Mayuresh Nirhali writes:
> >>       Are there any setuid/setgid privileged binaries in the project?
> >>       [X] Yes - ARC review required
> >>       [ ] No - continue with next section (section 3.4.3)
> >>     
> >
> > The previous response said that there weren't any setuid or setgid
> > binaries.  I'm confused.
> >
> > If you deliver RBAC bits (such as exec_attr) and/or an SMF manifest,
> > then the binary itself often isn't setuid.
> >
> >   
> Sorry for the confusion here, the previous response was incorrect as I 
> mentioned in my earlier mail.
> Dante makes a lot of seteuid/geteuid calls.

OK; it sounds like the template may need a little work.

The question being asked here has nothing to do with whether your code
calls any of the setuid(2) functions.  It has to do with whether bits
04000 or 02000 are set on any of the binary files that are delivered.

It's asking about the use of the traditional UNIX SUID/SGID bits
because those are things that allow privilege escalation and that do
*not* go through RBAC.

> My understanding is that a call to seteuid/geteuid allows all the users
> to run such a binary (of course, if the 's' bit is set), and we are using
> roles (RBAC) to prevent non-privileged users from running the Dante
> server. Using roles (RBAC) here means that the seteuid/geteuid calls are
> really not needed. Please correct me if I am wrong.

I don't think I follow.

Ordinarily, I would expect that the Dante server would run with Least
Privilege specified through the SMF manifest.  It would not need to
have any of the SUID/SGID bits in the file system to be set nor would
the daemon itself need an RBAC entry, because SMF 'startd' would set
the privileges and UID/GID as necessary for normal operation.

I would also expect that if Dante is started by SMF as UID root (for
some reason; that reason might need to be documented), then it may
well have some code that later does a seteuid call to switch to some
"safer" UID.  I might also expect that if it has to read user files,
it might use seteuid() along with privileges in order to do that.
Neither of those, though, sounds like the architectural issues that
this question addresses.

None of that has much to do with RBAC.  I find it hard to imagine what
Dante might do with RBAC, other than _maybe_ having new authorizations
defined for the SMF controls, if that's even needed.

If you have not yet done so, I suggest working off-line with one of
the RBAC experts (Darren Moffat, Gary Winiger) to make sure those bits
are right.

> > I thought it was possible to include user names and passwords in the
> > configuration files, if you configure without PAM.
> >   
> Dante checks for SOCKS_USERNAME & SOCKS_PASSWORD variables in the
> environment. It does not look at the config files. Am I missing anything
> here?

No; you're not.  I misunderstood how sockd.conf 'user' worked.

-- 
James Carlson, Solaris Networking              <james.d.carlson at sun.com>
Sun Microsystems / 35 Network Drive        71.232W   Vox +1 781 442 2084
MS UBUR02-212 / Burlington MA 01803-2757   42.496N   Fax +1 781 442 1677
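
The check the template question is really asking for (are bits 04000 or 02000 set on any delivered file, independent of whether the code calls seteuid), as an added example that is not part of the original message or of Dante. The staging-tree layout and the file names `daemon` and `helper` are constructed for illustration.

```python
import os
import stat
import tempfile

# The two traditional UNIX bits the review question is about.
SPECIAL_BITS = {stat.S_ISUID: "setuid (04000)", stat.S_ISGID: "setgid (02000)"}


def special_bits(mode):
    """Return labels for the SUID/SGID bits set in a st_mode value."""
    return [label for bit, label in SPECIAL_BITS.items() if mode & bit]


def audit_tree(root):
    """Walk a package staging tree; return sorted [(relpath, owner_uid, labels)].

    Only regular files are reported: setgid on a directory does not grant
    privilege at exec time, and symlinks are skipped rather than followed.
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat: never follow links out of the tree
            if not stat.S_ISREG(st.st_mode):
                continue
            labels = special_bits(st.st_mode)
            if labels:
                findings.append((os.path.relpath(path, root), st.st_uid, labels))
    return sorted(findings)


def make_sample_tree(root):
    """Constructed sample: one plain daemon binary and one setuid helper."""
    os.makedirs(os.path.join(root, "usr", "sbin"))
    for name, mode in (("daemon", 0o755), ("helper", 0o4755)):
        path = os.path.join(root, "usr", "sbin", name)
        with open(path, "w") as f:
            f.write("#!/bin/sh\n")
        os.chmod(path, mode)  # chmod after writing; writes can clear SUID


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tree:
        make_sample_tree(tree)
        for relpath, uid, labels in audit_tree(tree):
            print(f"{relpath}: owner uid {uid}, {', '.join(labels)}")
```

A file that only calls seteuid() at run time never shows up here; only mode bits on the delivered files do, and the owner UID tells you whose identity an exec would assume.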
