Lab : the user_attr database
Authentication Lab : Playing with user_attr database
=======================================
Note : please send comments or errors to nieuwenj@learningsolaris.com
Last Edited : 16/02/2005
This paper illustrates the new possibilities of the /etc/user_attr database. Up to Solaris 9, the database could be used to assign RBAC profiles, roles and authorizations to users, as well as a default project.
Solaris 10 introduces three new parameters.
1. lock_after_retries
This parameter enables a new functionality: locking an account
after a number of incorrect logins. That number is customizable
(between 5 and 15) in the /etc/default/login file. Look for the
"RETRIES" parameter, default = 5.
Check it out by enabling it for user toto with the following commands:
# usermod -K lock_after_retries=yes toto
# grep toto /etc/user_attr
Then telnet to your machine and try to log in as toto. After entering a
wrong password 5 times, look at toto's entry in the /etc/shadow file.
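The check above can be scripted. The following is an added example written for this lab, not a Solaris tool or the author's code: it parses constructed samples of the three files involved (/etc/default/login for RETRIES, /etc/user_attr for lock_after_retries, /etc/shadow for the *LK* marker) and reports, per user, whether lockout is enabled and whether the account is currently locked. The file contents and the hash placeholders are constructed; the assumption that a locked account is recorded as a password field beginning with *LK* is taken from the shadow listing later on this page.

```python
"""Audit of login lockout across the three files this exercise touches:
/etc/default/login (RETRIES), /etc/user_attr (lock_after_retries) and
/etc/shadow (the *LK* marker).  Added example for this lab, not a Solaris
tool; every file body below is a constructed sample, not captured output."""

# Constructed sample of /etc/default/login.  Commented-out settings must be ignored.
DEFAULT_LOGIN = """\
# Some lines of /etc/default/login (constructed sample)
#RETRIES=5
RETRIES=5
"""

# Constructed sample of /etc/user_attr after 'usermod -K lock_after_retries=yes toto'.
USER_ATTR = """\
root::::auths=solaris.*,solaris.grant;profiles=All;lock_after_retries=no
toto::::type=normal;lock_after_retries=yes
mike::::type=normal
"""

# Constructed sample of /etc/shadow.  A password field beginning with *LK*
# marks a locked account, as in the listing shown later in this lab; a locked
# account may keep its hash after the marker (placeholder hashes here).
SHADOW = """\
root:$md5$PLACEHOLDERHASH:6445::::::
toto:*LK*$md5$PLACEHOLDERHASH:12803::::::
mike:*LK*:::::::
student:$md5$PLACEHOLDERHASH:12802::::::
"""


def retries(default_login):
    """Value of RETRIES in /etc/default/login; the lab states the default is 5."""
    value = 5
    for line in default_login.splitlines():
        line = line.strip()
        if line.startswith("#") or "=" not in line:
            continue
        key, _, val = line.partition("=")
        if key.strip() == "RETRIES":
            value = int(val.strip())
    return value


def parse_user_attr(text):
    """Map user -> {attribute: value} from user_attr lines of the form
    user:qualifier:res1:res2:attr, where attr holds ';'-separated key=value pairs."""
    entries = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        attrs = {}
        if len(fields) >= 5 and fields[4]:
            for kv in fields[4].split(";"):
                key, _, value = kv.partition("=")
                attrs[key] = value
        entries[fields[0]] = attrs
    return entries


def locked_accounts(shadow):
    """Users whose shadow password field carries the *LK* lock marker."""
    locked = set()
    for line in shadow.splitlines():
        if not line:
            continue
        fields = line.split(":")
        if fields[1].startswith("*LK*"):
            locked.add(fields[0])
    return locked


def audit(default_login, user_attr, shadow):
    """Return the retry threshold and one (user, lockout_enabled, currently_locked)
    row per user_attr entry."""
    threshold = retries(default_login)
    locked = locked_accounts(shadow)
    rows = []
    for user, attrs in parse_user_attr(user_attr).items():
        enabled = attrs.get("lock_after_retries", "no") == "yes"
        rows.append((user, enabled, user in locked))
    return threshold, rows


if __name__ == "__main__":
    threshold, rows = audit(DEFAULT_LOGIN, USER_ATTR, SHADOW)
    print("lockout after", threshold, "failed logins for users with lock_after_retries=yes")
    for user, enabled, locked in rows:
        flag = "yes" if enabled else "no"
        print(f"{user:10} lock_after_retries={flag:3} locked={locked}")
```

On a real system the three strings would be read from the files themselves; the parsing stays the same, and an account that shows up locked without lock_after_retries=yes was locked by some other means (passwd -l, or never given a password), which is worth distinguishing when reviewing lockouts.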
2. defaultpriv
*** This parameter should be used with CAUTION ***
Solaris 10 is evolving from the superuser model, where processes
running with uid 0 have all the power, to a privilege model, where
these powers are split into a number of privileges.
By default, each user process is given 5 privileges in each of its 3
privilege sets. These 5 privileges make up the 'basic' privileges
needed to work in Solaris 10 in a backwards-compatible way.
The new "defaultpriv" parameter of the user DB allows for the
modification of this list of privileges. The following exercise will
add a privilege to toto's list.
———————————————————————
root# id toto
uid=200(toto) gid=10(staff)
root# grep toto /etc/user_attr
root#
root# usermod -K defaultpriv=basic,file_dac_read toto
root# grep toto /etc/user_attr
toto::::type=normal;defaultpriv=basic,file_dac_read
root# su - toto
Sun Microsystems Inc. SunOS 5.10 s10_72 December 2004
bash$
bash$ id
uid=200(toto) gid=10(staff)
bash$
bash$
bash$ ppriv $$
2958: -bash
flags = <none>
E: basic,file_dac_read
I: basic,file_dac_read
P: basic,file_dac_read
L: all
bash$
bash$ cat /etc/shadow
root:Sor1DEonjakKA:6445::::::
daemon:NP:6445::::::
bin:NP:6445::::::
sys:NP:6445::::::
adm:NP:6445::::::
lp:NP:6445::::::
uucp:NP:6445::::::
nuucp:NP:6445::::::
smmsp:NP:6445::::::
listen:*LK*:::::::
gdm:*LK*:::::::
webservd:*LK*:::::::
nobody:*LK*:6445::::::
noaccess:*LK*:6445::::::
nobody4:*LK*:6445::::::
student:$md5$5zHpVXAV$$pOqcRalnWY5/U/hT.Y5G6/:12802::::::
bob:*LK*:::::::
mike:*LK*:::::::
toto:$md5$u6yGK2A0$$thGq1TAYfM5bf3gC.xcUC1:12803::::::
bash$ logout
root#
———————————————————————
The following exercise is similar but highlights the risk brought by
this technique. We would like 'toto' to be able to use the "snoop"
command. We know about RBAC, but we have heard that privileges increase
security by never letting 'toto' create root processes.
———————————————————————
root# usermod -K defaultpriv=basic,net_rawaccess toto
root#
root# su - toto
Sun Microsystems Inc. SunOS 5.10 s10_72 December 2004
bash$
bash$
bash$ ppriv $$
2988: -bash
flags = <none>
E: basic,net_rawaccess
I: basic,net_rawaccess
P: basic,net_rawaccess
L: all
bash$
bash$
bash$ /usr/sbin/snoop
Using device /dev/eri (promiscuous mode)
10.45.14.100 -> ws-1444 TCP D=22 S=1006 Ack=2280778843
Seq=3015574233 Len=0 Win=49640
10.45.254.253 -> (broadcast) ARP C Who is 10.45.100.38, 10.45.100.38
———————————————————————
Perfect. It was easy. But...
———————————————————————
root# su - toto
Sun Microsystems Inc. SunOS 5.10 s10_72 December 2004
bash$
bash$
bash$
bash$ echo 'a'
bash$ echo 'a' > /dev/ip
bash$
bash$ logout
root#
root# su - mike
Sun Microsystems Inc. SunOS 5.10 s10_72 December 2004
bash$
bash$ echo 'a' > /dev/ip
-bash: /dev/ip: Permission denied
———————————————————————
Trussing the echo command run by Mike, we see:
———————————————————————
3443: open("/dev/ip", O_RDWR) Err#13 EACCES [net_rawaccess]
———————————————————————
Conclusion: don't add privileges to users unless you are completely
aware of all the areas of the kernel where the specific privilege is
checked. In this example, 'net_rawaccess' does allow toto to use
snoop, which was the goal, but it also gives him access to
/dev/ip, which is probably much more dangerous than using RBAC to let
him run "snoop"!
NB: Contributed by Peter Van Gemert. Thanks!
3. limitpriv
*** This parameter should be used with CAUTION ***
This new parameter allows the Limit privilege set to be reduced for a
specific user. We will use it to illustrate the meaning of this fourth
privilege set.
Limit is the upper bound on the privileges a process and its offspring can
ever obtain. It is used, for instance, to restrict the power of the
superuser in non-global zones.
The following exercise will configure the user 'toto' to be part of the
"Network Management" profile of the RBAC database. This is enough to
allow him to use snoop as if he were the superuser.
———————————————————————
root# usermod -P 'Network Management,All' toto
root# grep 'Network Management' /etc/security/exec_attr | grep snoop
Network Management:suser:cmd:::/usr/sbin/snoop:uid=0
root#
root# profiles toto
Network Management
Basic Solaris User
All
root# su - toto
Sun Microsystems Inc. SunOS 5.10 s10_72 December 2004
bash$
bash$ pfexec /usr/sbin/snoop
10.45.14.100 -> ws-1444 TCP D=22 S=1006 Ack=2280778843
Seq=3015574233 Len=0 Win=49640
10.45.254.253 -> (broadcast) ARP C Who is 10.45.100.38, 10.45.100.38
———————————————————————
That was expected. What happens if we modify toto's Limit privilege set
so that it doesn't include the 'net_rawaccess' privilege?
———————————————————————
root# usermod -K 'limitpriv=basic,contract_event,contract_observer,cpc_cpu,dtrace_kernel,dtrace_proc,dtrace_user,file_chown,file_chown_self,file_dac_execute,file_dac_read,file_dac_search,file_dac_write,file_owner,file_setid,ipc_dac_read,ipc_dac_write,ipc_owner,net_icmpaccess,net_privaddr,proc_audit,proc_chroot,proc_clock_highres,proc_lock_memory,proc_owner,proc_priocntl,proc_setid,proc_taskid,proc_zone,sys_acct,sys_admin,sys_audit,sys_config,sys_devices,sys_ipc_config,sys_linkdir,sys_mount,sys_net_config,sys_nfs,sys_res_config,sys_resource,sys_suser_compat,sys_time' toto
root#
root# su - toto
Sun Microsystems Inc. SunOS 5.10 s10_72 December 2004
bash$ ppriv -v $$
3566: -bash
flags = <none>
E: file_dac_read,file_link_any,proc_exec,proc_fork,proc_info,proc_session
I: file_dac_read,file_link_any,proc_exec,proc_fork,proc_info,proc_session
P: file_dac_read,file_link_any,proc_exec,proc_fork,proc_info,proc_session
L: contract_event,contract_observer,cpc_cpu,dtrace_kernel,dtrace_proc,dtrace_user,file_chown,file_chown_self,file_dac_execute,file_dac_read,file_dac_search,file_dac_write,file_link_any,file_owner,file_setid,ipc_dac_read,ipc_dac_write,ipc_owner,net_icmpaccess,net_privaddr,proc_audit,proc_chroot,proc_clock_highres,proc_exec,proc_fork,proc_info,proc_lock_memory,proc_owner,proc_priocntl,proc_session,proc_setid,proc_taskid,proc_zone,sys_acct,sys_admin,sys_audit,sys_config,sys_devices,sys_ipc_config,sys_linkdir,sys_mount,sys_net_config,sys_nfs,sys_res_config,sys_resource,sys_suser_compat,sys_time
bash$ /usr/sbin/snoop
snoop: /dev/eri: Permission denied
———————————————————————
So even though the user 'toto' is using the RBAC framework to "su" to
user "root" before executing the snoop command, the "snoop" process is
an offspring of toto's original shell and as such has the same
Limit privilege set, the one that excludes the "net_rawaccess"
privilege, which prevents him from running "snoop".
Privileges (kernel) are stronger than RBAC (userland)!
Conclusion: excerpt from the man page of the user_attr DB:
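The rule that decided all three outcomes in this lab (snoop allowed through defaultpriv, through the RBAC profile, and then refused once the Limit set lost net_rawaccess) can be written down as set arithmetic. The following is an added example written for this lab, not Solaris source and not the author's code: it parses user_attr lines, expands defaultpriv and limitpriv the way ppriv showed them above (E, I and P start as defaultpriv clipped to L), and models the two ways snoop was launched. Assumptions: the privilege universe ALL is only the set of names appearing on this page (a real system has more); the "!" negation syntax (limitpriv=all,!net_rawaccess) follows user_attr(4) and stands in for the long explicit list used above; and a uid=0 process reached through pfexec is treated as holding every privilege in L, which is the behaviour the last exercise demonstrates. All user_attr lines in the block are constructed.

```python
"""Simplified model of Solaris 10 privilege sets as driven by the user_attr
keys defaultpriv and limitpriv.  Added example for this lab, not Solaris
source: the rules below model what 'ppriv' showed in the exercises, and all
user_attr lines are constructed."""

# The five 'basic' privileges, exactly as 'ppriv -v' listed them above.
BASIC = frozenset({"file_link_any", "proc_exec", "proc_fork",
                   "proc_info", "proc_session"})

# Privilege universe for this model: the names that appear on this page.
# A real system has more, so 'all' is an approximation here (assumption).
ALL = BASIC | frozenset("""
contract_event contract_observer cpc_cpu dtrace_kernel dtrace_proc dtrace_user
file_chown file_chown_self file_dac_execute file_dac_read file_dac_search
file_dac_write file_owner file_setid ipc_dac_read ipc_dac_write ipc_owner
net_icmpaccess net_privaddr net_rawaccess proc_audit proc_chroot
proc_clock_highres proc_lock_memory proc_owner proc_priocntl proc_setid
proc_taskid proc_zone sys_acct sys_admin sys_audit sys_config sys_devices
sys_ipc_config sys_linkdir sys_mount sys_net_config sys_nfs sys_res_config
sys_resource sys_suser_compat sys_time
""".split())


def expand(spec):
    """Turn a specification such as 'basic,file_dac_read' or 'all,!net_rawaccess'
    into a set.  Tokens apply left to right; 'basic' and 'all' are the named
    groups and a leading '!' removes a privilege (user_attr(4) syntax)."""
    result = set()
    for token in spec.split(","):
        token = token.strip()
        if not token:
            continue
        remove = token.startswith("!")
        name = token.lstrip("!")
        group = {"basic": BASIC, "all": ALL}.get(name)
        if group is None:
            if name not in ALL:
                raise ValueError("unknown privilege: " + name)
            group = {name}
        if remove:
            result -= group
        else:
            result |= group
    return frozenset(result)


def parse_user_attr_line(line):
    """Parse one user_attr line (user:qualifier:res1:res2:attr) into
    (user, {key: value}); attr holds ';'-separated key=value pairs."""
    fields = line.rstrip("\n").split(":")
    user, attrs = fields[0], {}
    if len(fields) >= 5 and fields[4]:
        for kv in fields[4].split(";"):
            key, _, value = kv.partition("=")
            attrs[key] = value
    return user, attrs


def login_sets(attrs):
    """Privilege sets of the user's login shell, modelled on the 'ppriv $$'
    listings above: L comes from limitpriv (default all); E, I and P all start
    as defaultpriv (default basic) clipped to L."""
    limit = expand(attrs.get("limitpriv", "all"))
    default = expand(attrs.get("defaultpriv", "basic")) & limit
    return {"E": default, "I": default, "P": default, "L": limit}


def can_run(sets, needed, via_pfexec=False):
    """Can a child of this shell perform an operation needing 'needed'?
    Run directly, it must hold them in E.  Run through pfexec with a uid=0
    exec_attr entry (as 'Network Management' grants snoop), the child is
    treated as fully privileged but never beyond L (assumption matching the
    last exercise): that is why 'pfexec snoop' failed once net_rawaccess
    left the Limit set."""
    bound = sets["L"] if via_pfexec else sets["E"]
    return frozenset(needed) <= bound


def snoop_report(line, in_network_management_profile):
    """Summarise the three outcomes the lab observed for one user_attr line."""
    _, attrs = parse_user_attr_line(line)
    s = login_sets(attrs)
    raw = {"net_rawaccess"}
    return {
        "snoop_direct": can_run(s, raw),
        "snoop_pfexec": in_network_management_profile and can_run(s, raw, True),
        # truss showed open("/dev/ip", O_RDWR) fail with EACCES [net_rawaccess]:
        # the privilege that enables snoop directly also opens /dev/ip.
        "dev_ip_write": can_run(s, raw),
    }


if __name__ == "__main__":
    cases = [  # (constructed user_attr line, member of 'Network Management'?)
        ("toto::::type=normal;defaultpriv=basic,net_rawaccess", False),
        ("toto::::type=normal", True),
        ("toto::::type=normal;limitpriv=all,!net_rawaccess", True),
    ]
    for line, member in cases:
        print(line, "| profile:", member, "|", snoop_report(line, member))
```

The three cases reproduce the lab in order: defaultpriv hands toto net_rawaccess in E, so snoop works directly and so does writing /dev/ip; the RBAC profile alone leaves E at basic, so only pfexec snoop works and /dev/ip stays closed; and a Limit set without net_rawaccess blocks even the pfexec path, because nothing below that shell can ever exceed L.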
———————————————————————
limitpriv
The maximum set of privileges a user or any process started by the
user, whether through su(1M) or any other means, can obtain. The system
administrator must take extreme care when removing privileges from the
limit set. Removing any basic privilege has the ability of crippling
all applications; removing any other privilege can cause many or all
applications requiring privileges to malfunction.
———————————————————————
