Wednesday Feb 20, 2013

Generating a crypt_sha256 hash from the CLI

When doing a completely hands-off Solaris installation, the System Configuration profile needs to contain the hash for the root password, and for the optional initial non-root user.

Unfortunately Solaris doesn't currently provide a simple-to-use command for generating these hashes, but with a very small bit of Python you can easily create them:

#!/usr/bin/python

import crypt, getpass, os, binascii

if __name__ == "__main__":
    # Read the password without echoing it to the terminal.
    cleartext = getpass.getpass()
    # "$5$" selects crypt_sha256.  The salt is 8 random bytes, base64 encoded
    # (b2a_base64 returns bytes on Python 3, so decode it) with the trailing
    # newline stripped, and terminated by "$".
    salt = '$5$' + binascii.b2a_base64(os.urandom(8)).decode('ascii').rstrip() + '$'

    # crypt(3) produces the full "$5$<salt>$<hash>" string for the profile.
    print(crypt.crypt(cleartext, salt))
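For the curious, here is what crypt_sha256 actually computes. This is an added example, not the script above and not anything that ships with Solaris: a pure-Python implementation of the $5$ SHA-256 crypt scheme using only hashlib, a salt generator that draws from the ./0-9A-Za-z alphabet crypt strings use (so no + or = padding ends up in the salt), and a verify() that rechecks a password against an existing hash. The function names are my own; the rounds handling assumes the documented default of 5000.

```python
import hashlib
import hmac
import secrets

# crypt(3) salt/hash alphabet: "." "/" "0-9" "A-Z" "a-z" (not standard base64).
CRYPT_ALPHABET = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def generate_salt(length=16):
    """Random salt of up to 16 characters drawn from the crypt alphabet."""
    return "".join(secrets.choice(CRYPT_ALPHABET) for _ in range(min(length, 16)))


def _b64_from_24bit(b2, b1, b0, n):
    """Emit n characters from a 24-bit word, least significant 6 bits first."""
    w = (b2 << 16) | (b1 << 8) | b0
    out = []
    for _ in range(n):
        out.append(CRYPT_ALPHABET[w & 0x3F])
        w >>= 6
    return "".join(out)


def sha256_crypt(password, salt, rounds=5000):
    """Return a $5$ crypt string for password (str) and salt (str)."""
    pw = password.encode("utf-8")
    sb = salt[:16].encode("utf-8")  # the format caps the salt at 16 bytes
    plen = len(pw)

    # Digest B: password + salt + password.
    b = hashlib.sha256(pw + sb + pw).digest()

    # Digest A: password + salt, then B for every full 32-byte block of the
    # password (the first N bytes of B for the remaining N), then B or the
    # password for each bit of len(password), lowest bit first.
    a = hashlib.sha256(pw + sb)
    a.update(b * (plen // 32) + b[: plen % 32])
    i = plen
    while i > 0:
        a.update(b if i & 1 else pw)
        i >>= 1
    a = a.digest()

    # P: the password hashed len(password) times, stretched to len(password).
    dp = hashlib.sha256(pw * plen).digest()
    p = dp * (plen // 32) + dp[: plen % 32]

    # S: the salt hashed (16 + A[0]) times, stretched to len(salt).
    ds = hashlib.sha256(sb * (16 + a[0])).digest()
    s = ds * (len(sb) // 32) + ds[: len(sb) % 32]

    # The cost loop: which of A, P and S are fed in depends on the round number.
    for r in range(rounds):
        c = hashlib.sha256()
        c.update(p if r & 1 else a)
        if r % 3:
            c.update(s)
        if r % 7:
            c.update(p)
        c.update(a if r & 1 else p)
        a = c.digest()

    # Encode the 32-byte result in the fixed byte order the format prescribes.
    encoded = "".join([
        _b64_from_24bit(a[0], a[10], a[20], 4),
        _b64_from_24bit(a[21], a[1], a[11], 4),
        _b64_from_24bit(a[12], a[22], a[2], 4),
        _b64_from_24bit(a[3], a[13], a[23], 4),
        _b64_from_24bit(a[24], a[4], a[14], 4),
        _b64_from_24bit(a[15], a[25], a[5], 4),
        _b64_from_24bit(a[6], a[16], a[26], 4),
        _b64_from_24bit(a[27], a[7], a[17], 4),
        _b64_from_24bit(a[18], a[28], a[8], 4),
        _b64_from_24bit(a[9], a[19], a[29], 4),
        _b64_from_24bit(0, a[31], a[30], 3),
    ])
    # Assumption: the rounds field is only written when it is not the default.
    rounds_field = "" if rounds == 5000 else "rounds=%d$" % rounds
    return "$5$" + rounds_field + salt[:16] + "$" + encoded


def verify(password, crypt_string):
    """Recompute the hash using the salt and rounds found in crypt_string."""
    fields = crypt_string.split("$")
    if len(fields) < 4 or fields[0] != "" or fields[1] != "5":
        return False
    rounds = 5000
    if fields[2].startswith("rounds="):
        rounds = int(fields[2][len("rounds="):])
        fields.pop(2)
    if len(fields) != 4:
        return False
    expected = sha256_crypt(password, fields[2], rounds).rsplit("$", 1)[1]
    # Constant-time comparison of the hash part only.
    return hmac.compare_digest(expected, fields[3])


if __name__ == "__main__":
    import getpass
    print(sha256_crypt(getpass.getpass(), generate_salt()))
```

Running the block interactively behaves like the script above; sha256_crypt() is also checked against the published reference vector for the scheme (password "Hello world!", salt "saltstring").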

Tuesday Feb 19, 2013

Linux YAMA Security equivalents in Solaris

The Linux YAMA Loadable Security Module (LSM) provides a small number of protections over and above standard DAC (Discretionary Access Control). These can be roughly mapped onto Solaris as follows:

YAMA_HARDLINKS: 

This protects against creation of hardlinks to files that a user does not have access to. For some strange reason POSIX still requires this behaviour.

The closest Solaris equivalent is removing the file_link_any basic privilege from a process, service or user; the description of file_link_any is:

    Allows a process to create hardlinks to files owned by a uid different from the process' effective uid.

YAMA_PTRACE:

This YAMA protection is designed to protect processes running as the same uid from being able to attach to each other and trace them using PTRACE.

For mapping this to Solaris I'd recommend removing two of the proc basic privileges; this will actually exceed the protection that YAMA_PTRACE gives:

proc_session
    Allows a process to send signals or trace processes outside its session.
proc_info
    Allows a process to examine the status of processes other than those it can send signals to. Processes which cannot be examined cannot be seen in /proc and appear not to exist.

YAMA_SYMLINKS:

The description of the Linux YAMA LSM that I looked at lists one more protection, YAMA_SYMLINKS, for which I can find no Solaris equivalent. It is intended to protect against race conditions on symlinks in world-writable directories (e.g. /tmp). This is a nice protection; we don't have an equivalent of it in Solaris at this time, but I think it could be implemented as another basic privilege.

Reminder on Solaris Basic Privileges

As a reminder, basic privileges in Solaris are those which processes normally have because they were not normally considered to be security violations in the UNIX process model. A basic privilege can be removed from an SMF service in its method_credential section, or from a user's login session (usermod -K defaultpriv=basic,!file_link_any <username>). So there is no need to patch, rebuild or update the Solaris kernel to be able to take advantage of these. In fact you can even change a running process using ppriv(1).

Monday Feb 11, 2013

Serial Console with VirtualBox on Solaris host

First make sure you have nc(1) available; it is in the pkg:/network/netcat package.

Then configure the COM1 serial port in the VM settings as a pipe. Tell VirtualBox the name you want for the pipe and get it to create it.

You can also set up the serial port from the CLI using the VBoxManage command; here my VM is called "Solaris 11.1 Text Only".

$ VBoxManage modifyvm "Solaris 11.1 Text Only" --uart1 0x3F8 4 --uartmode1 server /tmp/solaris-11.1-console.pipe


Start up the VM and run nc in a terminal window; the ttya output of the VM will appear in that terminal window.

$ nc -U /tmp/solaris-11.1-console.pipe
SunOS Release 5.11 Version 11.1 64-bit
Copyright (c) 1983, 2012, Oracle and/or its affiliates. All rights reserved.
