Gary,

Recall that we had presented the following proposal for ILB at PSARC
Inception (PSARC case 2008/575):

9.1 IPC details and privileges for ilbd daemon

       We will use an AF_UNIX socket (socket type SOCK_SEQPACKET)
       for IPC between libilb and ilbd, as both processes will run on the same
       machine. A subset of ilbadm commands will require privileges
       (specifically the configuration commands) while others (the statistics
       and configuration display commands) will not. The /var/run directory
       will hold the AF_UNIX rendezvous files. We propose that the project
       implement an "ilbadm" uid. The ilbd daemon will be run by the "ilbadm"
       user with the PRIV_SYS_IP_CONFIG privilege and will use ioctls to
       communicate with the kernel. The kernel should check the ioctl
       credential to make sure it has PRIV_SYS_IP_CONFIG before servicing it.
       Since the persistent config files can only be modified by the
       daemon, the files will be owned by user "ilbadm" and will belong
       in the /etc/ilbadm directory. The ILB project will audit administration
       using the auditing interfaces that are defined by PSARC 2000/517.

PSARC raised concerns against having project-specific uids, and we decided to
look into using "root" with dropped privileges (see thread):

http://www.opensolaris.org/jive/thread.jspa;jsessionid=0BFC62EAB570E13DC0C4F22BAE53C72A?messageID=313830&#313830

Assuming we go with the "root" with dropped privileges approach, please
provide us with guidance on the following specific issues:

o  Where would you recommend that the persistent config files belong?
Would having them in the /etc/ilbadm directory still be appropriate?

o  You had also advised us that, in order to keep things simple, we should
run *all* the health checks that ILB provides with a set of privileges
and document that by default the user-supplied health checks will also
run with the same exact set of privileges. If the admin has some
user-supplied scripts that require a larger priv set, he/she will have to
run them with setuid explicitly (I assume that would be root with just
the essential privileges). I assume this advice would still stand?
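The privileged/unprivileged command split from section 9.1 relies on the daemon knowing who is on the other end of the AF_UNIX socket before it acts on a configuration request. The following is an added illustration, not the ILB project's code: it uses a Linux socketpair and SO_PEERCRED in place of the /var/run rendezvous socket and Solaris getpeerucred(3C), and the command names and the rule that configuration commands are reserved for uid 0 are assumptions made for the example.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/un.h>

/* Constructed command table: which ilbadm-style requests need privilege.
 * The names are illustrative and not the real ILB command set. */
static const char *priv_cmds[]   = { "create-rule", "delete-rule", "add-server" };
static const char *unpriv_cmds[] = { "show-rule", "show-stats", "show-server" };
#define NCMDS (sizeof priv_cmds / sizeof priv_cmds[0])

/* Policy decision: 1 = allowed, 0 = denied, -1 = unknown command.
 * Assumption for this example: configuration commands require uid 0. */
int authorize(const char *cmd, uid_t peer_uid) {
    for (size_t i = 0; i < NCMDS; i++)
        if (strcmp(cmd, unpriv_cmds[i]) == 0) return 1;   /* display/stats: anyone */
    for (size_t i = 0; i < NCMDS; i++)
        if (strcmp(cmd, priv_cmds[i]) == 0) return peer_uid == 0;
    return -1;
}

/* Daemon side: read one SOCK_SEQPACKET request, ask the kernel for the peer's
 * credential (SO_PEERCRED on Linux; Solaris would use getpeerucred(3C)) rather
 * than trusting anything in the message, and answer "OK" or "EPERM". */
int serve_one(int srv) {
    char cmd[64];
    struct ucred cr;
    socklen_t len = sizeof cr;
    ssize_t n = recv(srv, cmd, sizeof cmd - 1, 0);
    if (n <= 0) return -1;
    cmd[n] = '\0';
    if (getsockopt(srv, SOL_SOCKET, SO_PEERCRED, &cr, &len) < 0) return -1;
    const char *reply = authorize(cmd, cr.uid) == 1 ? "OK" : "EPERM";
    return send(srv, reply, strlen(reply), 0) < 0 ? -1 : 0;
}

/* libilb side over a socketpair standing in for the rendezvous socket;
 * the daemon's reply is copied into 'reply'. */
int request(const char *cmd, char *reply, size_t rlen) {
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_SEQPACKET, 0, sv) < 0) return -1;
    if (send(sv[0], cmd, strlen(cmd), 0) < 0) return -1;
    if (serve_one(sv[1]) < 0) return -1;
    ssize_t n = recv(sv[0], reply, rlen - 1, 0);
    close(sv[0]);
    close(sv[1]);
    if (n <= 0) return -1;
    reply[n] = '\0';
    return 0;
}
```

Because the decision is keyed on the kernel-reported uid rather than on the caller's own claim, an unprivileged local user still gets the display commands while configuration changes from that user are refused.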
