PSARC 2002/188 Privileges for Solaris
Inception review 12 June 2002

dwc-1: Section 3.6 last paragraph: _POSIX_CHOWN_RESTRICTED. No. _POSIX_CHOWN_RESTRICTED is not per process. The privilege allowing a process to give a file away is now per process. s/; the property _POSIX_CHOWN_RESTRICTED is now per-process//

dwc-2: Section 4.4 paragraph between the two tables: typo s/these some of these interfaces/these interfaces/

dwc-3: Section A: privilege PRIV_SYS_NFS and Section B: privileges(5) man page: Description of PRIV_SYS_NFS. Is this related to PRIV_NET_PRIVADDR? Do I need both privileges to bind to an NFS reserved port? (Or are the NFS reserved ports higher than port number 1023? If so, why do I need any privilege?)

dwc-4: Section A: privilege PRIV_USER_CHOWN and Section B: privileges(5) man page: Description of PRIV_USER_CHOWN. No. _POSIX_CHOWN_RESTRICTED is always in effect. The point is that if rstchown is not set, every process is granted this privilege. s/; {_POSIX_CHOWN_RESTRICTED} is not in effect for this process//

dwc-5: Section B: setppriv(2) & setprivflags(2) man pages: Synopsis. Why doesn't #include instead of requiring the user to include both headers? Note that the priv_sets(3C) man page uses without requiring the user to #include .

dwc-6: Section B: priv_sets(3C) man page: You need a Return Values section on this page. The description of priv_ismember() doesn't say what happens if ``priv'' is not a member of ``sp''. (Given what is here, a valid implementation of priv_ismember() would be "return (B_TRUE);".)

dwc-7: Section B: priv_names(3C) man page: Description, 1st paragraph: typo s/set is returns/set and returns/

dwc-8: Section B: privileges(5) man page: Description, 1st paragraph: typo s/developers and opportunity/developers an opportunity/

dwc-9: Section B: privileges(5) man page: Description, 1st paragraph: How is a "set of abilities" different from "set of privileges"?
dwc-10: Section B: ddi_getprivbyname(9F) man page: Description, 3rd paragraph: typo s/``priv_'' privilege/``priv_'' prefix/

dwc-11: Section B: ddi_getprivbyname(9F) man page: Return Values, 1st paragraph: typo s/-EINVAL privilege doesn't/-EINVAL if the priv argument doesn't/

* indicates discussion points should there be time constraints.

*gw-0 It seems to me that suid 0 programs are equivalent to X.F = X.A = all. Is this correct?

*gw-1 label0 concerns me. Trusted Solaris in the past (1.x) had a privilege that implied this process could be treated as trusted because it was a "special system process". That turned out to be too easy to abuse. Present Trusted Solaris (2.x) has a flag set by the kernel in p0 and only clearable from userland. label0 seems like its purpose could be served by such a flag. Or is label0 really a DAC override privilege for files owned by the "system user"? Who changed all the files to be owned by root anyway ;-) Perhaps all system files should be owned by "sys" ;-}} A different name might be helpful.

gw-2 auth_attr(4): what changes? Where might privilege definitions be stored for admin tools?

gw-3 Audit details please: Will AUT_PRIV and AUT_UPRIV be used? Same syntax and semantics as in Trusted Solaris, but with Solaris privileges? AUE_prof_cmd privilege token with inheritable privs set.

*gw-4 How will NFS and diskless work for a privileged aware app?

*gw-5 Administrative model for user_attr(4), exec_attr(4) administration.

gw-6 Use of both "-" and "!". Why both, why not just pick one?

gw-7 exec_attr policy field is used in Trusted Solaris to distinguish its entries. "suser" --> "standard", how about "solaris"?

*gw-8 Are there any new issues with rtld.so, such as processes with effective privileges must run from "secure" libraries and the loader should run without privileges? Are there any new places that crle needs to increment the "secure" libraries?

*gw-9 How do customers define privileges they may wish to write daemons to interpret?
For example, a door server may actually implement privileged functions. Or, a 3rd party loadable system call/driver.

gw-10 How about a way for a door server to get the caller's privileges?

gw-11 Consider "specialized" profiles to impart privilege to unchanged applications such as "boot", "inetd", "allocate", "cron".

gw-12 I expect there will be a pam_unix_cred(5) to split out pam_sm_setcred() from pam_unix_auth(5). (Fast track to run soon.) It should be used instead of the proposed pam_privs(5).

gw-13 Is going to be shipped?

gw-14 If is only being shipped for reference, why ship it at all?

gw-15 Should groupmember() be included with hasprocperm() and cr* friends?

gw-16 Interface and output stability on all man pages. The Trusted Solaris man pages can be used as a model for including privilege comments.

*gw-17 ppriv for tracing running processes and core files. Why not extend truss or mdb?

*gw-18 Privilege debugging? You comment TS is insecure because it logs privilege failures and continues. How is this project secure? In TS only "children of init -- Trusted Path" can enable debug tracing on a command.

gw-19 exec login(1): maybe it should be EOLed.

*gw-20 Device protection: please elaborate. Why not device_policy(4)?

gw-21 How will cred caching (in clustering? and cachefs?) be handled, especially with respect to potentially different privilege sizes?

*gw-22 "User privileges": please pick a different name. Users are granted authorizations through the rights mechanisms. Users are not really granted privileges; programs (subjects) are granted privilege. Maybe "default privileges" or something like that. It is really what they seem to be.

gw-23 The backup for machine default for user_attr(4) (and others) is policy.conf(4). It should be interposed on "limitprivs, defaultprivs, maxprivs" before any final defaults. Perhaps there should be no final defaults (other than NIL) and the project ships policy.conf(4) with definitions.
gw-24 Privilege definitions:
* Missing proc_audit_[tcb, appl]. I see a large privilege difference between being able to create an audit record and manipulate the audit system (sys_audit). Most administrative programs need to generate audit records, but they should not manipulate a process' audit characteristics nor the system wide audit state. This distinction has been required in the past by various GVMT entities.
* proc_dumpcore seemed to be quite valuable in Trusted Solaris. How are dumps restricted in this project? How is that functionality granted in this project?
    Allows a TCB process to execute a new program which is set-user-ID, set-group-ID, or permits the use of privilege to have a ``core'' file created for it when taking the default action for SIGQUIT, SIGILL, SIGTRAP, SIGABRT, SIGEMT, SIGFPE, SIGBUS, SIGSEGV, SIGSYS, SIGXCPU, or SIGXFSZ signals.
    Allows a TCB process to have a ``core'' file created for it when taking the default action for SIGQUIT, SIGILL, SIGTRAP, SIGABRT, SIGEMT, SIGFPE, SIGBUS, SIGSEGV, SIGSYS, SIGXCPU, or SIGXFSZ signals.
* priv_realtime. From customer requests, suggest this get added to allow execution of realtime programs. See Andy T and Jim Litchfield for details.
* Differences with TS privs: why? proc_owner, sys_audit, sys_config, sys_devices.
* sys_resource definition seems incomplete.

gw-25 privileges(5): "only privileges found in P can be added to E." IOM should be: "added to E or I."

*gw-26 Why is proc_limitset needed? It seems to me that this is a needless complication.

*gw-27 What's the intended distinction between Evolving, Stable and Public in the interface table, especially getprivinfo Evolving and setppriv Public?

rbc-1 Project scope? Will Trusted Solaris be ported to use this project? Will programming language debuggers need to be changed? Will setuid Solaris programs be modified to use this project?

rbc-2 Sec. 4.4 says some of the listed functions should be part of FSI. Which ones?

rbc-3 Sec. 6.3: How will users know which are Stable vs. Evolving?

tcm-1 Did you consider the compatibility strategy of having limitation instead of privilege sets (action is allowed if effective uid == 0 and no limitation)? I think you can get the effect of C.E, C.L and C.P (now C.Forbidden) without PA/NPA.

tcm-2 What happens when Solaris defines a new permission? Is there a way for an application to get privileges that it couldn't have known about when it was compiled?

tcm-3 What are the anticipated uses of C.I?

jb-0 Why a new namespace? Why not extend the RBAC authorizations mechanism to have authorizations be per-process, inherited, and available to the kernel? That would unify "userland" and "kernel" privileges so that the distinction would be unimportant. Why is the administrative mechanism for granting special powers different when those special powers are implemented in the kernel, than when they are implemented in user mode code? (added during the inception review)

jb-1 Why is writing to /dev/kmem significantly different from writing to /kernel/genunix, from a security perspective?

jb-2 Could privileges be merged with groups? In the file system world, groups seem to be the rough equivalent. Since I'm a member of group "sac", I'm allowed to write sac files. Perhaps being a member of group "priv_file_chown" would allow one to do chown().

PSARC 2002/188 Privileges for Solaris
Commitment review 16 October 2002

tcm-4 I'm still confused about how the set of privileges can evolve. Is the Basic Priv scheme equivalent to having privileges entitled "Permits all the actions not covered by any other privilege as of version N" permanently for all N, where any program is entitled to the one for the version it was built against?

agt-7 If one of the goals is to allow deployment of realtime applications without PRIV_SYS_CONFIG, you should add a separate privilege for the p_online functionality (or add it to PRIV_SYS_PSET); this is commonly used to block interrupts to selected CPUs.
agt-8 3.5: I'm not sure I understand the requirement of full privileges for controlling or modifying uid 0 things. Why is this necessary if the controlling process is euid 0, and the controlled process has a limit set that is a subset of that of the controlling process?

agt-9 4.3: What are the compatibility and performance implications of the dblk_t change? Sounds like at least the behavior of socket and bind may change.

agt-10 4.11: I assume the 660 permissions on /dev/ip are there for a reason; do we know the implications of taking away access for group sys? Who is currently taking advantage of this?

agt-11 Any other potentially incompatible changes to device permissions planned?

agt-12 I'm not clear on the purpose of extra_privs(4).

agt-13 The answer to gw-9 (inception) talks about allowing customers to define privileges, but I don't see any interfaces for supporting that. Did I miss them?

agt-14 Why make the format of device_policy public? If the *_drv utilities should be used for updates, why allow "vi" access as well?

agt-15 I don't understand the purpose of the -I flag to devpolicy(1M). Is this just to push the file into the kernel on boot? (If so, see agt-16.)

agt-16 Why isn't the device_policy file managed by devfsadm, like other device configuration files?

agt-17 The -p option to add_drv should take multiple comma-separated policies (like -m) since a single driver can have multiple policies.

jdc-1 What happens with kill(2)? One of the hidden assumptions of a setuid program is that no ordinary user can send it a signal. A process that has instead some acquired privileges seems to lack that protection. I see a privilege to control someone sending a signal, but how do I (as the person converting a setuid root application to a PA application) prevent reception from an untrusted user?

jdc-2 Nit: using 'void' for ucred_t disables some lint checks; suggest blind structure tag instead ('struct ucred_s; typedef struct ucred_s ucred_t;').
Or even a typedef that is itself a pointer so that you have 'uid_t ucred_geteuid(ucred_t);'. (The latter, I think, encourages good developer hygiene.)

jdc-3 Nit: (response to inception gw-27) 'Evolving' implies 'Public'.

jdc-4 Nit: 4.4: private details aren't Unstable unless we're telling customers about them, so secpolicy* is (possibly) Consolidation Private for now. (And should be in the tables.)

jdc-5 6.2: Type of 'Private' for priv_impl.h (and others)? Consolidation or Project?

rmc-1 Rationale for overloading EPERM at the expense of delivering cryptic error messages to end users. Is there a compatible way to extend the error namespace or deliver more meaningful errors via perror()?

rmc-2 Are we adding an ISM privilege? Since this is equivalent to an uncontrolled mlock(), we could conceivably add another privilege or enhance ISM to use PRIV_PROC_LOCK_MEMORY.

rmc-3 Should ppriv allow the system administrator to list the full set of privilege options that can be applied to a process?

rmc-4 How can I write an administration application that is aware of the privilege options that can be applied, and is able to adopt an expanded set without recompiling the application? I don't see how the namespace is dynamically discoverable...

rmc-5 The truss command will be the first place an administrator is likely to go to debug a privilege issue. Can we enhance truss to understand and print privilege debugging information at the time of a system call?

gw-1 It still seems to me that processes with privilege should be restricted to the "secure" libraries. I don't see that this proposal does so. What am I missing?

gw-2 Missed the point of boot, inetd, allocate, cron rights profiles.

gw-3 prochasprocperm is not documented. Maybe it should be in ddi_cred(9).

gw-4 How will programmers know to use sec_policy* or add new ones? How will they know to use privileges in apps?

gw-5 3.1 Page 15 last paragraph: is there a difference between basic and default privileges?
gw-6 Forced privilege emulation? What's the proposal?

gw-7 How does a process become PA in the presence of inheritable privs (page 18)? What are those privileges?

gw-8 3.3.3 last para (-1). Note with allowed privs the idea is to pass privs around non-priv apps from grandparent to grandchild across a parent which cannot use any privs. How will this restriction work in that light?

gw-9 States: the prototype's privileges are listed in privileges(5). What are the proposed privileges? Are they the same as the prototype?

gw-10 Taxonomy of /etc/system variables.

gw-11 Seems hard to have daemons run as user daemon if they will support diskless. How will it be determined which daemons can run without uid == 0? (3.5 and 3.8)

gw-12 Will QFS be supported?

gw-13 What does it mean for sys_config to be evolving and sys_suser_compat to be obsolete? Where is this noted in the public taxonomy?

gw-14 user_attr(4): can suser and solaris co-exist? When is one selected over the other?

gw-15 Will the UIs enforce defaultpriv <= limitpriv; maxpriv <= limitpriv?

gw-16 How will it be made safe for programs like su, dtsession if the user has a reduced limit set? It seems I could lockscreen and never be able to get out of lockscreen. I'm very concerned that limitpriv will be a call generator.

gw-17 I'd prefer device_policy(4) be project private. There are CLIs to administer it. It is classified as unstable. Why even expose it as an administrative interface?

gw-18 Why is extra_privs(4) needed? It seems to me that when device_policy gets loaded into the kernel, new privileges listed there could be defined.

gw-19 I don't understand file_setdac relative to file_setid.

gw-20 proc_set_id seems to be missing: Allows a process to set the process group of a controlling terminal to one not in the process' process group. Allows a process to set the window size on a terminal not in its session. How are these controlled?

gw-21 sys_devices seems incomplete:
    Allows a process to create device special files.
    Allows a process to use mknod(2) to create directory and regular files.
    Allows a process to revoke all access to a device special file.
    Allows a process to reassign a controlling terminal from one process to another.
    Allows a process to open a terminal already exclusively opened.
    Allows a process to revoke access to its controlling terminal.
    Allows a process to enable or disable keyboard abort processing.
    Allows a process to map frame buffer devices into its address space.
    Allows a process to enable or disable a disk's write-check capability.
    Allows a process to load a kernel loadable driver.
    Allows a process to control the Floating Point Accelerator.
    Allows a process to configure autopush STREAMS modules.
    Allows a process to configure the device driver policy table.
    Allows a process to successfully call a third party loadable module that calls DDI drv_priv.

gw-22 sys_fs_config, sys_max_proc, sys_min_free seem to be missing. How are their functions restricted?
    Name sys_fs_config:
    Allows a process to manipulate filesystem locks.
    Allows a process to set/clear the automatic update (delayed I/O) state of a filesystem.
    Allows a process to get meta disk allocation information.
    Allows a process to open a specified inode in a filesystem.
    Allows a process to set the last access time of a file system object.
    Name sys_maxproc:
    Allows a process to create processes when the maximum number of processes for this process' owning user is exceeded.
    Allows a process to create the last available process in the system.
    Name sys_minfree:
    Allows a process to write to a filesystem whose available storage space is below the minimum allowed.

gw-23 sys_mount seems incomplete: Allows a process to determine the users of a filesystem.

gw-24 sys_net_config and sys_nfs seem incomplete:
    Name sys_net_config:
    Allows a process to configure a machine's network interfaces and routes.
    Allows a process to set a machine's host and domain names.
    Allows a process to set a machine's kerberos realm.
    Allows a process to load and unload host type, accreditation, and default information.
    Allows a process direct access to network devices.
    Allows a process to set endpoint names.
    Allows a process to use the rpcmod STREAMS module.
    Name sys_nfs:
    Allows a process to start a kernel NFS daemon.
    Allows a process to start and stop a kernel NFS lock manager daemon.
    Allows a process to export directories for use by NFS clients.
    Allows a process to retrieve the NFS file handle for a path name.
    Allows a process to revoke NFS RPC credentials for a client it does not own.

gw-25 To add more privs than pre-reserved seems to require a kernel recompile. How many spare privileges will there be? Will that be enough for Trusted Solaris?

gw-26 gw-9 from inception: how do daemons add privileges? Equivalent of priv_getbyname(9F) PRIV_ALLOC.

PSARC 2002/188 Privileges for Solaris
Commitment review 15 January 2003

jdc-6 If "chmod 666 /dev/*mem no longer works" (as in the response to agt-11), then I assume this means that file modes on devices can restrict but not add permissions, correct? This looks like a well-known feature and a Stable interface. How does this incompatible change get communicated?

rbc-4 Sun Cluster has a "proxy" file system that will need to be modified similar to the other file systems you are changing. Sun Cluster will need a set of marshal/unmarshal interfaces to pack/unpack a cred_t into an opaque array of bytes. You should probably talk with Kevin Fox if you haven't already.

agt-18 The man pages for allocb_tmpl and allocb_cred seem to be missing. What do these do (in more detail than the interface table and change summary)?

agt-19 The only DDI function to retrieve a cred_t pointer is ddi_get_cred, which only works in user context for the current thread. Is the ability to call priv_policy* and cr{get,set}* from interrupt and kernel context appropriate?

agt-20 I'm having trouble imagining how a DDI compliant driver could make use of the crset* interfaces.
Also making crgetref public seems like a bad idea: ref counts should be a private part of the implementation, not enshrined into a public interface.

agt-21 Suggest considering removal of support for the ASU flag, rather than extending support of this abomination.

agt-22 Why is PRIV_SYS_RESOURCE in the "unsafe set" of privileges required in the limit set to run a setuid executable? The documentation is also inconsistent on this point; Section 3.3.4 includes it, but privileges(5) doesn't.

tcm-5 RFE: debugger hook for privilege failures.

gw-1 defaultpriv and limitpriv in prof_attr.

gw-2 How are the basic and unsafe sets administered?

gw-3 setpflags EINVAL -> EPERM? To distinguish.

gw-4 Is full different from all? Is all defined different from "all"?

gw-5 How are privileged ioctls handled?

gw-6 priv_getbyname flags parameter uint?

gw-7 What's the value of PRIVNAME_MAX?

gw-8 Nice job ;-)

gw-9 Document nits, please see me.
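The set rules argued over in gw-25 (inception: additions to E bounded by P, which the reviewer asks to extend to I), gw-6 (inception: both "!" and "-" as removal prefixes) and gw-15 (commitment review: defaultpriv <= limitpriv), modelled in Python as an added example that is not part of the PSARC materials. The exec rule and the limit-set semantics follow privileges(5) as it later shipped in Solaris 10, I' = I on exec is an assumption, PRIV_SET is left out, and the privilege names and BASIC set are constructed samples.

```python
"""Model of the Solaris per-process privilege sets E, P, I and L.
Rules (setppriv(2)/privileges(5) as they shipped in Solaris 10; the draft under
review states only the E rule, which gw-25 asks to extend to I):
  E <= P always; privileges are added to E or I only from P; P and L can only
  shrink; removing from P also removes from E; L is applied at the next exec,
  where E' = P' = I & L and L' = L (I' = I is assumed here).
Privilege names are plain strings; every value below is a constructed sample.
"""
PRIV_ON, PRIV_OFF = 1, 2  # priv_op_t of setppriv(2); PRIV_SET is not modelled
BASIC = {"proc_fork", "proc_exec", "proc_session", "file_link_any"}  # constructed


def priv_str_to_set(spec, universe):
    """Parse the "all,!file_link_any" spec syntax of priv_str_to_set(3C);
    both '!' and '-' remove a privilege (the duplication gw-6 asks about)."""
    result = set()
    for tok in filter(None, (t.strip() for t in spec.split(","))):
        if tok == "all":
            result |= set(universe)
        elif tok == "basic":
            result |= BASIC
        elif tok == "none":
            result.clear()
        elif tok[0] in "!-":
            result.discard(tok[1:])
        else:
            result.add(tok)
    return result


class ProcPrivs:
    def __init__(self, effective, permitted, inheritable, limit):
        self.E, self.P = set(effective), set(permitted)
        self.I, self.L = set(inheritable), set(limit)
        if not self.E <= self.P:
            raise ValueError("E must be a subset of P")

    def setppriv(self, op, which, privs):
        """Return True on success, False where the kernel would fail with EPERM."""
        privs = set(privs)
        if op == PRIV_OFF:                     # removal is always allowed
            getattr(self, which).difference_update(privs)
            if which == "P":
                self.E -= privs                # keep E within P
            return True
        if not privs <= (self.L if which == "L" else self.P):
            return False                       # EPERM: outside P (outside L for L)
        if which in ("E", "I"):                # PRIV_ON for P or L is a no-op
            getattr(self, which).update(privs)
        return True

    def exec_program(self):
        """Non-setuid exec: E' = P' = I & L; I and L carry over unchanged."""
        self.P = self.I & self.L
        self.E = set(self.P)


def user_attr_ok(defaultpriv, limitpriv, universe):
    """gw-15: accept a user_attr(4) entry only if defaultpriv <= limitpriv."""
    return priv_str_to_set(defaultpriv, universe) <= priv_str_to_set(limitpriv, universe)
```

Note that shrinking L leaves the running process's P untouched: the reduction only bites at the next exec, which is the behaviour gw-16's lockscreen concern turns on.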