Tuesday Feb 19, 2013

Linux YAMA Security equivalents in Solaris

The Linux YAMA Loadable Security Module (LSM) provides a small number of protections over and above standard DAC (Discretionary Access Control).  These can be roughly mapped onto Solaris as follows:


The first protection is on hardlinks: it prevents a user creating a hardlink to a file they do not own or otherwise have access to, which would otherwise let them pin such a file under a path that a privileged program later writes to.  For some strange reason POSIX still requires this behaviour.

The closest Solaris equivalent is removing the file_link_any basic privilege from a process, service or user.  The description of file_link_any (as printed by ppriv -lv) is:

    Allows a process to create hardlinks to files owned by a uid different from the process' effective uid.


The YAMA_PTRACE protection (the ptrace_scope setting) stops processes running as the same uid from attaching to each other and tracing them with ptrace(2); only an ancestor process (or one nominated with PR_SET_PTRACER) may attach.

For mapping this to Solaris I'd recommend removing two of the proc basic privileges, proc_session and proc_info.  This actually exceeds the protection that YAMA_PTRACE gives, because proc_info also hides other processes from the restricted one; note though that it is session based rather than ancestry based, so processes inside the same session can still trace each other:

    proc_session: Allows a process to send signals or trace processes outside its session.
    proc_info: Allows a process to examine the status of processes other than those it can send signals to.  Processes which cannot be examined cannot be seen in /proc and appear not to exist.


The description of the Linux YAMA LSM that I looked at has one more protection, YAMA_SYMLINKS, for which I can find no Solaris equivalent.  It is intended to protect against race conditions on symlinks in world-writable sticky directories (eg /tmp): a symlink there is only followed if it is owned by the caller or by the directory's owner.  This is a nice protection, but we don't have an equivalent of it in Solaris at this time; I think it could be implemented as another basic privilege.

Reminder on Solaris Basic Privileges

As a reminder, basic privileges in Solaris are those which processes normally have because, in the traditional UNIX process model, using them was not considered a security violation.  A basic privilege can be removed from an SMF service in its method_credential section, or from a user's login session (usermod -K defaultpriv=basic,!file_link_any <username>).  So there is no need to patch/rebuild/update the Solaris kernel to take advantage of these.  In fact you can even change a running process using ppriv(1).
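As an added example (not code from the original post), here is how those three removals look in practice on Solaris using each of the mechanisms just listed, together with a small check that reads verbose ppriv output and confirms a privilege really is gone.  The PID, user name and service name are placeholders, and the ppriv output embedded at the end is a constructed sample of what a process looks like after the drop.

```shell
#!/bin/sh
# Added example, not from the original post: applying the three Solaris basic
# privilege removals discussed above (file_link_any, proc_session, proc_info)
# through each mechanism the post names, plus a check that the drop took.
# ppriv(1), usermod(1M), svccfg(1M) and svcadm(1M) only exist on Solaris;
# the PID, user and service arguments are placeholders.

YAMA_EQUIV_PRIVS='file_link_any,proc_session,proc_info'

# Running process: remove from the Effective, Inheritable and Permitted sets
# so the process cannot re-enable them and does not pass them to children.
drop_from_process() {
    ppriv -s "EIP-${YAMA_EQUIV_PRIVS}" "$1"
}

# Login session: takes effect at the user's next login.
drop_from_user() {
    usermod -K 'defaultpriv=basic,!file_link_any,!proc_session,!proc_info' "$1"
}

# SMF service: set the start method's privileges property (the method_credential
# of the post), then refresh and restart so the new method context is used.
drop_from_service() {
    svccfg -s "$1" setprop start/privileges = astring: \
        'basic,!file_link_any,!proc_session,!proc_info'
    svcadm refresh "$1" && svcadm restart "$1"
}

# Verification helper, usable offline: reads verbose ppriv output
# (`ppriv -v PID`) on stdin and succeeds only if PRIV is still listed in
# set LETTER (E, I, P or L).  Use it to prove a privilege is gone, e.g.
#   ppriv -v "$pid" | has_priv E proc_session && echo "proc_session NOT dropped"
has_priv() {
    awk -v s="$1:" -v p="$2" '
        $1 == s { n = split($2, a, ","); for (i = 1; i <= n; i++) if (a[i] == p) found = 1 }
        END { exit found ? 0 : 1 }'
}

# Constructed sample of `ppriv -v` output for a process after drop_from_process:
# the remaining members of the Solaris 11 basic set are all that is left.
SAMPLE_PPRIV='1234:   /usr/sbin/sshd
flags = <none>
        E: file_read,file_write,net_access,proc_exec,proc_fork
        I: file_read,file_write,net_access,proc_exec,proc_fork
        P: file_read,file_write,net_access,proc_exec,proc_fork
        L: all'

for priv in file_link_any proc_session proc_info proc_fork; do
    if printf '%s\n' "$SAMPLE_PPRIV" | has_priv E "$priv"; then
        echo "$priv still effective"
    else
        echo "$priv dropped"
    fi
done
```

The check deliberately reads the verbose form: in the non-verbose `ppriv PID` output the sets are summarised as `basic,!proc_session`, so matching individual names there would give false negatives.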

Wednesday Feb 29, 2012

Solaris 11 has the security solution Linus wants for Desktop Linux

Recently Linus Torvalds was venting (his words!) about the frustrating requirement to keep giving his root password for common desktop tasks such as connecting to a wifi network or configuring printers.

Well I'm very pleased to say that the Solaris 11 desktop doesn't have this problem thanks to our RBAC system and how it is used including how it is tightly integrated into the desktop.

One of the new RBAC features in Solaris 11 is location-context RBAC profiles: by default we grant the user on the system console (ie the one at the physical keyboard and screen of the laptop or workstation) the "Console User" profile, which on a default install has the authorisations and execution profiles needed to do things like joining a wireless network, changing CPU power management, and using removable media.   The user created at initial install time also has the much more powerful "System Administrator" profile, so they can do even more without being asked for a root password (they also have access to the root role and the ability to use sudo).

Authorisations in Solaris RBAC (which date back in mainstream Solaris to Solaris 8, and 17+ years further in Trusted Solaris) are checked by privileged programs, and the whole point is that you don't have to reauthenticate.  SMF is a very heavy user of RBAC authorisations.  In the case of things like joining a wireless network it is privileged daemons that check the authorisations of the clients connecting to them (usually over a door).

In addition to that, GNOME in Solaris 11 has been explicitly integrated with Solaris RBAC: any GNOME menu entry that needs to run with elevated privilege is executed via the Solaris RBAC mechanisms, and the panel works out the least intrusive way to get the program running for you.  For example, if I select "Wireshark" from the GNOME panel menu it just starts; I don't get prompted for any root password, but it starts with the necessary privileges, because GNOME on Solaris 11 knows that I have the "Network Management" RBAC profile, which allows running /usr/sbin/wireshark with the net_rawaccess privilege.   If I didn't have "Network Management" directly but had an RBAC role that did, GNOME would use gksu to assume the role (which might be root), in which case I would be prompted for the role password.  If the role uses roleauth=user that password is your own, and if you are using pam_tty_tickets you won't keep getting prompted.
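The same lookup the panel performs can be done by hand from exec_attr(4).  The following is an added example, not the panel's or Solaris's own code: it parses exec_attr-format lines to find the privileges a profile grants a command, then mirrors the three outcomes described above (run directly via pfexec, assume a role, or hide the entry).  The exec_attr lines and profile lists are constructed for the example; on a real system the data comes from `getent exec_attr` and `profiles USER`.

```shell
#!/bin/sh
# Added example, not from the original post.  Each exec_attr(4) line is
#   profile:policy:type:res1:res2:path:attributes
# and the attributes field carries privs= (and/or uid=/euid=) describing what
# pfexec(1) grants the command.  The lines below are constructed; on Solaris use
#   EXEC_ATTR_DATA=$(getent exec_attr)
SAMPLE_EXEC_ATTR='Network Management:solaris:cmd:RO::/usr/sbin/wireshark:privs=net_rawaccess
Network Management:solaris:cmd:RO::/usr/sbin/snoop:privs=net_rawaccess,net_observability
Console User:solaris:cmd:RO::/usr/sbin/nwamadm:privs=sys_ip_config;uid=0'
EXEC_ATTR_DATA=$SAMPLE_EXEC_ATTR

# grant_for PROFILE CMD < exec_attr lines: print the privs= value PROFILE
# grants CMD, or nothing if the profile does not mention that command.
grant_for() {
    awk -F: -v prof="$1" -v c="$2" '
        $1 == prof && $3 == "cmd" && $6 == c {
            n = split($7, kv, ";")
            for (i = 1; i <= n; i++)
                if (kv[i] ~ /^privs=/) { sub(/^privs=/, "", kv[i]); print kv[i]; exit }
        }'
}

# _any_grants CMD PROFILES: succeed if any profile (one per line) grants CMD.
_any_grants() {
    printf '%s\n' "$2" | {
        while IFS= read -r prof; do
            if [ -n "$(printf '%s\n' "$EXEC_ATTR_DATA" | grant_for "$prof" "$1")" ]; then
                exit 0
            fi
        done
        exit 1    # the loop runs in this subshell; no profile matched
    }
}

# launch_mode CMD USER_PROFILES ROLE_PROFILES: the panel's decision.
#   direct - the user holds a granting profile: pfexec CMD, no password prompt
#   role   - only the user's role holds one: assume the role (password prompt)
#   none   - neither: the menu entry should not be shown at all
launch_mode() {
    if _any_grants "$1" "$2"; then
        echo direct
    elif _any_grants "$1" "$3"; then
        echo role
    else
        echo none
    fi
}

# Demo on the constructed data: a console user who also has Network Management.
launch_mode /usr/sbin/wireshark "$(printf 'Console User\nNetwork Management')" ''
```

With `direct` the equivalent CLI is `pfexec /usr/sbin/wireshark`, which is what the panel does for you; with `role` it is `su role -c ...` (gksu in the desktop case).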

GNOME can go further still and not even present menu entries to users who have not been granted any RBAC profile that allows running those programs; this is useful on a large multi-user system such as a Sun Ray deployment.

If you want to do it the "old way" and use the CLI and/or give a root password for every "mundane" little thing, you can still do that too if you really want to.

So maybe Linus could try Solaris 11 desktop ;-)

Monday Jan 10, 2011

Partial Response to "TechRadar: 20 things we'd change about installing software in Linux" with Solaris IPS [aka pkg(5) ]

TechRadar has an article today about "20 things we'd change about installing software in Linux", most of which is generally good advice.  I found a few of the points very interesting considering how Solaris 11 Express is packaged using the Image Packaging System (IPS), which was also used for the OpenSolaris releases.

I've not commented on any of "the 20 things" that are to do with installing from source, packaging of source, or filesystem layout, since I don't believe they have anything to do with the packaging system; also, IPS is by design a packaging system, not a build-and-packaging system (like RPM).

"4. Easier adding of repositories"

We have that already with IPS in the form of .p5i files (see below).

"11. Get rid of -dev package hell"

The facet system in IPS packaging will help with this: if you intend to build things from source you set the appropriate facet (facet.devel) and automatically get all the "developer" parts of packages, rather than installing separate -dev packages.

"16. Link to package manager from web pages"

The .p5i file format allows exactly that; for example "this link" points to the .p5i file in the Oracle Solaris 11 Express repository that will install the web/proxy/privoxy package.  If I click on that link on a Solaris system it automatically starts the package manager to allow installation.  The .p5i file contains all the information necessary to add the appropriate repository (including any known mirrors, the certificates required for SSL transport, and any certificate information required for package signing).  The .p5i files and links are automatically created when packages are published into a repository.

"20. Clean up old dependencies"

When uninstalling packages, specify the -r argument to "pkg uninstall" and it will recursively remove any packages that have 'require' dependencies on the initial package.  That should catch many (but maybe not all) of these dependencies, since optional dependencies aren't removed by pkg uninstall -r.
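The two directions of that dependency walk are easy to confuse, so here is an added example (not IPS code, and not from the original post) that computes both over a small constructed dependency graph: the transitive dependents that `pkg uninstall -r` takes with the target, and the dependencies left with no surviving dependent, which is what point 20 is really asking for.  The package names in the sample are illustrative; on Solaris the edge list would be built from `pkg contents -m -t depend` over the installed packages.

```shell
#!/bin/sh
# Added example, not from the original post.  Input lines are
#   PACKAGE REQUIRED-PACKAGE
# i.e. one 'require' edge per line.  The sample graph is constructed for the
# example; the package names are illustrative.
SAMPLE_DEPS='web/proxy/privoxy library/zlib
web/proxy/privoxy library/pcre
web/proxy/privoxy library/libidn
library/libidn library/libiconv
desktop/privoxy-gui web/proxy/privoxy
web/server/apache library/zlib
text/gnu-grep library/pcre'

# uninstall_plan TARGET < edges
# Prints "remove PKG" for every transitive dependent that -r would remove
# with TARGET, then "orphan PKG" for every dependency (walked transitively)
# that no package outside the removed set still requires.
uninstall_plan() {
    awk -v t="$1" '
        { fwd[$1] = fwd[$1] " " $2; rev[$2] = rev[$2] " " $1 }
        END {
            n = 1; list[1] = t; removed[t] = 1
            # pass 1: dependents, breadth first (the pkg uninstall -r behaviour)
            for (k = 1; k <= n; k++) {
                m = split(rev[list[k]], a, " ")
                for (i = 1; i <= m; i++)
                    if (!(a[i] in removed)) {
                        removed[a[i]] = 1; list[++n] = a[i]; print "remove", a[i]
                    }
            }
            # pass 2: dependencies of everything removed whose dependents are
            # all in the removed set; newly orphaned packages are appended to
            # the list and walked too, so the result is a fixed point
            for (k = 1; k <= n; k++) {
                m = split(fwd[list[k]], a, " ")
                for (i = 1; i <= m; i++) {
                    d = a[i]
                    if (d in removed) continue
                    alive = 0; m2 = split(rev[d], b, " ")
                    for (j = 1; j <= m2; j++) if (!(b[j] in removed)) alive = 1
                    if (!alive) { removed[d] = 1; list[++n] = d; print "orphan", d }
                }
            }
        }'
}

# Demo: removing privoxy takes its GUI front end with it (-r), and leaves
# libidn and, through it, libiconv unneeded; zlib and pcre stay because
# apache and grep still require them.
printf '%s\n' "$SAMPLE_DEPS" | uninstall_plan web/proxy/privoxy
```

Note that a real plan must also respect packages the user asked for explicitly rather than pulled in as dependencies; the edge list alone cannot tell those apart, which is one reason IPS leaves the "orphan" half of this to the administrator.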

Friday Aug 03, 2007

New Linux scheduler old Solaris one(s)

I find it interesting and slightly sad, given how low level a topic this really is, how much is being written about the new CFS scheduler being introduced into Linux. The sad part is how much flamage is flying around as a result of this from people not in the slightest bit involved in the design and development; this sadly is the ugly side of many open source groups.

OpenSolaris has multiple scheduling classes as well; actually Solaris had this and OpenSolaris inherited it when the source was opened up, but there is active work going on in this area, and the ability to relatively easily add more. You can also change the dispatch tables of the existing ones, even on a live running system (see dispadmin(1M) and ts_dptbl(4)).

For some more info on how OpenSolaris does scheduling and how it is integrated into the rest of the resource management system, see this excellent intro to the topic by Eric Saxe.

As you hopefully see from Eric's presentation, the scheduler is only a small part of the overall resource management problem of ensuring fairness. OpenSolaris builds on the scheduler with things like processor pools. I particularly like the Fair Share Scheduler (FSS) class. The Sun Ray server that I use at work (and at home via VPN) uses FSS so that users can't dominate the server's CPU resources.

I find it very cool that you can even use different scheduling classes for zones (actually you can do it per process, but mixing FSS with TS/IA in a given processor pool isn't recommended). If all that wasn't cool enough, all the policy for FSS (and much other project-related resource management configuration) can be stored in LDAP, so it is easy to implement a network-wide policy.
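As an added example (not from the original post), the following shows the commands that put a system and its zones onto FSS, and a small helper that makes the point about shares explicit: shares are relative weights, not percentages, so what a zone is entitled to depends on who else is competing on the pool.  dispadmin, priocntl, zonecfg and prctl are Solaris commands; the zone names and share counts are placeholders, and the share listings fed to the helper are constructed.

```shell
#!/bin/sh
# Added example, not from the original post.  dispadmin(1M), priocntl(1),
# zonecfg(1M) and prctl(1) only exist on Solaris; zone names and share
# counts below are placeholders.

# Make FSS the default class for future boots, and move every TS process to
# FSS now so the change does not wait for a reboot.
enable_fss() {
    dispadmin -d FSS
    priocntl -s -c FSS -i class TS
}

# set_zone_shares ZONE SHARES: record the class and share count in the zone's
# configuration, and apply the shares to the running zone immediately (both
# are the zone.cpu-shares resource control).
set_zone_shares() {
    zone=$1; shares=$2
    zonecfg -z "$zone" "set scheduling-class=FSS; set cpu-shares=$shares"
    prctl -n zone.cpu-shares -v "$shares" -r -i zone "$zone"
}

# entitlement < "ZONE SHARES" lines
# FSS gives each zone (or project) competing on one pool shares/total of the
# pool's CPU, and only while they all have runnable work; a zone alone on the
# pool still gets all of it.  This prints each competing zone's entitlement
# in percent, which is what a share count actually buys under contention.
entitlement() {
    awk '{ shares[$1] = $2; total += $2 }
         END { for (z in shares) printf "%s %.1f\n", z, 100 * shares[z] / total }' | sort
}

# Constructed sample: three zones competing on one pool, then the same pool
# once the global zone has gone idle and only the other two compete.
printf 'global 1\nweb 2\ndb 7\n' | entitlement
echo '--'
printf 'web 2\ndb 7\n' | entitlement
```

The second listing is the part people miss: removing one competitor does not free "its" 10% into the air, it is redistributed in proportion to the remaining shares, so web goes from 20% to just over 22%.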

Wednesday May 02, 2007

ZFS under GPLv2 already exists - no kidding!

I'm getting really fed up with the constant rantings on all sides about what Sun should do about the license on the ZFS code so that Linux can use it.  Apparently Sun is the bad guy because ZFS is under CDDL and not GPLv2, and we are purposely doing that so Linux does not get ZFS; personally I don't agree, but each to their own opinion, and licensing is worse than religion in open software development.

There is already a port to FreeBSD and rumours abound that it is in a future release of MacOS, without the CDDL those might not have happened. 

There is also a port of ZFS to FUSE which means Linux users can use it that way.  Performance won't be great with FUSE but it is probably acceptable.  FUSE is a great tool and I can't wait until the Solaris port is ready - because then Solaris can read Linux ext based filesystems that way!

Now about that headline: yes, I really did say that ZFS code is already available under the GPLv2.  I will be completely honest though and make it clear that it isn't all of the ZFS source.  It is a sufficient amount to be able to boot an OpenSolaris based system from GRUB, which means that support for mirroring and the checksum and compression support is there, but raidz isn't, nor are the userland commands.   It is possible that this might be enough to get someone started.  Still don't believe me?  Check out the updated GRUB source on opensolaris.org, specifically all the files with zfs in their name: every single one of them is under the GPLv2 or later.

Update:  While I appreciate some of the comments posted I'm not going to let my blog be a place to post other peoples opinions on CDDL vs GPL.  So I've deleted some comments, if that annoys you because I deleted your comment, tough luck this is my blog and my policy and thats how it is.  Comments are now closed.


Darren Moffat-Oracle

