Exercise S.1: Privileges Exercise S.2: Using Rights Profiles Exercise S.3: Qualifying Privileges Exercise S.4: Safe Browsing Exercise S.5: Locking Down Services Exercise S.6: Privilege Debugging
This set of exercises is designed to briefly demonstrate some aspects of the privilege policy in Oracle Solaris:
Privileges are process attributes that are required by the kernel policy to perform specific services. Both the rights of the traditional superuser, as well as those of normal users, have been subdivided into about 80 privileges. By default, user processes are assigned a basic subset of privileges which makes the policy transparent. But the policy can be customized to empower or lockdown applications.
The exercises are just introductions - you are referred to the Oracle Solaris Administration: Security Services for further information. In addition, the following man pages will be useful: privileges(5), ppriv(1), usermod(1M), profiles(1), svccfg(1M), and svcadm(1M).
Passwords:
User:lab Password:oracle1
Role:root Password:oracle2012
Some of the exercises require the root role.
Task: Become familiar with process privileges.
Lab: Use the ppriv command to view a summary of the effects of each privilege.
lab@solaris:~$ ppriv -lv|less
contract_event
Allows a process to request critical events without limitation.
Allows a process to request reliable delivery of all events on
any event queue.
contract_identity
Allows a process to set the service FMRI value of a process
contract template.
contract_observer
Allows a process to observe contract events generated by
contracts created and owned by users other than the process's
effective user ID.
Allows a process to open contract event endpoints belonging to
contracts created and owned by users other than the process's
effective user ID.
...
Lab: Use the ppriv command to view the privileges of your shell.
lab@solaris:~$ ppriv $$
2673: bash
flags = PRIV_PFEXEC
E: basic,!proc_info
I: basic,!proc_info
P: basic,!proc_info
L: all
The letters E, I, P, and L, refer to the four process privilege sets.
The flags field specifies how the policy is applied via exec(2). The PRIV_PFEXEC flag is set by any of the profile shells. Once it is set, it is inherited by child processes and RBAC execution is automatic. Two more flags, PRIV_DEBUG and PRIV_XPOLICY, are shown in Exercise S.6.
Task:Use the profiles command to create a profile and assign it to a user .
Lab:In this exercise, you will use the profiles command to create a profile called Demo Extended Policy,
which restricts the behavior of the visual editor, vi.
Assume the root role and create a new profile interactively:
lab@solaris:~$ su - root@solaris:~# profiles -p "Demo Extended Policy" profiles:Demo Extended Policy> set desc="Demonstrates extended policy" profiles:Demo Extended Policy> add cmd=/usr/bin/vim profiles:Demo Extended Policy:vim> set limitprivs=all,!proc_exec profiles:Demo Extended Policy:vim> end profiles:Demo Extended Policy> exit
This profile removes the privilege proc_exec from the L set when vim (or vi) is executed.
It can be assigned to the lab user via the profiles command or the User Manager GUI.
Using the CLI:
root@solaris:~# usermod -K profiles+="Demo Extended Policy" lab
Using the GUI, from the Oracle Menu, select System->Administration->User Manager. When the User Manager GUI appears, click on the lock icon in the upper right, and select root@solaris. Then enter the root password, to assume the root role. Next double-click on lab, and select Advanced Settings.... Then click Rights Profiles, and double click Demo Extended Policy. Then click the Move Up button until it is first in the Granted Rights list. Finally, click OK twice.
To demonstrate the effect of this profile, start vi as the user lab. Try something like :!date and notice that subshells are disabled.
While vi is running, enter the following command in another Terminal, to view the current privilege sets.
lab@solaris:~$ ppriv -S $(pgrep vi)
2805: vi foo
flags = PRIV_PFEXEC
E: basic,!proc_info
I: basic,!proc_info
P: basic,!proc_info
L: all,!proc_exec
Task: Learn how some privileges can be qualified to apply to specific resources, such as filesystem objects, network ports, or processes.
By default, privileges apply to all relevant objects. However, to prevent privilege escalation, all the zones's privileges are required to override the protection of root-owned objects. The scope of privileges can be qualified via rules, in which privilege sets are associated with specific objects. These rules are expressed by enclosing the qualified privilege sets between curly braces, followed by a colon and the associated object.
Lab: Assign a privilege that only applies to a specifc file and command. The rule is added to the Demo Extended Policy rights profile.
root@solaris:~# profiles -p "Demo Extended Policy"
profiles:Demo Extended Policy> add cmd=/usr/bin/cat
profiles:Demo Extended Policy:cat> set privs={file_dac_read}:/etc/shadow
profiles:Demo Extended Policy:cat> end
profiles:Demo Extended Policy> exit
Now as the user, try it out.
lab@solaris:~$ cat /etc/shadow root:$5$J5/pD0gA$A7f2xZbB7G4yBp83LnrS3P0BhSEOwtbUDQ5olFGY5y0:15481:::::: daemon:NP:6445:::::: bin:NP:6445:::::: sys:NP:6445:::::: ...
Note that the policy only overides the read permission bits for /etc/shadow by the cat command.
Try accessing this file with another command like less or tail.
Task: This exercise demonstrates how an ordinary unprivileged user can use extended policy to restrict the behavior of an application like firefox.
Lab: Start firefox in a sandbox which is only able to read and write
files under $HOME/Downloads and $HOME/Desktop. It can be observed, for example, that
the user's Documents directory is hidden from firefox.
Since a normal unprivileged user cannot modify rights profiles, the profiles command is not used in this exercise.
Instead, the -r option of the ppriv command is used to specify an extended policy rule set. Note that this
exercise assumes that the the lab user has been previously set up as follows:
root@solaris:~# usermod -d /export/home/lab -K defaultpriv=basic,\!proc_info lab
Using the lab account, launch firefox using ppriv.
lab@solaris:~$ ppriv -r "\
{file_read}:/dev/*,\
{file_read}:/etc/*,\
{file_read}:/lib/*,\
{file_read}:/usr/*,\
{file_read}:/var/*,\
{file_read}:/proc,\
{file_read}:/proc/*,\
{file_read}:/system/volatile/*,\
{file_write}:$HOME,\
{file_read}:$HOME/.*,\
{file_read,file_write}:$HOME/.mozill*,\
{file_read,file_write}:$HOME/.gnome*,\
{file_read,file_write}:$HOME/Desktop*,\
{file_read,file_write}:$HOME/Downloa*,\
{file_read,file_write}:/tmp,\
{file_read,file_write}:/tmp/*,\
{file_read,file_write}:/var/tmp,\
{file_read,file_write}:/var/tmp/*,\
{proc_exec}:/usr/*\
" -e /usr/bin/firefox file:///$HOME/Desktop
Like the proc_exec privilege used in Exercise S.2, the privileges file_read and
file_write are basic privileges. When these two privileges are qualified, it is necessary to
grant explicit access to every file that should be read or written. The use of the wildcard character, *, is essential in such policies.
Task: Use a profile to lock down the Apache web server so that it can only bind to port 80, and can only write to files owned by webservd.
Lab: Create a profile called Apache2, which has a locked down extended policy. The apache22 service is then configured to use this rights profile. Note that in this exercise, nothing in the apache22 service ever runs as root.
root@solaris:~# profiles -p "Apache2"
profiles:Apache2> set desc="Apache Web Server Process Attributes"
profiles:Apache2> add cmd=/lib/svc/method/http-apache22
profiles:Apache2:http-apache22> add privs={net_privaddr}:80/tcp
profiles:Apache2:http-apache22> add privs={zone}:/system/volatile/apache2
profiles:Apache2:http-apache22> add privs={zone}:/var/apache2/2.2/logs/*
profiles:Apache2:http-apache22> add privs={zone}:/var/user
profiles:Apache2:http-apache22> add privs={file_write}:/var/user/webserv*
profiles:Apache2:http-apache22> add privs={file_write}:/tmp/*
profiles:Apache2:http-apache22> add privs={file_write}:/system/volatile/apache*
profiles:Apache2:http-apache22> add privs={file_write}:/proc/*
profiles:Apache2:http-apache22> add privs=basic,proc_priocntl
profiles:Apache2:http-apache22> set uid=webservd
profiles:Apache2:http-apache22> set gid=webservd
profiles:Apache2:http-apache22> end
profiles:Apache2> exit
In this case the command is the start method for the apache22 SMF service. You can view and set its properties
via the svccfg command
root@solaris:/usr/lib#svccfg -s apache22 svc:/network/http:Apache2> listprop start/exec start/exec astring "/lib/svc/method/http-apache22 start" svc:/network/http:Apache2> setprop start/profile="Apache2" svc:/network/http:Apache2> setprop start/use_profile=true svc:/network/http:Apache2> refresh svc:/network/http:Apache2> exit
Note that the Apache2 profile will be applied when the service is enabled.
root@solaris:/usr/lib# svcadm enable apache22
You can verify that the apache22 service is working by entering localhost in the firefox URL field.
Task: Learn how to determine which privileges an application requires.
Lab: Use the -D option of the ppriv command.
It is easier to do the analysis if the Apache service is started interactively, using the apachectl script, instead of the SMF method script. Be sure to
disable the apache22 service if it still running.
root@solaris:~# svcadm disable apache22
Now clone the Apache2 profile, by renaming it Apache-debug; select the existing cmd entry and rename it, too.
root@solaris:~# profiles -p "Apache2" profiles:Apache2> set name=Apache-debug profiles:Apache-debug> sel<TAB><TAB> profiles:Apache-debug:http-apache22> set id=/usr/apache2/2.2/bin/apachectl profiles:Apache-debug:apachectl> end profiles:Apache-debug> exit
Next, assign the cloned profile to the webservd account.
root@solaris:~# usermod -K profiles+=Apache-debug webservd
Now switch to the webservd identity:
root@solaris:~# su - webservd webservd@solaris:~$ id uid=80(webservd) gid=80(webservd) webservd@solaris:~$ pfbash webservd@solaris:~$ ppriv -De /usr/apache2/2.2/bin apachectl start
Verify that it is running correctly by examing the privileges of the first http daemon.
root@solaris:/usr/lib# ppriv $(pgrep httpd|head -1)
2958: httpd
flags = PRIV_DEBUG|PRIV_XPOLICY|PRIV_EXEC
5 Extended policies:
6 {net_privaddr}:80/tcp
7 {zone}:/system/volatile/apache2
8 {zone}:/var/apache2/2.2/logs/*
9 {zone}:/var/user
10 {file_write}:/var/user/webserv*
11 {file_write}:/tmp/*
12 {file_write}:/system/volatile/apache*
13 {file_write}:/proc/*
14 E: basic,!file_write,!proc_info,proc_priocntl
15 I: basic,!file_write,!proc_info,proc_priocntl
16 P: basic,!file_write,!proc_info,proc_priocntl
17 L: all
Verify that the extended policies are correct.
That concludes this lab session.