Wednesday, July 26, 2017

sudo and RBAC, or which privilege to pick


Robert Milkowski recently posted how to use sudo with Solaris privileges; see Sudo and Solaris Privileges.

milek    ALL=()PRIVS="basic,sys_admin" NOPASSWD:/usr/sbin/fmadm faulty

Solaris 11.3 SRU 21 currently has 87 privileges (see ppriv -l). But why do I need "sys_admin" for fmadm?

Well the fmadm(1M) manpage says so. ;-)

The fmadm utility requires the user to possess the SYS_ADMIN privilege.

But how to check if we don't know which privilege is needed? Let's start with a small non-blackbox example.

$ cat p.c
#include <assert.h>
#include <priv.h>
#include <stdio.h>

int
main(void)
{
    priv_set_t *sp = priv_allocset();
    assert(sp != NULL);

    int ret = getppriv(PRIV_EFFECTIVE, sp);
    assert(ret == 0);

    if (!priv_ismember(sp, PRIV_SYS_ADMIN)) {
        printf("Nope\n");
    }

    priv_freeset(sp);
    return 0;
}

$ cc -m64 -g -Wall p.c

$ apptrace -v priv_ismember ./a.out
-> a.out    -> libc.so.1:boolean_t priv_ismember(const priv_set_t * = 0xffff80ffbf690290, const char * = 0x400cde "sys_admin")
        arg0 = (const priv_set_t *) 0xffff80ffbf690290
        arg1 = (const char *) 0x400cde "sys_admin"
Nope

When we try the same with fmadm faulty, there are no priv_ismember calls in the client at all. But we see a lot of door calls, and we recall there's a fault manager daemon running.

$ svcs -p svc:/system/fmd:default
STATE          STIME    FMRI
online         Jul_19   svc:/system/fmd:default
               Jul_19        998 fmd

Let's fire up DTrace to check if there are any priv_ismember calls in /usr/lib/fm/fmd/fmd.

# cat priv.d
#!/usr/sbin/dtrace -Cs

#include <sys/priv_const.h>

#pragma D option quiet

pid$target::priv_ismember:entry
{
    trace(stringof(copyinstr(arg1)));
}

# ./priv.d -p 998

$ fmadm faulty
fmadm: failed to get case list from fmd: operation requires additional privilege

# ./priv.d -p 998
sys_admin

And there's our priv_ismember call checking for the "PRIV_SYS_ADMIN" privilege.
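The priv.d script above prints only the name of each privilege the daemon checks. The variant below is an added example, not part of the original post: it also records the result of each priv_ismember(3C) call (arg1 on the return probe holds the boolean_t return value), counts checks per privilege, and keeps the user stack of the daemon at each check, so you can see which code path in fmd demanded the privilege. It assumes the same setup as the post (DTrace run as root, attached to the fmd pid, and priv_ismember being the libc routine the daemon calls); the script name privcheck.d and the aggregation names are my own.

```dtrace
#!/usr/sbin/dtrace -s

#pragma D option quiet

/*
 * On entry, arg1 is the privilege name string passed to
 * priv_ismember(). Remember it in a thread-local variable so the
 * return probe, which only sees the return value, can report it.
 */
pid$target::priv_ismember:entry
{
    self->name = copyinstr(arg1);
    self->in = 1;
}

/*
 * On return, arg1 is the boolean_t result: non-zero when the set
 * contains the privilege. Report the outcome per call, aggregate
 * by (privilege, result), and keep the daemon's user stack so the
 * code path that performed the check is visible.
 */
pid$target::priv_ismember:return
/self->in/
{
    printf("%-20s %s\n", self->name, arg1 ? "present" : "missing");
    @checks[self->name, arg1 ? "present" : "missing"] = count();
    @callers[self->name, ustack()] = count();
    self->name = 0;
    self->in = 0;
}

/* Summaries are printed when the script is stopped with Ctrl-C. */
END
{
    printf("\nprivilege checks (privilege, result, count):\n");
    printa("  %-20s %-8s %@u\n", @checks);
    printf("\ncallers (privilege, user stack, count):\n");
    printa("  %s %k %@u\n", @callers);
}
```

Run it as root against the daemon, e.g. ./privcheck.d -p $(pgrep -x fmd), then run fmadm faulty from another terminal; a line such as "sys_admin missing" tells you which privilege the client's door call failed on, and the stack in the END output shows where in fmd the check was made.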

Links

  • privileges(5)
  • apptrace(1)
