New privilege added to the 'basic' Least Privilege set

Oracle Solaris 10 9/10 (update 9) has added another privilege to the basic set of privileges, the set that all unprivileged (non-root) users have by default.

With Least Privileges, a non-root process by default has the ability to get process information, create and delete files, fork and exec, and now, as a separate privilege, open TCP or UDP endpoints. The ppriv(1) command prints the list of privileges.

Solaris 10 9/10# ppriv -l basic
file_link_any
proc_exec
proc_fork
proc_info
proc_session
net_access

A verbose listing includes basic descriptions, which are also given in privileges(5).

Solaris 10 9/10# ppriv -lv basic
file_link_any
       Allows a process to create hardlinks to files owned by a uid
       different from the process' effective uid.
proc_exec
       Allows a process to call execve().
proc_fork
       Allows a process to call fork1()/forkall()/vfork()
proc_info
       Allows a process to examine the status of processes other
       than those it can send signals to.  Processes which cannot
       be examined cannot be seen in /proc and appear not to exist.
proc_session
       Allows a process to send signals or trace processes outside its
       session.
net_access
       Allows a process to open a TCP or UDP network endpoint.

With the addition of the net_access privilege, it is now possible to prevent a process from creating sockets and network endpoints, isolating the process from the network. By default, processes have this privilege, so the only action to take is to remove it.

To demonstrate this, I use the ppriv command to limit the privileges of a command and watch, with the debug flag, what happens.

Even as an unprivileged user I can check whether a specific IP address is in use with the ping command. So let's see what happens when I don't have the net_access privilege. I am doing this as a basic user.

Solaris 10 9/10$ ppriv -D -s I-net_access -e /usr/sbin/ping 172.16.1.1
ping[14942]: missing privilege "net_access" (euid = 1001, syscall = 5) 
   for "devpolicy" needed at spec_open+0xd0
ping[14942]: missing privilege "net_access" (euid = 1001, syscall = 5) 
   for "devpolicy" needed at spec_open+0xd0
ping[14942]: missing privilege "net_access" (euid = 1001, syscall = 5) 
   for "devpolicy" needed at spec_open+0xd0
/usr/sbin/ping: unknown host 172.16.1.1

Since I am forking a process with the -e option, I limit the I (inherited) privilege set by removing net_access. The debug output shows that it is net_access that is missing, and it happens three times.

To see how it would look with the privilege, I run the same command with the basic set inherited.

Solaris 10 9/10$ ppriv -D -s I=basic -e /usr/sbin/ping 172.16.1.1
172.16.1.1 is alive 

Everything worked, and there was no debug output.
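As an added example (not from the original post), here is a small Python script that parses the "missing privilege" records that ppriv -D prints, rejoins the wrapped continuation lines, and reports per process which privileges were denied and how often, so the privileges a command actually needs can be identified before settling on a reduced inheritable set. The sample input is constructed from the ping run above; the field names in the regular expression are my own.

```python
import re
from collections import defaultdict, Counter
# ppriv -D record format (see the ping run above); the wrapped tail is rejoined by unwrap()
MISSING_RE = re.compile(
    r'^(?P<cmd>[^\[\s]+)\[(?P<pid>\d+)\]: missing privilege "(?P<priv>\w+)" '
    r'\(euid = (?P<euid>\d+), syscall = (?P<syscall>\d+)\)\s+'
    r'for "(?P<policy>[^"]+)" needed at (?P<where>\S+)$')

# Constructed sample: the three wrapped records and the final error line from the ping run above
SAMPLE_DEBUG = '''\
ping[14942]: missing privilege "net_access" (euid = 1001, syscall = 5)
   for "devpolicy" needed at spec_open+0xd0
ping[14942]: missing privilege "net_access" (euid = 1001, syscall = 5)
   for "devpolicy" needed at spec_open+0xd0
ping[14942]: missing privilege "net_access" (euid = 1001, syscall = 5)
   for "devpolicy" needed at spec_open+0xd0
/usr/sbin/ping: unknown host 172.16.1.1
'''

def unwrap(text):
    """Join indented continuation lines onto the preceding record."""
    records = []
    for line in text.splitlines():
        if line[:1].isspace() and records:
            records[-1] = records[-1].rstrip() + " " + line.strip()
        elif line.strip():
            records.append(line.rstrip())
    return records

def parse_missing(text):
    """One dict per 'missing privilege' record; unrelated lines (errors, output) are skipped."""
    events = []
    for rec in unwrap(text):
        m = MISSING_RE.match(rec)
        if m:
            d = m.groupdict()
            for k in ("pid", "euid", "syscall"):
                d[k] = int(d[k])
            events.append(d)
    return events

def summarize(events):
    out = defaultdict(Counter)  # (cmd, pid) -> {privilege: number of denials}
    for e in events:
        out[(e["cmd"], e["pid"])][e["priv"]] += 1
    return dict(out)

def required_privs(events):
    """Privileges that were denied, i.e. the ones that must stay in the I set."""
    return sorted({e["priv"] for e in events})
```

Feed it the captured stderr of a ppriv -D run that starts from a deliberately reduced set; an empty result means the set was sufficient.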

It's a good idea to use predefined sets such as basic, so that changes to the set don't affect scripts in the future.

Steffen

Comments:

Although I am not a Unix geek, I am a Windows security professional and Group Policy MVP. I love when solutions like this are developed and advanced, thank goodness Unix gets this right! For Windows and SQL, you need a solution that gives you some level of least privilege. Without a tool like PowerBroker for Desktops by BeyondTrust (www.beyondtrust.com), you are not going to be able to provide least privilege to your developers and DBAs. PowerBroker for Desktops has solved least privilege for some of the largest developer shops in the USA and around the world. It can solve your least privilege issues for Windows too!

Posted by Derek Melber, MVP, MCSE on November 29, 2010 at 04:28 AM EST #
