Wednesday Jun 23, 2010
Tuesday May 25, 2010
By Brian Leonard on May 25, 2010
Of all the components of Solaris' Role Based Access Control (RBAC), roles are the easiest to implement. When I explain the concept of roles to people, they immediately get it.
OpenSolaris comes with a couple of roles pre-configured, most notably root. This has led to some frustration for newcomers to OpenSolaris as they don't understand why they can't log into their system as root.
But, as there is most likely no person in your organization named 'root', why do you want a user account on your system for a person that doesn't exist? Who is this root user and who's accountable for what they do on the system? Over time the password for the root user account always seems to proliferate. The principle of least privilege, another RBAC concept that I'm not addressing here, is meant to limit the need to hand out root access, but even in the absence of that, wouldn't it be nice to know who's doing what as root on your system?
Tuesday May 11, 2010
By Brian Leonard on May 11, 2010
I noticed my Apache web server had one process that ran as root, which then forked other processes as user webservd. The reason for this is that Apache wants to bind port 80, which traditionally requires root privileges. To improve upon this all-or-nothing security model, Solaris 10 introduced the concept of fine-grained privileges, and in OpenSolaris there are now 75 of them.
What this means is that I can now give a process, which has traditionally run with root privileges, just the privileges it needs to get its job done - a concept known as least privilege. The trick, of course, is figuring out which privileges a process needs.
Tuesday Jun 16, 2009
By Brian Leonard on Jun 16, 2009
Today I came across 3 short screencasts by Christoph Schuba on various security-related features in OpenSolaris:
Christoph's a senior engineer on the Solaris security team and a frequent presenter on the topic of OpenSolaris security at conferences. Each screencast is under 5 minutes. Enjoy.
Friday Dec 05, 2008
Sunday Sep 21, 2008
By Gregg Sporar on Sep 21, 2008
I recently got a comment on a blog entry I did a while back that explains setting up a multiboot system. The comment was from Peter Jones and he was having trouble editing the menu.lst file. He had apparently overlooked the exact syntax that I had specified:
pfexec gedit /rpool/boot/grub/menu.lst
From the content of the comment, it appears the problem was that he did not specify pfexec, so he was unable to save changes to the file.
That got me to thinking about how frequently in these blog entries we use pfexec, and we have never posted a detailed explanation of what it does and why it works. So I made a note to write a blog entry on that topic.
I was about to write it up when I noticed that Joerg Moellenkamp has recently published a blog entry that pretty much says exactly what I was going to write; check it out at Less known Solaris features: pfexec. In particular, make note of the part at the end where he describes how by default, the userid you create during installation of OpenSolaris 2008.05 has the all-powerful Primary Administrator rights profile assigned to it.
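To make the pfexec point above concrete (and the least-privilege point from the May 11 entry), here is an added POSIX shell audit that is not part of this post or Joerg's: it walks user_attr and exec_attr lines in the format Solaris uses and reports which users get uid 0 on every command through pfexec (the Primary Administrator case) versus a single privilege on a single command. The user names, the Web Server Management profile and the apachectl grant are constructed sample data, not copied from a real system.

```shell
#!/bin/sh
# Constructed sample of /etc/user_attr lines (user:qualifier:res1:res2:attr).
USER_ATTR='brian::::profiles=Primary Administrator;roles=root
webadmin::::profiles=Web Server Management
guest::::type=normal'

# Constructed sample of /etc/exec_attr lines (profile:policy:type:res1:res2:id:attr).
# "*" as the id means the attributes apply to every command run under pfexec;
# net_privaddr is the privilege that allows binding a port below 1024.
EXEC_ATTR='Primary Administrator:solaris:cmd:::*:uid=0;gid=0
Web Server Management:solaris:cmd:::/usr/apache2/2.2/bin/apachectl:privs=net_privaddr'

# Print one tab-separated line per user/profile pair: user, profile, what pfexec grants.
audit_pfexec() {
  printf '%s\n' "$EXEC_ATTR" | awk -F: -v users="$USER_ATTR" '
    # First pass (stdin): remember what each profile lets pfexec grant.
    {
      prof = $1; cmd = $6; attr = $7
      if ((";" attr ";") ~ /;uid=0;/)
        grant[prof] = (cmd == "*") ? "ROOT-ON-ALL-COMMANDS" : "uid=0 on " cmd
      else if (match(attr, /privs=[^;]*/))
        grant[prof] = substr(attr, RSTART + 6, RLENGTH - 6) " on " cmd
      else
        grant[prof] = "no privilege change"
    }
    # Second pass (the -v string): map each user to its profiles= list.
    END {
      n = split(users, line, "\n")
      for (i = 1; i <= n; i++) {
        split(line[i], f, ":")
        if (match(f[5], /profiles=[^;]*/)) {
          m = split(substr(f[5], RSTART + 9, RLENGTH - 9), profs, ",")
          for (j = 1; j <= m; j++)
            printf "%s\t%s\t%s\n", f[1], profs[j], (profs[j] in grant) ? grant[profs[j]] : "unknown profile"
        } else
          printf "%s\t-\tno profiles assigned\n", f[1]
      }
    }'
}

# Users who effectively have root via pfexec: the accounts whose passwords matter as much as root's.
users_with_full_root() {
  audit_pfexec | awk -F'\t' '$3 == "ROOT-ON-ALL-COMMANDS" { print $1 }'
}

audit_pfexec
```

On a real system you would feed it the actual /etc/user_attr and /etc/exec_attr contents (or the output of `profiles -l`) instead of the constructed strings.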
The Observatory is a blog for users of Oracle Solaris. Tune in here for tips, tricks and more as we explore the Solaris operating system from Oracle.