Thursday Jun 23, 2011

Giving a Zone "More Power"

In addition to the traditional virtualization benefits that Solaris zones offer, applications running in zones are also running in a more secure environment. One way to quantify this is compare the privileges available to the global zone with those of a local zone.

For example, there a 82 distinct privileges available to the global zone:

bleonard@solaris:~$ ppriv -l | wc -l 
82

You can view the descriptions for each of those privileges as follows:

bleonard@solaris:~$ ppriv -lv
contract_event
	Allows a process to request critical events without limitation.
	Allows a process to request reliable delivery of all events on
	any event queue.
contract_identity
	Allows a process to set the service FMRI value of a process
	contract template.
...

Or for just one or more privileges:

bleonard@solaris:~$ ppriv -lv file_dac_read file_dac_write
file_dac_read
	Allows a process to read a file or directory whose permission
	bits or ACL do not allow the process read permission.
file_dac_write
	Allows a process to write a file or directory whose permission
	bits or ACL do not allow the process write permission.
	In order to write files owned by uid 0 in the absence of an
	effective uid of 0 ALL privileges are required.

However, in a non-global zone, only 43 of the 83 privileges are available by default:

root@myzone:~# ppriv -l zone | wc -l      
43

The missing privileges are:

cpc_cpu
dtrace_kernel
dtrace_proc
dtrace_user
file_downgrade_sl
file_flag_set
file_upgrade_sl
graphics_access
graphics_map
net_mac_implicit
proc_clock_highres
proc_priocntl
proc_zone
sys_config
sys_devices
sys_ipc_config
sys_linkdir
sys_dl_config
sys_net_config
sys_res_bind
sys_res_config
sys_smb
sys_suser_compat
sys_time
sys_trans_label
virt_manage
win_colormap
win_config
win_dac_read
win_dac_write
win_devices
win_dga
win_downgrade_sl
win_fontpath
win_mac_read
win_mac_write
win_selection
win_upgrade_sl
xvm_control

However, just like Tim Taylor, it is possible to give your zones more power. For example, a zone by default doesn't have the privileges to support DTrace:

root@myzone:~# dtrace -l
   ID   PROVIDER            MODULE                          FUNCTION NAME

The DTrace privileges can be added, however, as follows:

bleonard@solaris:~$ sudo zonecfg -z myzone
Password:
zonecfg:myzone> set limitpriv="default,dtrace_proc,dtrace_user"
zonecfg:myzone> verify
zonecfg:myzone> exit
bleonard@solaris:~$ sudo zoneadm -z myzone reboot

Now I can run DTrace from within the zone:

root@myzone:~# dtrace -l | more
   ID   PROVIDER            MODULE                          FUNCTION NAME
    1     dtrace                                                     BEGIN
    2     dtrace                                                     END
    3     dtrace                                                     ERROR
 7115    syscall                                               nosys entry
 7116    syscall                                               nosys return
...

Note, certain privileges are never allowed to be assigned to a zone. You'll be notified on boot if you attempt to assign a prohibited privilege to a zone:

bleonard@solaris:~$ sudo zoneadm -z myzone reboot
privilege "dtrace_kernel" is not permitted within the zone's privilege set
zoneadm: zone myzone failed to verify

Here's a nice listing of all the privileges and their zone status (default, optional, prohibited): Privileges in a Non-Global Zone.

Tuesday May 11, 2010

Locking Down Apache

I noticed my Apache web server had one process that ran as root, which then forked other processes as user webservd.  The reason for this is that apache wants access to port 80, which traditionally requires root privileges. To improve upon this all-or-nothing security model, Solaris 10 introduced the concept of fine-grained privileges, and in OpenSolaris there are now 75 of them.

What this means is that I can now give a process, which has traditionally run with root privileges, just the privileges it needs to get its job done - a concept known as least privilege. The trick, of course, is figuring out which privileges a process needs.

[Read More]
About

The Observatory is a blog for users of Oracle Solaris. Tune in here for tips, tricks and more as we explore the Solaris operating system from Oracle.

Connect with Oracle Solaris:


Search

Archives
« April 2014
SunMonTueWedThuFriSat
  
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
20
21
22
23
24
25
26
27
28
29
30
   
       
Today