Re: CD writing in future Linux (stirring up a hornets' nest) (was: Rationale for RLIMIT_MEMLOCK?)

From: Joerg Schilling
Date: Tue Jan 24 2006 - 09:37:34 EST

Next message: Eric Dumazet: "[PATCH] [SMP] reduce size of percpudata, and make sure per_cpu(object,not_possible_cpu) cause an invalid memory reference"
Previous message: Ram Gupta: "Re: [RFC] VM: I have a dream..."
In reply to: Bodo Eggert: "Re: CD writing in future Linux (stirring up a hornets' nest) (was: Rationale for RLIMIT_MEMLOCK?)"
Next in thread: Bodo Eggert: "Re: CD writing in future Linux (stirring up a hornets' nest)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Bodo Eggert <harvested.in.lkml@xxxxxxxxxxxxxxxxxx> wrote:

> Joerg Schilling <schilling@xxxxxxxxxxxxxxxxxxx> wrote:
>
> [...]
> > On Solaris, you (currently) use a profile enabled shell (pfsh, pfksh or pfcsh)
> > that calls getexecuser() in order to find whether there is a specific
> > treatment needed. If this specific treatment is needed, then the shell calls
> > execve(/usr/bin/pfexec cmd <args>)
> > else it calls execve(cmd <args>)
> >
> > I did recently voted to require all shells to be profile enabled by default.
>
> Why? I asume there will only be few programs requiring to be run by a
> wrapper, and mv /usr/bin/foo to /usr/pfexec-bin/foo;
> echo $'#!/bin/sh\n/usr/sbin/pfexec /usr/pfexec-bin/foo "$@"' > /usr/bin/foo;
> chmod 755 /usr/bin/foo
> should be easier than patching e.g. all callers of cdrecord, and it won't
> slow down starting non-profiled applications.

Because the architecture review commitee decided this would be the right way.

Note that we are on a migration from the classical root/non-root UNIX to a fine
grained privileges handling. The current documentation says that you need to
have a profile enabled shell as your SHELL in order to be able to use a
root-less Solaris.

> Possibly the pfexec can tell the application to be run by the basename (like
> su1), in this case you'd add something like
> "alias cdrecord /opt/schily/bin/cdrecord" to it's configuration and link it
> to /usr/bin/cdrecord.

But you are right that another way would be to use something like "isaexec"

> > The final priv would allow even vendor specific commands: this is what
> > cdrecord needs.
>
> That sounds reasonable, but I wonder how you can get access to a device
> file descriptor in order to do unprivileged access.

This is something that needs to be discussed. Last night, I found that there
should be a way to run cdrecord without the need to have the "file_dac_read"
provilege. I'll discuss this with the security group.

Jörg

--
EMail:joerg@xxxxxxxxxxxxxxxxxxxxxxxxxxx (home) Jörg Schilling D-13353 Berlin
js@xxxxxxxxxxxxxxx (uni)
schilling@xxxxxxxxxxxxxxxxxxx (work) Blog: http://schily.blogspot.com/
URL: http://cdrecord.berlios.de/old/private/ ftp://ftp.berlios.de/pub/schily
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Eric Dumazet: "[PATCH] [SMP] reduce size of percpudata, and make sure per_cpu(object,not_possible_cpu) cause an invalid memory reference"
Previous message: Ram Gupta: "Re: [RFC] VM: I have a dream..."
In reply to: Bodo Eggert: "Re: CD writing in future Linux (stirring up a hornets' nest) (was: Rationale for RLIMIT_MEMLOCK?)"
Next in thread: Bodo Eggert: "Re: CD writing in future Linux (stirring up a hornets' nest)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]