BigAdmin System Administration Portal
Community-Submitted Tech Tip
This content is submitted by a BigAdmin user. It has not been reviewed for technical accuracy by Sun Microsystems, though it may have been lightly edited to improve readability. If you find an error or would like to comment on the article, please contact the submitter or use the comment field at the bottom of the article. Community submissions may not follow Sun trademark guidelines. For information on Sun trademarks, please see http://www.sun.com/suntrademarks/.
 
 

Using Process Rights Management in the Solaris 10 OS to Run setuid Binaries

Steven Sim, October 2006


Introduction

This Tech Tip explores Process Rights Management (PRM) in the Solaris 10 OS, and how PRM lets us run commands that are normally setuid or setgid without the setuid or setgid flag set on the binary.


Objective

PRM in the Solaris 10 OS allows us to remove setuid/setgid flags from executables that would normally have them set, while also allowing a selected set of non-privileged users to execute them.

In the Solaris 10 OS, although most of the "normal" setuid/setgid executables have been rewritten to be privilege aware (PA), they still have their setuid/setgid flags set. This is necessary so that the program first gains the full root privilege set and then drops the privileges it does not need. However, this requires the program to be fully privilege aware, and some setuid/setgid programs may not have been ported yet.

This Tech Tip suggests a method to remove the setuid/setgid flag, while allowing a selected non-root user to execute the program appropriately.


Example Using ping

A good example of a setuid binary is the ping program.

$ ls -al /usr/sbin/ping
-r-sr-xr-x   1 root     bin        45016 Apr 26  2005 /usr/sbin/ping

Now rewritten to be PA, the ping program drops unnecessary root privileges immediately upon startup:

root@solaris # ppriv -v 1325
1325:   ping -s 192.168.0.1
flags = PRIV_AWARE
        E: file_link_any,proc_exec,proc_fork,proc_info,proc_session
        I: file_link_any,proc_exec,proc_fork,proc_info,proc_session
        P: file_link_any,proc_exec,proc_fork,proc_info,proc_session
        L: none

Let's say we now remove the setuid flag from /usr/sbin/ping:

root@solaris # ls -al /usr/sbin/ping
-r-xr-xr-x   1 root     bin        45016 Apr 26  2005 /usr/sbin/ping

Subsequently, a normal non-root user would no longer be able to properly execute ping:

$ ping -s 192.168.0.1
ping: socket Permission denied

Why ping Failed

ping failed because it now lacks the net_icmpaccess privilege. To show this, we run ping under the Solaris 10 OS privilege debugging facility (ppriv -D), which reports each privilege check that fails:

$ ppriv -e -D ping -s 192.168.0.1
ping[1391]: missing privilege "net_icmpaccess" (euid = 100, syscall = 230) for 
"devpolicy" needed at so_socket+0x9d
ping: socket Permission denied

This happens because the setuid flag has been removed from ping: it was the setuid bit that gave ping the root privileges, net_icmpaccess among them, that it needs to open its socket.

Let's look at the privileges of the user's shell, the parent process of the ping command:

root@solaris # ppriv -v 955
955:    -ksh
flags = <none>
        E: file_link_any,proc_exec,proc_fork,proc_info,proc_session
        I: file_link_any,proc_exec,proc_fork,proc_info,proc_session
        P: file_link_any,proc_exec,proc_fork,proc_info,proc_session
        L: contract_event,contract_observer,cpc_cpu,dtrace_kernel,dtrace_proc,
dtrace_user,file_chown,file_chown_self,file_dac_execute,file_dac_read,
file_dac_search,file_dac_write,file_link_any,file_owner,file_setid,ipc_dac_read,
ipc_dac_write,ipc_owner,net_icmpaccess,net_privaddr,
net_rawaccess,proc_audit,proc_chroot,proc_clock_highres,proc_exec,proc_fork,
proc_info,proc_lock_memory,proc_owner,proc_priocntl,proc_session,proc_setid,
proc_taskid,proc_zone,sys_acct,sys_admin,sys_audit,sys_config,sys_devices,
sys_ipc_config,sys_linkdir,sys_mount,sys_net_config,sys_nfs,sys_res_config,
sys_resource,sys_suser_compat,sys_time

The shell's E, I, and P sets clearly lack net_icmpaccess, although its L (limit) set still contains it, so the privilege can be added.


The Parent Shell Privileges

Let's assign the net_icmpaccess privilege to the parent shell process (pid 955):

root@solaris # ppriv -s PEI+net_icmpaccess 955

Once again, let's look at the shell privileges:

root@solaris # ppriv -v 955
955:    -ksh
flags = <none>
        E: file_link_any,net_icmpaccess,proc_exec,proc_fork,proc_info,proc_session
        I: file_link_any,net_icmpaccess,proc_exec,proc_fork,proc_info,proc_session
        P: file_link_any,net_icmpaccess,proc_exec,proc_fork,proc_info,proc_session
        L: contract_event,contract_observer,cpc_cpu,dtrace_kernel,dtrace_proc,
dtrace_user,file_chown,file_chown_self,file_dac_execute,file_dac_read,
file_dac_search,file_dac_write,file_link_any,file_owner,file_setid,ipc_dac_read,
ipc_dac_write,ipc_owner,net_icmpaccess,net_privaddr,
net_rawaccess,proc_audit,proc_chroot,proc_clock_highres,proc_exec,proc_fork,
proc_info,proc_lock_memory,proc_owner,proc_priocntl,proc_session,proc_setid,
proc_taskid,proc_zone,sys_acct,sys_admin,sys_audit,sys_config,sys_devices,
sys_ipc_config,sys_linkdir,sys_mount,sys_net_config,sys_nfs,sys_res_config,
sys_resource,sys_suser_compat,sys_time
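The following is an added illustration, not code from the Tech Tip or from Sun: a small Python model of the four privilege sets that `ppriv -v` prints and of the `[AEILP][+-=]privs` specification syntax that `ppriv -s` accepts. It parses the shell listing quoted above (KSH_PPRIV_OUTPUT is constructed from it), reports which sets lack a privilege (the reason the earlier ppriv -D run failed), and applies a spec while enforcing two rules documented in privileges(5): the effective set stays within the permitted set, and the limit set can only shrink. It is a model for reasoning about privilege changes, not the real ppriv implementation, and the names BASIC, parse_ppriv, missing_from, apply_spec and spec_rejected are this example's own.

```python
"""Model of Solaris privilege sets as reported by `ppriv -v` and altered by
`ppriv -s`.  Added example, not code from the Tech Tip or from Sun; it
mirrors the documented spec syntax [AEILP][+-=]privs but is not ppriv itself.
KSH_PPRIV_OUTPUT is constructed from the shell listing in the article."""
import re

SETS = ("E", "I", "P", "L")   # effective, inheritable, permitted, limit
# The Solaris 10 "basic" privilege set, as shown in the article's listings.
BASIC = {"file_link_any", "proc_exec", "proc_fork", "proc_info", "proc_session"}

KSH_PPRIV_OUTPUT = """\
955:    -ksh
flags = <none>
        E: file_link_any,proc_exec,proc_fork,proc_info,proc_session
        I: file_link_any,proc_exec,proc_fork,proc_info,proc_session
        P: file_link_any,proc_exec,proc_fork,proc_info,proc_session
        L: contract_event,contract_observer,cpc_cpu,dtrace_kernel,dtrace_proc,
dtrace_user,file_chown,file_chown_self,file_dac_execute,file_dac_read,
file_dac_search,file_dac_write,file_link_any,file_owner,file_setid,ipc_dac_read,
ipc_dac_write,ipc_owner,net_icmpaccess,net_privaddr,
net_rawaccess,proc_audit,proc_chroot,proc_clock_highres,proc_exec,proc_fork,
proc_info,proc_lock_memory,proc_owner,proc_priocntl,proc_session,proc_setid,
proc_taskid,proc_zone,sys_acct,sys_admin,sys_audit,sys_config,sys_devices,
sys_ipc_config,sys_linkdir,sys_mount,sys_net_config,sys_nfs,sys_res_config,
sys_resource,sys_suser_compat,sys_time
"""


def _privs(text):
    """Split a comma-separated privilege list, expanding the keywords
    'basic' and 'none' that ppriv accepts."""
    out = set()
    for name in text.split(","):
        name = name.strip()
        if name == "basic":
            out |= BASIC
        elif name and name != "none":
            out.add(name)
    return out


def parse_ppriv(output):
    """Turn `ppriv -v` text into {"E": set, "I": set, "P": set, "L": set}.
    The L set is printed wrapped over several lines; a line carrying no set
    letter is a continuation of the set opened most recently."""
    sets = {s: set() for s in SETS}
    current = None
    for line in output.splitlines():
        m = re.match(r"\s*([EIPL]):\s*(.*)$", line)
        if m:
            current, body = m.group(1), m.group(2)
        elif current is not None and line.strip():
            body = line
        else:
            continue              # pid/command header and "flags =" line
        sets[current] |= _privs(body)
    return sets


def missing_from(sets, priv):
    """Names of the sets that lack priv.  A privileged syscall succeeds only
    when priv is in E, which is what `ppriv -D` reports as missing."""
    return [s for s in SETS if priv not in sets[s]]


def apply_spec(sets, spec):
    """Apply one `ppriv -s` specification such as "PEI+net_icmpaccess".
    Letters select sets (A = all four); '+' adds, '-' removes, '=' replaces.
    Enforces two invariants from privileges(5): E stays a subset of P, and
    L can never grow.  Returns a new dict; the input is left untouched."""
    m = re.fullmatch(r"([AEILP]+)([-+=])(.*)", spec)
    if not m:
        raise ValueError("malformed spec: %r" % spec)
    letters, op, privlist = m.groups()
    privs = _privs(privlist)
    targets = SETS if "A" in letters else [s for s in SETS if s in letters]
    new = {s: set(v) for s, v in sets.items()}
    for s in targets:
        if op == "+":
            new[s] |= privs
        elif op == "-":
            new[s] -= privs
        else:
            new[s] = set(privs)
    if not new["L"] <= sets["L"]:
        raise ValueError("the limit set can only be reduced")
    if not new["E"] <= new["P"]:
        raise ValueError("the effective set must stay within the permitted set")
    return new


def spec_rejected(sets, spec):
    """True when apply_spec refuses the spec (handy for audits and tests)."""
    try:
        apply_spec(sets, spec)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    shell = parse_ppriv(KSH_PPRIV_OUTPUT)
    print("before:", missing_from(shell, "net_icmpaccess"))            # ['E', 'I', 'P']
    fixed = apply_spec(shell, "PEI+net_icmpaccess")   # the article's assignment
    print("after PEI+:", missing_from(fixed, "net_icmpaccess"))        # []
    same = apply_spec(shell, "PEI-net_icmpaccess")    # '-' removes, so nothing changes
    print("after PEI-:", missing_from(same, "net_icmpaccess"))         # ['E', 'I', 'P']
```

Running the block shows why the operator in the spec matters: `PEI+net_icmpaccess` makes the privilege appear in E, I and P, whereas `PEI-net_icmpaccess` is a removal and leaves the shell exactly as it was. The model also refuses `E+net_rawaccess` on this shell, because E may not contain anything outside P, and refuses any spec that would enlarge L.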

We now try a ping as a non-root user from shell process 955:

$ ping -s 192.168.0.1
PING 192.168.0.1: 56 data bytes
64 bytes from silence.mshome.net (192.168.0.1): icmp_seq=0. time=0.313 ms
64 bytes from silence.mshome.net (192.168.0.1): icmp_seq=1. time=0.607 ms
64 bytes from silence.mshome.net (192.168.0.1): icmp_seq=2. time=0.566 ms

Success!


Automatic Assignment

But how do we assign individual shells the necessary privileges? Do we have to assign them every time the user logs in or requires them?

One way is to add an entry for the user to /etc/user_attr, like so:

johndoe::::defaultpriv=basic,net_icmpaccess

This entry automatically gives the non-root user johndoe the privilege needed to run ping, without the setuid/setgid flag being set on the ping binary.

This example illustrates a way to clear the setuid/setgid flags from non-PA executables that would normally require them.


Flaw

There is a flaw in using /etc/user_attr to set the default privilege, of course: every process the user starts (johndoe in the example above) now also carries net_icmpaccess, including the many that have no need for this particular privilege.
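To see the /etc/user_attr approach and its flaw together, here is an added example (not code from the Tech Tip or from Sun): a Python audit that parses user_attr entries in the user:qualifier:res1:res2:attr layout of user_attr(4), computes the privileges each user's login shell starts with, and reports every user whose defaultpriv goes beyond the basic set, since every process of that user inherits those extras. The file content in SAMPLE_USER_ATTR is constructed; it assumes the policy.conf PRIV_DEFAULT is left at its default of basic, and the functions parse_user_attr, login_privs and extra_default_privs are this example's own.

```python
"""Audit /etc/user_attr for users whose defaultpriv exceeds the basic set.
Added example, not code from the Tech Tip or from Sun.  SAMPLE_USER_ATTR is
constructed; fields follow user_attr(4): user:qualifier:res1:res2:attr,
where attr holds key=value pairs separated by ';' and multi-valued values
are comma-separated."""

# Solaris 10 basic privilege set, as printed by ppriv in the article.
BASIC = {"file_link_any", "proc_exec", "proc_fork", "proc_info", "proc_session"}

SAMPLE_USER_ATTR = """\
# constructed sample; not a real system's /etc/user_attr
adm::::profiles=Log Management
root::::auths=solaris.*,solaris.grant;profiles=All;lock_after_retries=no
johndoe::::defaultpriv=basic,net_icmpaccess
alice::::type=normal;defaultpriv=basic,net_rawaccess,proc_lock_memory;limitpriv=all
bob::::profiles=Basic Solaris User
"""


def parse_user_attr(text):
    """Map user name -> dict of attr key/value strings.  Comment and blank
    lines are skipped; lines without exactly five colon-separated fields
    are ignored as malformed rather than guessed at."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 5:
            continue
        attrs = {}
        for pair in fields[4].split(";"):
            if "=" in pair:
                key, value = pair.split("=", 1)
                attrs[key.strip()] = value.strip()
        entries[fields[0]] = attrs
    return entries


def login_privs(attrs):
    """Privileges the user's login shell starts with: the basic set unless a
    defaultpriv attribute replaces it (assumes PRIV_DEFAULT in policy.conf
    is left at its default of basic); the 'basic' keyword is expanded."""
    privs = set()
    for name in attrs.get("defaultpriv", "basic").split(","):
        name = name.strip()
        if name == "basic":
            privs |= BASIC
        elif name:
            privs.add(name)
    return privs


def extra_default_privs(entries):
    """user -> privileges beyond basic that every process of that user
    inherits at login; this makes the article's Flaw visible at a glance."""
    report = {}
    for user, attrs in entries.items():
        extra = login_privs(attrs) - BASIC
        if extra:
            report[user] = extra
    return report


if __name__ == "__main__":
    report = extra_default_privs(parse_user_attr(SAMPLE_USER_ATTR))
    for user, privs in sorted(report.items()):
        print("%s: %s" % (user, ",".join(sorted(privs))))   # alice and johndoe
```

On a real system the same functions can be fed the contents of /etc/user_attr; the report lists exactly the users for whom a per-user default privilege has been chosen over a per-command one, which is the trade-off the Flaw section describes.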
