Re: (mis)using RBAC...Apr 15 2005 03:51PM Glenn M. Brunette, Jr. (Glenn Brunette Sun COM)
Benjamin,
benjamin brumaire wrote:
>
> On Solaris10 you should try to give the http daemon the privilege to
> open privileged port "PRIV_NET_PRIVADDR" so it doesn't need to be started
> as root :)
This is exactly the focus of the article to be published next month.
There are a few things you need to do besides just changing the UID
and privilege sets for this to work, which is why I wrote it up as
a Sun BluePrints Cookbook. In addition, you can also remove some
of the default (basic) privileges from the service since Apache will
not need them. As a teaser, what you will be left with is something
like:
# svcprop -v -p start apache2
start/exec astring /lib/svc/method/http-apache2\ start
start/timeout_seconds count 60
start/type astring method
start/user astring webservd
start/group astring webservd
start/privileges astring basic,!proc_session,!proc_info,!file_link_any,net_privaddr
start/limit_privileges astring :default
start/use_profile boolean false
start/supp_groups astring :default
start/working_directory astring :default
start/project astring :default
start/resource_pool astring :default
I will make a note on my blog when the new article is published.
Take care,
g
--
Glenn M. Brunette, Jr.
Distinguished Engineer, Chief Security Architect
Client Solutions, Global Data Center Practice CTO
Sun Microsystems, Inc.
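An added example, not from the post or the BluePrints cookbook: a POSIX sh check that reads svcprop-style output and confirms the method context has the least-privilege shape Glenn shows (non-root user, net_privaddr granted, the three unneeded basic privileges dropped), plus the svccfg commands that set just those properties. The two svcprop samples are constructed; the post says further steps beyond these properties are needed, and those are not reproduced here.

```shell
#!/bin/sh
# Constructed sample in the shape of `svcprop -v -p start apache2` after the
# change described in the post (not captured from a live system).
SAMPLE_GOOD='start/exec astring /lib/svc/method/http-apache2\ start
start/user astring webservd
start/group astring webservd
start/privileges astring basic,!proc_session,!proc_info,!file_link_any,net_privaddr
start/limit_privileges astring :default'

# Constructed sample of an untouched method context: runs as root, full basic set.
SAMPLE_DEFAULT='start/exec astring /lib/svc/method/http-apache2\ start
start/user astring :default
start/privileges astring :default'

# prop NAME OUTPUT -> prints the value of property start/NAME from OUTPUT
prop() {
    printf '%s\n' "$2" | awk -v k="start/$1" '$1 == k { print $3; exit }'
}

# Returns 0 when the method context matches the post's least-privilege shape;
# otherwise prints each reason and returns 1.
check_apache_context() {
    out=$1; rc=0
    user=$(prop user "$out"); privs=$(prop privileges "$out")
    case "$user" in
        ''|root|:default) echo "method still runs as root"; rc=1 ;;
    esac
    case ",$privs," in
        *,net_privaddr,*) ;;
        *) echo "net_privaddr missing: binding port 80 as $user will fail"; rc=1 ;;
    esac
    for p in proc_session proc_info file_link_any; do
        case ",$privs," in
            *,"!$p",*) ;;
            *) echo "basic privilege $p is still granted"; rc=1 ;;
        esac
    done
    return $rc
}

# svccfg(1M) commands that set only the properties shown in the post
# (Solaris 10 SMF). Printed, not executed, so this script runs anywhere.
show_svccfg_commands() {
    cat <<'EOF'
svccfg -s apache2 setprop start/user = astring: webservd
svccfg -s apache2 setprop start/group = astring: webservd
svccfg -s apache2 setprop start/privileges = astring: basic,!proc_session,!proc_info,!file_link_any,net_privaddr
svcadm refresh apache2
EOF
}
```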