Amendments to pconsole fast-track [PSARC/2009/275 FastTrack timeout 05/08/2009]
Norm Jacobs
Norm.Jacobs at Sun.COM
Wed May 6 00:50:47 PDT 2009
Gary Winiger wrote:
>> /etc/security/prof_attr:
>> Parallel Console Access:::Connect to remote consoles with pconsole:
>>
>
> To whom/how is this Rights Profile granted?
>
> Also note that a help file needs to come with the addition of
> a Rights Profile. See:
> http://opensolaris.org/os/community/arc/bestpractices/rbac-profiles/
>
>
>> /etc/security/exec_attr:
>> Parallel Console Access:suser:cmd:::/usr/sbin/pconsole-bin:euid=0
>>
>
> I've not seen a conclusion on privileges/uids.
>
It appears that unless the policy around TIOCSTI changes to allow the
device owner to use it, then pconsole-bin needs to run with euid=0 to be
useful. It seemed like creating a rights profile for this and allowing
assignment of that rights profile to a select set of users made more
sense than making pconsole-bin suid root. With a rights profile, our
customers can control access to it by assigning this profile to users
that have a need for pconsole. With it suid root, anyone can use it and
potentially use it to effectively hijack someone else's session. With
no rights profile and no suid root, you have to become root to use it.
As for who is most likely to use it and therefore need access to the
profile, I expect, based on the original case, it will be sysadmins
managing clusters.
-Norm
More information about the opensolaris-arc
mailing list