Section 5.5.11. Privilege Debugging


Process privileges radically change the way in which privileged operations work. While we plan on keeping the "just slap uid 0" approach working for the time being, it is important to be able to determine exactly which privileges are missing when we try to minimize the set of privileges for a new application. Privilege debugging can also be used to determine exactly what privileges specific Solaris utilities need for specific tasks. During the development of our prototype, we found that logging of failures alone was sufficient to compute the set of privileges needed for something as complex as a nightly build.

We have therefore introduced a per-process flag, PRIV_DEBUG, which causes kernel_printf() to log privilege failures. These messages then appear on the terminal associated with the process. PRIV_DEBUG can be set and unset with setpflags(2). We have also introduced a global kernel tunable, priv_debug, settable through system(4) or with mdb(1), which turns on privilege failure logging for all applications. In that mode the failures are reported with cmn_err(9F), so the privilege debugging information is captured in the system logs.

The ppriv(1) utility lets us set and unset the per-process flag and run processes with the flag set. We can use this feature to determine exactly which privileges are required for certain actions, and to determine which privileges are actually used by certain set-uid applications by running them as plain executables.

sol10$ cat /etc/shadow
cat: cannot open /etc/shadow
sol10$ ppriv -e -D cat /etc/shadow
cat[12341]: missing privilege "file_dac_read" (euid = 21782), needed at ufs_iaccess+0xfc
cat: cannot open /etc/shadow
sol10$ cp /usr/sbin/ping /tmp
sol10$ /tmp/ping localhost
/tmp/ping: socket Permission denied
sol10$ ppriv -e -D /tmp/ping localhost
ping[12373]: missing privilege "proc_setid" (euid = 21782), needed at seteuid+0x76
ping[12373]: missing privilege "net_rawaccess" (euid = 21782), needed at icmp_open+0xd
/tmp/ping: socket Permission denied


The seteuid(2) failure can be attributed directly to the old-style privilege bracketing done by ping(1M); the return value is obviously not checked. To make privilege failures more obvious for the uninitiated users of Solaris enhanced with privileges, we use our extended /proc interfaces and report the missing privilege after the error code in truss output.

sol10$ truss -t open cat /etc/shadow
open("/var/ld/ld.config", O_RDONLY) Err#2 ENOENT
open("/usr/lib/libc.so.1", O_RDONLY) = 3
open("/usr/lib/libdl.so.1", O_RDONLY) = 3
open("/usr/lib/locale/en_US/en_US.so.2", O_RDONLY) = 3
open64("/etc/shadow", O_RDONLY) Err#13 EACCES [file_dac_read]
cat: cannot open /etc/shadow
sol10$ truss -t so_socket /tmp/ping localhost
so_socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP, "", SOV_XPG4_2) = 5
so_socket(PF_INET6, SOCK_RAW, IPPROTO_ICMPV6, "", SOV_XPG4_2) Err#13 EACCES [net_rawaccess]
/tmp/ping: socket Permission denied
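
The bookkeeping described above, computing the set of missing privileges from logged failures, can be automated. The following is an added example, not code from the book or from Solaris: it parses the two message formats shown in the sessions above, and its function names and the extra ping line with pid 12400 are constructed for illustration.

```python
import re
from collections import defaultdict

# PRIV_DEBUG message format as shown in the ppriv -e -D output above.
DEBUG_RE = re.compile(
    r'^(?P<cmd>[^\[\s]+)\[(?P<pid>\d+)\]: missing privilege "(?P<priv>\w+)" '
    r'\(euid = (?P<euid>\d+)\), needed at (?P<site>\S+)$')
# truss line with the missing privilege in brackets after the error code.
TRUSS_RE = re.compile(
    r'^(?P<call>\w+)\(.*\)\s+Err#\d+\s+(?P<err>E\w+)\s+\[(?P<priv>\w+)\]$')

def missing_from_debug(lines):
    """Return {command: {privilege: {kernel functions that checked it}}}."""
    needed = defaultdict(lambda: defaultdict(set))
    for line in lines:
        m = DEBUG_RE.match(line.strip())
        if m:  # program output and other noise is ignored
            needed[m["cmd"]][m["priv"]].add(m["site"].split("+")[0])
    return {cmd: dict(privs) for cmd, privs in needed.items()}

def missing_from_truss(lines):
    """Return (syscall, errno name, privilege) for each annotated failure."""
    hits = (TRUSS_RE.match(line.strip()) for line in lines)
    return [(m["call"], m["err"], m["priv"]) for m in hits if m]

def privilege_list(needed, cmd):
    """Comma-separated, sorted privileges a command was seen to lack."""
    return ",".join(sorted(needed.get(cmd, {})))

# Sample input: lines from the sessions above; the second ping run (pid
# 12400) is constructed to show that repeated failures are merged.
SAMPLE_DEBUG = [
    'cat[12341]: missing privilege "file_dac_read" (euid = 21782), needed at ufs_iaccess+0xfc',
    'cat: cannot open /etc/shadow',
    'ping[12373]: missing privilege "proc_setid" (euid = 21782), needed at seteuid+0x76',
    'ping[12373]: missing privilege "net_rawaccess" (euid = 21782), needed at icmp_open+0xd',
    'ping[12400]: missing privilege "net_rawaccess" (euid = 21782), needed at icmp_open+0xd',
]
SAMPLE_TRUSS = [
    'open("/var/ld/ld.config", O_RDONLY) Err#2 ENOENT',
    'open64("/etc/shadow", O_RDONLY) Err#13 EACCES [file_dac_read]',
    'so_socket(PF_INET6, SOCK_RAW, IPPROTO_ICMPV6, "", SOV_XPG4_2) Err#13 EACCES [net_rawaccess]',
]

if __name__ == "__main__":
    needed = missing_from_debug(SAMPLE_DEBUG)
    for cmd in sorted(needed):
        print(cmd, "->", privilege_list(needed, cmd))
    for call, err, priv in missing_from_truss(SAMPLE_TRUSS):
        print(f"{call} failed with {err}: needs {priv}")
```

The resulting list records every privilege check that failed, so it still has to be reviewed before it is granted: the proc_setid entry for ping comes from the seteuid(2) bracketing discussed above.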





Solaris Internals: Solaris 10 and OpenSolaris Kernel Architecture (2nd Edition)
ISBN: 0131482092
EAN: 2147483647
Year: 2004
Pages: 244
