New privilege added to the 'basic' Least Privilege set
By stw on Oct 15, 2010
With Solaris Least Privilege, a non-root process by default has the ability to get process information, create and delete files, fork and exec, and now, as a separate privilege, open TCP or UDP endpoints. The ppriv(1) command prints the list of privileges.
    Solaris 10 9/10# ppriv -l basic
    file_link_any
    proc_exec
    proc_fork
    proc_info
    proc_session
    net_access

A verbose listing includes basic descriptions, which are also given in privileges(5).
    Solaris 10 9/10# ppriv -lv basic
    file_link_any
            Allows a process to create hardlinks to files owned by a uid
            different from the process' effective uid.
    proc_exec
            Allows a process to call execve().
    proc_fork
            Allows a process to call fork1()/forkall()/vfork()
    proc_info
            Allows a process to examine the status of processes other
            than those it can send signals to. Processes which cannot
            be examined cannot be seen in /proc and appear not to exist.
    proc_session
            Allows a process to send signals or trace processes outside
            its session.
    net_access
            Allows a process to open a TCP or UDP network endpoint.

With the addition of the net_access privilege, it is now possible to prevent a process from creating sockets and network endpoints, isolating the process from the network. By default, processes have this privilege, so the only action to take is to remove it.
To demonstrate this I use the ppriv command to limit the privileges of a command and, with the debug flag (-D), watch what happens.
Even as an unprivileged user I can check whether a specific IP address is in use with the ping command. So let's see what happens when I don't have the net_access privilege. I am doing this as a basic user.
    Solaris 10 9/10$ ppriv -D -s I-net_access -e /usr/sbin/ping 172.16.1.1
    ping: missing privilege "net_access" (euid = 1001, syscall = 5) for "devpolicy" needed at spec_open+0xd0
    ping: missing privilege "net_access" (euid = 1001, syscall = 5) for "devpolicy" needed at spec_open+0xd0
    ping: missing privilege "net_access" (euid = 1001, syscall = 5) for "devpolicy" needed at spec_open+0xd0
    /usr/sbin/ping: unknown host 172.16.1.1

Since the -e option forks and executes the command, I limit the I (inheritable) privilege set with net_access removed. The debug output shows that it is net_access that is missing, and that the denial happens three times. Note that ping itself only reports "unknown host", not a permission problem; without the -D output, the missing privilege would be easy to misdiagnose as a name-resolution failure.
To see how it would look with the privilege, I run the same command with the basic set inherited.
    Solaris 10 9/10$ ppriv -D -s I=basic -e /usr/sbin/ping 172.16.1.1
    172.16.1.1 is alive

Everything worked, and there was no debug output.
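Working out which privileges a program actually needs usually starts from exactly this kind of ppriv -D output. The script below is an added example, not code from the original post: it distills the debug lines into the set of denied privileges. The sample log is constructed to match the ping run above, and the script needs only POSIX sh, sed, grep, sort, uniq and paste, so it runs anywhere even though ppriv itself is Solaris-only.

```shell
#!/bin/sh
# Added example (not from the original post): summarise ppriv -D output.

# Constructed sample modelled on the ping run above; not captured output.
SAMPLE='ping: missing privilege "net_access" (euid = 1001, syscall = 5) for "devpolicy" needed at spec_open+0xd0
ping: missing privilege "net_access" (euid = 1001, syscall = 5) for "devpolicy" needed at spec_open+0xd0
ping: missing privilege "net_access" (euid = 1001, syscall = 5) for "devpolicy" needed at spec_open+0xd0
/usr/sbin/ping: unknown host 172.16.1.1'

# missing_privs: read ppriv -D output on stdin; print each distinct missing
# privilege once as "<count> <name>", most frequent first. Lines that are
# the program's own output (such as "unknown host") are ignored.
missing_privs() {
    sed -n 's/^.*missing privilege "\([^"]*\)".*$/\1/p' \
        | sort | uniq -c | sort -rn | sed 's/^ *//'
}

# denials_for: how many times the named privilege was denied (0 if never).
denials_for() {
    grep -c "missing privilege \"$1\"" || true
}

# needed_set: the missing privileges as one comma-separated list, the form a
# privilege list takes in ppriv -s and privileges(5); empty if none missing.
needed_set() {
    missing_privs | sed 's/^[0-9]* //' | sort | paste -sd, -
}

# Stand-alone run: what the sample implies about ping.
printf '%s\n' "$SAMPLE" | missing_privs
printf 'ping needs: %s\n' "$(printf '%s\n' "$SAMPLE" | needed_set)"
```

Feeding it the output of a successful run (the "is alive" case above) yields an empty set, which is the signal that the inheritable set used was sufficient.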
It's a good idea to use predefined sets such as basic, so that changes to the set's membership don't break scripts in the future.