solaris release can use a
>                solaris policy. solaris is a superset of suser; it
>                allows  you  to  specify privileges in addition to
>                UIDs. Policies that are specific  to  the  current
>                release  of  Solaris  or  that  contain privileges
>                should use solaris. Policies that use UIDs only or
>                that  are  not  specific  to  the  current Solaris
>                release should use suser.
> 	
> 	What are the elevated privileges and why are they required?
> 	Just those privileges should be specified in the privs= attribute.
> 	Why is there a need to specify a uid?
>   
I guess that since I filed the bug that caused these amendments to be 
filed, I will chime in.

pconsole appear to do the typical seteuid(getuid()) at startup, then 
elevates it's euid when it needs to to use ioctl(c->fd, TIOCSTI, &kar).

TIOCSTI appears to require  elevated privilege.  streamio.c appears to 
do the auth checking in the kernel using secpolicy_sti(), which equates 
to* return* (secpolicy_require_set 
<http://src.opensolaris.org/source/xref/onnv/onnv-gate/usr/src/uts/common/os/policy.c#secpolicy_require_set>(cr 
<http://src.opensolaris.org/source/s?defs=cr&project=/onnv>, 
PRIV_FULLSET 
<http://src.opensolaris.org/source/s?defs=PRIV_FULLSET&project=/onnv>, 
NULL <http://src.opensolaris.org/source/s?defs=NULL&project=/onnv>));

It looks like euid=0 is the smallest hammer that we have to get you 
there, but if you have a smaller hammer than euid=0 that gets you there, 
than that would be the appropriate thing to do.

    -Norm

More information about the opensolaris-arc mailing list