Re: [osol-discuss] New onnv distro naming suggestion
SolarOS Rolls right off the tongue ;) -- This message posted from opensolaris.org ___ opensolaris-discuss mailing list opensolaris-discuss@opensolaris.org
Re: [osol-discuss] unable to break out of X
You are correct I have Solaris on this box not Opensolaris. Sorry about that. I might have better luck poking around looking for an answer tied to Solaris. Thanks four your assistance. Allen -Original Message- From: Alan Coopersmith [mailto:alan.coopersm...@oracle.com] Sent: Monday, August 02, 2010 3:49 PM To: Allen Jasewicz Cc: opensolaris-discuss@opensolaris.org Subject: Re: [osol-discuss] unable to break out of X Allen Jasewicz wrote: > I am in single user mode, however I do not know what to fix without running > the kdmconfig command (I have never been any good with X). The kdmconfig > command will not work in single user mode. There is no kdmconfig in OpenSolaris, so if you have that command, you're running something else (Solaris 10 probably, possibly an old SXCE build), and specifying what OS you're running would be a key step to getting the right help. > Is there a file to delete to tell X to reconfigure? Xorg autoconfigures itself as long as /etc/X11/xorg.conf is not present. -- -Alan Coopersmith-alan.coopersm...@oracle.com Oracle Solaris Platform Engineering: X Window System Yazaki North America, Inc. - Confidentiality & Security Notice This email is intended only for the person or entity to which it is addressed and may contain confidential, proprietary and/or privileged material. Any review, distribution, reliance on, or other use of this information by persons or entities other than the intended recipient is prohibited. If you receive this message in error, please immediately notify the sender and delete it and all copies of it from your system. Visitors are prohibited from taking pictures or video at anytime in YNA or its affiliated company facilities unless prior authorization is obtained from facilities management. Thank you. ___ opensolaris-discuss mailing list opensolaris-discuss@opensolaris.org
[osol-discuss] Sound Juicer and security (was: Re: root roles & security holes)
Joerg/Dmitry: On 07/30/10 12:10 PM, joerg.schill...@fokus.fraunhofer.de wrote: "Dmitry G. Kozhinov" wrote: sound-juicer is started by a non-root user the process runs as root and writes its files as root If this is true, this is a huge security hole. Someone should investigate the problem. As far as I could understand, Sound Juicer does not know root password, however bypassing this somehow. Total crash of all UNIX ideas. There are several similar problems in GNOME. They are a result from the fact that Linux is not security oriented when allowing to send SCSI commands to devices. This can be done as normal user on Linux for many SCSI commands. People develop on Linux and create non-portable code that is a security risk. The problem with sound-juicer is similar to that of brasero. The sound-juicer application uses the brasero library to support CD burning. Since both brasero and sound-juicer require this, they both are configured in /etc/security/exec_attr to have elevated permission when the user has "Desktop Removable Media User" profile. This profile is normally assigned to the "Console User" role. This, and the security implications were discussed in the brasero ARC case (LSARC 2009/201). There was some talk in the Tamarack (PSARC 2005/399) case about adding some additional more fine-grained privileges (uscsi_full and uscsi_user) to better address this. Note this quote from that case: > We propose: > > - eliminate smserverd, make libsmedia open device directly; > - create two new privileges: > - uscsi_full for full uscsi access; > - uscsi_user for limited uscsi access (no resets or aborts); > - add uscsi_user to the "Basic User Profile"; However, this has Since sound-jouicer now cleanly calls cdda2wav in order to read AUDIO data from CD, there should no longer be a need to run sound-juicer as root. The GStreamer CDDA plugin uses cdda2wav for playing audio from the CD. However, CD ripping is handled by the brasero library, which uses the SCSI commands and therefore requires the elevated privilege. Brian ___ opensolaris-discuss mailing list opensolaris-discuss@opensolaris.org
Re: [osol-discuss] New onnv distro naming suggestion
On Mon, Aug 2, 2010 at 4:06 PM, Richard L. Hamilton wrote: > You want a name? > > uname... > -- > This message posted from opensolaris.org > ___ > opensolaris-discuss mailing list > opensolaris-discuss@opensolaris.org > ReallyOpenSolaris, with the others being KindaOpenSolaris, UnOpenSolaris and Oracalaris :P **DISCLAIMER: These comments require a sense of humor. Should you be lacking same, one may be available, slightly used, in various government organizations. ** -- Cheers, Steven --- Steven Acres Toronto OpenSolaris User Group Leader http://opensolaris.org/os/project/torosug ___ opensolaris-discuss mailing list opensolaris-discuss@opensolaris.org
Re: [osol-discuss] The Illumos Project
> Maybe it's as simple as a few people getting > sufficiently sick of seeing > the discussion boards full of people saying "Someone > should do this" and > "Someone should do that"; and decided to simply do > something instead of > complaining that someone else should do something? If it's anything like the current distro, with *affordable* paid support in line with pre-Oracle arrangements, then I'm in. Dave -- This message posted from opensolaris.org ___ opensolaris-discuss mailing list opensolaris-discuss@opensolaris.org
Re: [osol-discuss] root roles & security holes
On 08/ 2/10 04:55 AM, Mike DeMarco wrote: In making root a role you now rely on a user account to be available at all times. You can not login as the role and if the user account gets misconfigured in some way you can not login at all. User accounts are fluid they grow and get configured in different way each time you risk having the user account blow up and not be able to get back into the host to fix it other than with the LiveCD. Which means you always have to keep the LiveCD handy. Since root should be a limited use account you can and should give it a very cryptic password and keep its environment static. This ensures a level of sanity to the account and with it being static it will be left in a safe,secure and reliable state. Incidentally, if root is a role and the network is down and you have no local user accounts, you can still recover without a Live CD. You can use the root password to boot in single-user mode, even when root is a role. Scott -- Scott Rotondo Senior Principal Engineer, Solaris Core OS Engineering President, Trusted Computing Group Phone: +1 650 786 6309 (Internal x86309) ___ opensolaris-discuss mailing list opensolaris-discuss@opensolaris.org
Re: [osol-discuss] root roles & security holes
On 07/30/10 03:49 PM, David Brodbeck wrote: On Jul 30, 2010, at 3:31 PM, Scott Rotondo wrote: Regarding the expansion of the attack surface, remember that assuming the root role requires logging in to a user account first and then providing the root password. Well, yes and no. It's true that su requires the root password, and sudo usually requires the password of the user account before running commands with root privileges. pfexec does not require any password entry at all, so an account that's allowed to exercise root privileges via pfexec is, from a security standpoint, functionally equivalent to another root account. What you're describing is the effect of assigning the Primary Administrator profile to users (so they can run any command as uid 0). That's not something I would recommend from a security standpoint. You certainly aren't required to do that in order to have the root account as a role. Scott -- Scott Rotondo Senior Principal Engineer, Solaris Core OS Engineering President, Trusted Computing Group Phone: +1 650 786 6309 (Internal x86309) ___ opensolaris-discuss mailing list opensolaris-discuss@opensolaris.org
Re: [osol-discuss] unable to break out of X
All is well, this is what happened. When I ran kdmconfig the first time I must have selected the "xsun server" which in turn delete the xorg.conf file. Then I put the default copy of the OWconfig, which cause the kdmconfig to crash. The short of it is, X is working again and I need to pay closer which Solaris I am working on. Thanks for all your assistance -- This message posted from opensolaris.org ___ opensolaris-discuss mailing list opensolaris-discuss@opensolaris.org
Re: [osol-discuss] root roles & security holes
On Mon, Aug 02, 2010 at 11:31:31AM -0700, Mike DeMarco wrote: > > jimwtype=normal;profiles=File System Management,ZFS File System > > Management > > > > which doesn't give jimw the ability to su to root but does give > > some, but not all, additional privs when he pfexec's commands. > > I know that this is only an example but I prefer using zfs allow to > grant zfs command usage to users without having them pfexec. I wish > zones had the same functionality built in that would allow zoneadm > privilege for a given user. Sure, zfs priv delegation can come in very handy. > For root not logging who did what I always use a root.## account for > different admins to use root. None know that real root password and > they login as there root.## account which is set to uid 0. This tracks > usage as the logs now log root.__ did this. Once someone has UID 0 they don't need to know root's password. You should get to know OpenSolaris RBAC auditing better as I think you may find this provides better auditing and security than your current configuration. -- Will Fiveash Oracle Note my new work e-mail address: will.five...@oracle.com http://opensolaris.org/os/project/kerberos/ Sent using mutt, a sweet text based e-mail app: http://www.mutt.org/ ___ opensolaris-discuss mailing list opensolaris-discuss@opensolaris.org
Re: [osol-discuss] unable to break out of X
On 08/ 2/10 03:40 PM, Allen Jasewicz wrote: It is really weird, I am in single user mode, I have imported rpool to /a as read/write and I am unable to find an xorg.conf file on the /a mount. It was working and I wanted to make adjustments to the display and typed in kdmconfig while windows was running. I exited out without saving anything, then rebooted and that is what lead to where I am, unable to get windows to work or get a prompt when in multi user mode. You're on Solaris 10 Update 8: Solaris 10 10/09 s10x_u8wos_08a X86 Copyright ... Use is ... Assembled 16 September 2009 Look for /a/etc/openwin/server/etc/OWconfig. There may be a backup file in that directory. The template file should be /a/usr/openwin/server/etc/OWconfig. ___ opensolaris-discuss mailing list opensolaris-discuss@opensolaris.org
Re: [osol-discuss] The Illumos Project
Well, personally i would prefer if they all kept their work within Oracle/Sun, but let's see what this Illumos project will be.. Interesting that they have people from Nexenta, and the site is hosted within Stanford University Network...so back to home? ;) Bruno On 2-8-2010 21:43, Edward Martinez wrote: >> A number of the community leaders from the >> OpenSolaris community have >> been working quietly together on a new effort called >> Illumos, and we're >> just about ready to fully disclose our work to, and >> invite the general >> participation of, the general public. >> >> We believe that everyone who is interested in >> OpenSolaris should be >> interested in what we have to say, and so we invite >> the entire >> OpenSolaris community to join us for a presentation >> on at 1PM EDT on >> August 3, 2010. >> >> You can find out the full details of how to listen in >> to our conference, >> or attend in person (we will be announcing from New >> York City) by >> visiting http://www.illumos.org/announce (The final >> details shall be >> posted there not later than 1PM EDT Aug 1, 2010.) >> >> We look forward to seeing you there! >> >> - Garrett D'Amore & the rest of the Illumos Cast >> > I think it would be awesome, if former Solaris devs that used to work for > SUN would be invited to participate in illunos, people like: Bryan Cantrill, > Bill Moore, Greg Lanvender,etc in a way, It would be like getting the SUN > band together;) > -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. ___ opensolaris-discuss mailing list opensolaris-discuss@opensolaris.org
Re: [osol-discuss] unable to break out of X
On 08/ 2/10 03:40 PM, Allen Jasewicz wrote: It is really weird, I am in single user mode, I have imported rpool to /a as read/write and I am unable to find an xorg.conf file on the /a mount. It was working and I wanted to make adjustments to the display and typed in kdmconfig while windows was running. I exited out without saving anything, then rebooted and that is what lead to where I am, unable to get windows to work or get a prompt when in multi user mode. What does "cat /a/etc/release" report? ___ opensolaris-discuss mailing list opensolaris-discuss@opensolaris.org
Re: [osol-discuss] New onnv distro naming suggestion
You want a name? uname... -- This message posted from opensolaris.org ___ opensolaris-discuss mailing list opensolaris-discuss@opensolaris.org
Re: [osol-discuss] root roles & security holes
On 08/ 2/10 03:02 PM, Jason wrote: From an audit perspective, it's still going to show the activity as uid 0 vs an actual user. The idea is that one can track which user assumed the root role, and thus can associate the activity with a user. -Seb ___ opensolaris-discuss mailing list opensolaris-discuss@opensolaris.org
Re: [osol-discuss] unable to break out of X
Allen Jasewicz wrote: > I am in single user mode, however I do not know what to fix without running > the kdmconfig command (I have never been any good with X). The kdmconfig > command will not work in single user mode. There is no kdmconfig in OpenSolaris, so if you have that command, you're running something else (Solaris 10 probably, possibly an old SXCE build), and specifying what OS you're running would be a key step to getting the right help. > Is there a file to delete to tell X to reconfigure? Xorg autoconfigures itself as long as /etc/X11/xorg.conf is not present. -- -Alan Coopersmith-alan.coopersm...@oracle.com Oracle Solaris Platform Engineering: X Window System ___ opensolaris-discuss mailing list opensolaris-discuss@opensolaris.org
Re: [osol-discuss] The Illumos Project
> A number of the community leaders from the > OpenSolaris community have > been working quietly together on a new effort called > Illumos, and we're > just about ready to fully disclose our work to, and > invite the general > participation of, the general public. > > We believe that everyone who is interested in > OpenSolaris should be > interested in what we have to say, and so we invite > the entire > OpenSolaris community to join us for a presentation > on at 1PM EDT on > August 3, 2010. > > You can find out the full details of how to listen in > to our conference, > or attend in person (we will be announcing from New > York City) by > visiting http://www.illumos.org/announce (The final > details shall be > posted there not later than 1PM EDT Aug 1, 2010.) > > We look forward to seeing you there! > > - Garrett D'Amore & the rest of the Illumos Cast I think it would be awesome, if former Solaris devs that used to work for SUN would be invited to participate in illunos, people like: Bryan Cantrill, Bill Moore, Greg Lanvender,etc in a way, It would be like getting the SUN band together;) -- This message posted from opensolaris.org ___ opensolaris-discuss mailing list opensolaris-discuss@opensolaris.org
Re: [osol-discuss] unable to break out of X
It is really weird, I am in single user mode, I have imported rpool to /a as read/write and I am unable to find an xorg.conf file on the /a mount. It was working and I wanted to make adjustments to the display and typed in kdmconfig while windows was running. I exited out without saving anything, then rebooted and that is what lead to where I am, unable to get windows to work or get a prompt when in multi user mode. -- This message posted from opensolaris.org ___ opensolaris-discuss mailing list opensolaris-discuss@opensolaris.org
Re: [osol-discuss] unable to break out of X
> I am in single user mode, You are probably not in single user at this time, if it is only X which is not working... > however I do not know what > to fix without running the kdmconfig command (I have > never been any good with X). My guess is you have modified /etc/X11/xorg.conf manually. I'd login on the console with my usual account, then $ pfexec mv /etc/X11/xorg.conf /etc/X11/xorg.conf.HIDE $ pfexec svcadm clear gdm (the latter should be not necessary actually). X should start with no xorg.conf. If you want to have it in order to modify it, run: $ pfexec X -configure then examine/edit the newly create xorg.conf.new file in your home directory, try starting X with it and when you are happy with it, put it in place. > The kdmconfig command > will not work in single user mode. Is there a file > to delete to tell X to reconfigure? I will attempt > the grub steps in the mean time. I am mostly a SPARC > user so x86 is kinda new. Chavdar Ivanov -- This message posted from opensolaris.org ___ opensolaris-discuss mailing list opensolaris-discuss@opensolaris.org
Re: [osol-discuss] unable to break out of X
I am in single user mode, however I do not know what to fix without running the kdmconfig command (I have never been any good with X). The kdmconfig command will not work in single user mode. Is there a file to delete to tell X to reconfigure? I will attempt the grub steps in the mean time. I am mostly a SPARC user so x86 is kinda new. -- This message posted from opensolaris.org ___ opensolaris-discuss mailing list opensolaris-discuss@opensolaris.org
Re: [osol-discuss] New onnv distro naming suggestion
rm -r -- This message posted from opensolaris.org ___ opensolaris-discuss mailing list opensolaris-discuss@opensolaris.org
Re: [osol-discuss] root roles & security holes
>From an audit perspective, it's still going to show the activity as uid 0 vs an actual user. With the right infrastructure, it then becomes a lot harder to subvert... ..now if Oracle's others products (E-Biz suite) would actually work properly in an rbac environment... On Mon, Aug 2, 2010 at 1:31 PM, Mike DeMarco wrote: >> jimwtype=normal;profiles=File System >> Management,ZFS File System Management >> >> which doesn't give jimw the ability to su to root but >> does give some, >> but not all, additional privs when he pfexec's >> commands. > > I know that this is only an example but I prefer using zfs allow to grant zfs > command usage to users without having them pfexec. I wish zones had the same > functionality built in that would allow zoneadm privilege for a given user. > > For root not logging who did what I always use a root.## account for > different admins to use root. None know that real root password and they > login as there root.## account which is set to uid 0. This tracks usage as > the logs now log root.__ did this. > -- > This message posted from opensolaris.org > ___ > opensolaris-discuss mailing list > opensolaris-discuss@opensolaris.org > ___ opensolaris-discuss mailing list opensolaris-discuss@opensolaris.org
Re: [osol-discuss] unable to break out of X
> I attempted to change my display settings and somehow > broke X. It only displays that x can not be started > hit enter for a console prompt. The console prompt > never appears. If I can not get to to the prompt how > can I fix it? Can anyone provide suggestion on how > to boot without X attempting to start? I am using > Opensolaris x86 on a Dell optiplex 755. I do not > know the build because I can not get in. Boot into single user mode? In the GRUB boot menu, edit the menu entry and delete the splashimage, foreground and background lines, remove the ",console=graphics" option at the end of the kernel$ line, and append option "-s" (single user mode) at the end of the kernel$ line. Boot using the modified entry. -- This message posted from opensolaris.org ___ opensolaris-discuss mailing list opensolaris-discuss@opensolaris.org
Re: [osol-discuss] root roles & security holes
> > On Aug 2, 2010, at 5:00 AM, Mike DeMarco wrote: > > >> This is a variant of the convenience argument. > >> Systems with root as a > >> ole require a local user account with Primary > >> Administrator role. When > >> I installed OpenSolaris it did the right thing and > >> created such an > >> account that does not depend on NIS or LDAP and is > >> thus insulated from > >> issues with those servers. That user account > should > >> only have local > >> paths in the PATH and a local home directory for > >> greater reliability. > > > > Why do you believe root should be a role? > > I suspect the line of thinking went something like > this: > > - We've been telling people for a while not to log in > as root. > - They keep logging in as root anyway. > - We'll make it so they *can't* log in as root. > That'll learn 'em. ;) > I'm not totally against this; in fact, root is still > a role on my systems. It does lead to some > unexpected consequences you have to think through if > you use network authentication, is all. > > -- > > David Brodbeck > System Administrator, Linguistics > University of Washington > > > > > ___ > opensolaris-discuss mailing list > opensolaris-discuss@opensolaris.org > I tried to convert root back to a standard user and build 134 broke. It would not complete the boot and just hung. Had to boot the LiveCD suck in the zpool and change root back to a role before it would finish booting. No messages, no crash, just stopped booting. -- This message posted from opensolaris.org ___ opensolaris-discuss mailing list opensolaris-discuss@opensolaris.org
Re: [osol-discuss] root roles & security holes
> jimwtype=normal;profiles=File System > Management,ZFS File System Management > > which doesn't give jimw the ability to su to root but > does give some, > but not all, additional privs when he pfexec's > commands. I know that this is only an example but I prefer using zfs allow to grant zfs command usage to users without having them pfexec. I wish zones had the same functionality built in that would allow zoneadm privilege for a given user. For root not logging who did what I always use a root.## account for different admins to use root. None know that real root password and they login as there root.## account which is set to uid 0. This tracks usage as the logs now log root.__ did this. -- This message posted from opensolaris.org ___ opensolaris-discuss mailing list opensolaris-discuss@opensolaris.org
[osol-discuss] unable to break out of X
I attempted to change my display settings and somehow broke X. It only displays that x can not be started hit enter for a console prompt. The console prompt never appears. If I can not get to to the prompt how can I fix it? Can anyone provide suggestion on how to boot without X attempting to start? I am using Opensolaris x86 on a Dell optiplex 755. I do not know the build because I can not get in. -- This message posted from opensolaris.org ___ opensolaris-discuss mailing list opensolaris-discuss@opensolaris.org
Re: [osol-discuss] root roles & security holes
On Fri, Jul 30, 2010 at 04:51:57PM -0700, David Brodbeck wrote: > > On Jul 30, 2010, at 4:41 PM, Will Fiveash wrote: > > > On Fri, Jul 30, 2010 at 03:49:57PM -0700, David Brodbeck wrote: > >> > >> On Jul 30, 2010, at 3:31 PM, Scott Rotondo wrote: > >>> Regarding the expansion of the attack surface, remember that > >>> assuming the root role requires logging in to a user account first > >>> and then providing the root password. > >> > >> Well, yes and no. It's true that su requires the root password, > >> and sudo usually requires the password of the user account before > >> running commands with root privileges. pfexec does not require any > >> password entry at all, so an account that's allowed to exercise > >> root privileges via pfexec is, from a security standpoint, > >> functionally equivalent to another root account. > > > > No, an account that has to either use su or pfexec to acquire root > > privs is not functionally the same as a root user account. Let's > > assume there are several people that require root privs to do their > > job. With a root user account any of them could login as root and > > audit records would not be able to identify which of those people > > did what as root. With RBAC and root as a role and each admin > > having their own account, audit records would show who became root > > and what commands they executed as root. Accountability is > > definitely enhanced with root as a role. > > Oh, I definitely agree. But I was making that comment in terms of the > ability of an attacker to get root privileges. In that case > compromising any admin account that can assume root privileges via > pfexec is functionally just as good to the attacker as compromising > the root account itself. So every privileged user you add makes the > system slightly more vulnerable to password guessing attacks. That's > what I meant when I said it expanded the attack surface. Of course, > hopefully your admins are all picking good passwords and not leaving > their SSH keys lying around. :) Making root a role and giving a user a pfexec profile that provides all privs are two different things. It is possible for example to have a user_attr entry that looks like: jimwtype=normal;roles=root;profiles=Basic Solaris User This allows jimw to su to root which requires root's password but pfexec'ing as jimw doesn't grant him additional privs. One could also configure jimw's user_attr entry to be: jimwtype=normal;profiles=File System Management,ZFS File System Management which doesn't give jimw the ability to su to root but does give some, but not all, additional privs when he pfexec's commands. -- Will Fiveash Oracle Note my new work e-mail address: will.five...@oracle.com http://opensolaris.org/os/project/kerberos/ Sent using mutt, a sweet text based e-mail app: http://www.mutt.org/ ___ opensolaris-discuss mailing list opensolaris-discuss@opensolaris.org
Re: [osol-discuss] New onnv distro naming suggestion
How about Ooboon, too? -- This message posted from opensolaris.org ___ opensolaris-discuss mailing list opensolaris-discuss@opensolaris.org
Re: [osol-discuss] root roles & security holes
On Aug 2, 2010, at 5:00 AM, Mike DeMarco wrote: >> This is a variant of the convenience argument. >> Systems with root as a >> ole require a local user account with Primary >> Administrator role. When >> I installed OpenSolaris it did the right thing and >> created such an >> account that does not depend on NIS or LDAP and is >> thus insulated from >> issues with those servers. That user account should >> only have local >> paths in the PATH and a local home directory for >> greater reliability. > > Why do you believe root should be a role? I suspect the line of thinking went something like this: - We've been telling people for a while not to log in as root. - They keep logging in as root anyway. - We'll make it so they *can't* log in as root. That'll learn 'em. ;) I'm not totally against this; in fact, root is still a role on my systems. It does lead to some unexpected consequences you have to think through if you use network authentication, is all. -- David Brodbeck System Administrator, Linguistics University of Washington ___ opensolaris-discuss mailing list opensolaris-discuss@opensolaris.org
Re: [osol-discuss] So it is true about the Media Pack
On Aug 1, 2010, at 11:35 AM, Edward Ned Harvey wrote: >> From: opensolaris-discuss-boun...@opensolaris.org [mailto:opensolaris- >> discuss-boun...@opensolaris.org] On Behalf Of Brandon Hume >> >>> Or you just pay $400/yr to have a paid license with >>> updates. >> >> I wish you'd be careful throwing around absolute numbers like that. >> That value is *your* quote. I'm happy for you that you work for a >> company that can demand such a low support cost. It must be a large >> company, or at least a big customer. > > It was a rough number. Any schmo can get that. Here's how I got that > number: > Go to http://dell.com and browse to find a server which supports solaris. > Select "No operating system." Make a note of the price. Then select the > various solaris options, and see how the price changes. I believe it's $450 > for solaris & 1yr basic support, or $1200 for 3 yrs. > > If you were quoted $1000 or more, it's for a higher level of support, or a > longer term of contract. Or else it's a ripoff. Maybe this is a situation like that with Windows -- if you buy a PC with Windows installed, you get a discount, because the PC builder has a special business relationship with Microsoft that entitles them to a discount. If you buy your own copy at retail, you pay a lot more, because Microsoft doesn't have a business relationship with you. -- David Brodbeck System Administrator, Linguistics University of Washington ___ opensolaris-discuss mailing list opensolaris-discuss@opensolaris.org
Re: [osol-discuss] root roles & security holes
Bayard Bell ha scritto:
One basic argument for converting root to a role is that logs no longer reflect
"root did it", where that's someone logged in as root–what you are now able to
determine is whodunnit exactly using a level of privilege rather than accessing an
account, which doesn't make various auditors very happy. Now, anticipating an objection,
let me acknowledge that there are places where, having eliminated direct login as root,
you can reasonably trace the terminal from which root was accessed to understand what
account was used to get to root or use something like sudo for command invocation. Among
other limitations, this breaks down in turn when you're trying to understand root
activities in a networked environment, so what you'd really want to see at that point is
role-based authorisations for network services rather than something reducible to uid==0.
This isn't to say that this is the only argument for doing this or even a comprehensive
treatment of this aspect, but it should indicate that there are some compelling if
involved arguments why the traditional Unix security model is broken. What concerns me is
not simply that this is broken and that, if this is supposed to solve the problems for
heterogenous distributed environments, there needs to be some convergence to standards
down the line. Given the kind of line coming out of the GNU community on including things
like strlcpy() in glibc, I'm not sure whether people are willing to move past pissing
contests ("not invented here" was how someone on the Debian list saw the
essence of the opposition from the Linux people on the glibc list) when it comes to
anything already implemented offered as a possible standard. That's not an argument
against work proceeding in Solaris, but it's a wariness as to how far some customers may
be able to go in uptake on new best practices–security can and will be undermined in the
long term if innovation is left for too long as a matter of competitive advantage between
Unix implementations rather than a core part of the standards.
I'm not going to defend setuid root or what have you without knowing much of
the particulars, as there are solutions for facets of this set of problems. The
general problem is managing operations requiring a piece of root that are more
efficiently managed as the privileges of a piece of software rather than a set
of users. What I would say about software that still goes down that route (and
there are variably portable or non-portable alternatives for subsets of the
problem space) is that it can and should be dropping effective privileges
except around those operations that require root. This is very well-established
stuff: see Stevens and Rago, Advanced Programming in the Unix Environment, pp.
237-241 (the first edition refers to some of the calls as pending POSIX
standardisation, so let's say that the necessarily complementary privilege
revocation techniques have been around long enough that no one should be
pleading any excuses if they need root for some operations but are keeping root
to write files in a way that would violate least privilege in context, which
sounds to be the case here without sufficient information being made available
in this forum to make a definitive judgement).
security-discuss might be a better forum for further discussion, so I've CC'ed
that list.
Cheers,
Bayard
On 30 Jul 2010, at 12:59, Mike DeMarco wrote:
Build 134:
1) Could anyone please explain why root has been converted to a role. I would
venture a guess that someone somewhere believes that it is more secure to run root
as a role. The whole "if root can not log directly into the box than someone
can not crack the root password. Well I agree that root should not be allowed to
login from the net but locking a root account out of console login relies on the
user account always being valid. and how much harder is it to hack the user then
move on to root, especially when the root password is the same as the users. Having
root as a role is causing me many problems and I am wondering if others are in
agreement or disagreement with this practice?
As for any other administrative account, having root as role is an
improvement both in term of security
(layered defense) and auditing. Anyway, if you feel uncomfortable having
this setting, you can change it
in a matter of seconds, by simply running "rolemod -K type=normal root"
2) I have noticed that when sound-juicer is started by a non-root user the
process runs as root and writes its files as root, WOW what a huge security
hole this is. To have a non-privileged user able to start and control an
application that writes files as root with root privilege to any filesystem!
Are you sure ? I'm running snv_111b, and SoundJuicer is just an
executable owned by root which can be launched by everyone:
$ ls -l /usr/bin/sound-juicer
-rwxr-xr-x 1 root bin 181860 2009-05-14 17:52 /usr/bin/so
[osol-discuss] Register now for Surge 2010
Registration for Surge Scalability Conference 2010 is open for all attendees! We have an awesome lineup of leaders from across the various communities that support highly scalable architectures, as well as the companies that implement them. Here's a small sampling from our list of speakers: John Allspaw, Etsy Theo Schlossnagle, OmniTI Rasmus Lerdorf, creator of PHP Tom Cook, Facebook Benjamin Black, fast_ip Artur Bergman, Wikia Christopher Brown, Opscode Bryan Cantrill, Joyent Baron Schwartz, Percona Paul Querna, Cloudkick Surge 2010 focuses on real case studies from production environments; the lessons learned from failure and how to re-engineer your way to a successful, highly scalable Internet architecture. The conference takes place at the Tremont Grand Historic Venue on Sept 30 and Oct 1, 2010 in Baltimore, MD. Register now to enjoy the Early Bird discount and guarantee your seat to this year's event! http://omniti.com/surge/2010/register Thanks, -- Jason Dixon OmniTI Computer Consulting, Inc. jdi...@omniti.com 443.325.1357 x.241 ___ opensolaris-discuss mailing list opensolaris-discuss@opensolaris.org
Re: [osol-discuss] Oracle clears the air on OpenSolaris, but Sparc future looks dim
Looks like ComputerWeekly was confusing OpenSolaris with Solarisx86 -- This message posted from opensolaris.org ___ opensolaris-discuss mailing list opensolaris-discuss@opensolaris.org
Re: [osol-discuss] Oracle clears the air on OpenSolaris, but Sparc future looks dim
On Sat, Jul 31, 2010 at 8:19 PM, Edward Martinez wrote: > Posting this here hoping it can be clarified? > > i wonder if this news reporter simply made and error, or was OpenSolaris > merged, with Solaris, and now solaris is the sole OS? > > quote: > "Oracle has attempted to address user concerns over its silent treatment of > OpenSolaris with its latest announcement. Dell and HP will certify and resell > the product, now called Oracle Solaris," > endquote > > > I hope this will be further addressed during Openworld. > > http://www.computerweekly.com/Articles/2010/07/30/242174/Oracle-clears-the-air-on-OpenSolaris-but-Sparc-future-looks.htm Well, in the absence of any actual announcement by Oracle as to the future of OpenSolaris, one has to regard this article as mostly in error. If, as a journalist, you haven't actually got any news, then you simply take a handful of completely independent items that aren't related to each other, throw them together in the same article at random, don't bother to check things like background, nomenclature, facts, or sources, think of a good title to make it sound interesting or controversial, draw some completely errant conclusions that are substantiated neither by the facts nor by the fictions presented by the article, and pass it off as journalism. Note that many of the individual words and sentences, even paragraphs are correct. It's the juxtaposition of items, the claimed relationships, and the conclusions erroneously drawn, that goes off into the weeds. The saddest thing is that people presumably get paid for this. (Still, at least I'm an "expert" rather than a "project manager".) On a more serious note, remember that nomenclature is confusing at best. OpenSolaris, depending on context and the knowledge of the speaker, could be one, some, or all of - a community, a codebase, a development effort, a trademark, a website, a distribution, and a commercial product (and many other things). The fact that it's referred to differently at different times or by different people or in different contexts doesn't mean that anything has actually changed. And even Solaris, which ought to have a somewhat more precise meaning, gets misused in the same way (and sometimes gets used as a shortcut to include some of the things that might be called OpenSolaris). Sun and now Oracle could never get this right, there's no point expecting journalists to do so. Sometimes I've wondered whether we need a debunking project to dissect articles like this. Mind you, it would just be a lot easier if Oracle were to actually clear the air... -- -Peter Tribble http://www.petertribble.co.uk/ - http://ptribble.blogspot.com/ ___ opensolaris-discuss mailing list opensolaris-discuss@opensolaris.org
Re: [osol-discuss] were we string along?
been there and done that with BMTS and did not get one of the coed squadrons either :) did have fun at the end with the graduation dance though ;) I have no problem with you, never know you might have been one of those crash rescue airmen that would watch us crash and burn then hose us down with the magic foam!! total respect!! I just think all others deserve the same. Take care brother-in-arms. -- This message posted from opensolaris.org ___ opensolaris-discuss mailing list opensolaris-discuss@opensolaris.org
Re: [osol-discuss] root roles & security holes
> This is a variant of the convenience argument. > Systems with root as a > ole require a local user account with Primary > Administrator role. When > I installed OpenSolaris it did the right thing and > created such an > account that does not depend on NIS or LDAP and is > thus insulated from > issues with those servers. That user account should > only have local > paths in the PATH and a local home directory for > greater reliability. If one person (or a sealed envelope in a safe, with multiple administrators) can handle it all, that may work. It is the only sure thing if root is a role (and I'd make the login directory for that account be in the root filesystem somewhere, to minimize what needed to be working for it to be used, although Solaris usually does ok with an unavailable login directory, probably thanks to having to deal with that if NFS is fouled up). But it does not scale to a few thousand servers and a dozen or two admins working as a pool across those few thousand servers. I'd hate to have to delete and create local accounts across a few thousand systems. Then we're back to a group account, and if the sealed envelope is broken, realistically the password has to be changed (by someone that probably will stay put for a long time) on all of those systems. Otherwise, that group account is a vulnerability in its own right. Come right down to it, it's hard to imagine anything that is very secure, very robust in the face of failed global services or networks, and decently maintainable. One could work around it all sorts of ways, but it's ugly. It would be nice to have a small set of accounts that were managed with a distributed naming service, but where the information was locally cacheable, refreshed at boot (and perhaps once or twice a day from cron), such that creating or deleting such an account centrally would automatically get a local copy of the changes pushed out to everything within a few hours or a day at most. Such an account might have to specify on the central service a reference to a list of systems allowed to cache the account information. Is there any reasonable way to do something like that? -- This message posted from opensolaris.org ___ opensolaris-discuss mailing list opensolaris-discuss@opensolaris.org
Re: [osol-discuss] root roles & security holes
> On Fri, Jul 30, 2010 at 03:49:57PM -0700, David > Brodbeck wrote: > > > > On Jul 30, 2010, at 3:31 PM, Scott Rotondo wrote: > > > Regarding the expansion of the attack surface, > remember that assuming the root role requires logging > in to a user account first and then providing the > root password. > > > > Well, yes and no. It's true that su requires the > root password, and sudo usually requires the password > of the user account before running commands with root > privileges. pfexec does not require any password > entry at all, so an account that's allowed to > exercise root privileges via pfexec is, from a > security standpoint, functionally equivalent to > another root account. > > No, an account that has to either use su or pfexec to > acquire root privs > is not functionally the same as a root user account. > Let's assume there > re several people that require root privs to do their > job. With a root > user account any of them could login as root and > audit records would not > be able to identify which of those people did what as > root. With RBAC > and root as a role and each admin having their own > account, audit > records would show who became root and what commands > they executed as > root. Accountability is definitely enhanced with > root as a role. > > -- > Will Fiveash > Oracle > Note my new work e-mail address: > will.five...@oracle.com > http://opensolaris.org/os/project/kerberos/ > Sent using mutt, a sweet text based e-mail app: > http://www.mutt.org/ > ___ > opensolaris-discuss mailing list > opensolaris-discuss@opensolaris.org > I believe root should be left as a non-role account. Admins that need to perform a subset of root level tasks should be authorized to do so in there account configuration through exec_attr/user_attr. Much the same way that zfs allows users to perform specific tasks through zfs allow. -- This message posted from opensolaris.org ___ opensolaris-discuss mailing list opensolaris-discuss@opensolaris.org
Re: [osol-discuss] The Illumos Project
--- On Mon, 8/2/10, Joerg Schilling wrote: > > > I think that is something very much deep inside the > community - the > > love for secrecy. > > Every project starts "in the secret". If you like to come > up with something > that looks seriously and that is working, you need to > prepare it. Even SchilliX > was not done within 3 days between June 14th and June 17th > 2005 but in the six > months before and few people did know about this. > > Eric Raymond said: "Release early and release often". He > did not say release > immediately. > > > Remember "Secret Six" - many years ago when Sun > stopped Solaris x86. > > Then OpenSolaris Pilot, then many OpenSolaris > projects, that were done secretly. > Jörg Some group name like the 'Deep Six' or 'Illuminus' (i.e. 'Illuminati')? Ref: http://www.illumos.org/projects/site/wiki/Announcement The Illumos website looks grand and it seems a well-spirited direction to foster community development and focus for an OpenSolaris-based distro. Not the 'one-person' show of many community distros where resources and funding are always constrained. The Illumos founders are a very capable group. I imagine visionary leaders like Mark Shuttleworth or Garrett D' Amore leading the pack. As they say in the movies, godspeed ~ Ken Mays P.S. Possible Illumos trailer? http://www.nick.com/videos/clip/NTV_clone_wars_trailer.html ___ opensolaris-discuss mailing list opensolaris-discuss@opensolaris.org
Re: [osol-discuss] were we string along?
I wanted initially to be in the Electronic Security Command, but that wasn't available for enlistees (prior-only), so security police was my next choice, but the recruiter told me all tech school slots were filled and I would have to wait a year! Not wanting to do that, and not wanting a desk job, he said firefighting was a criticial skill in short supply, so I took it and left for basic training a few weeks later. My luck, I was in the only all-male BMTS; all others were coed. Anyway, I hear what you're saying about the guy posting. If he wants to post, I won't complain. -- This message posted from opensolaris.org ___ opensolaris-discuss mailing list opensolaris-discuss@opensolaris.org
Re: [osol-discuss] root roles & security holes
> This is a variant of the convenience argument. > Systems with root as a > ole require a local user account with Primary > Administrator role. When > I installed OpenSolaris it did the right thing and > created such an > account that does not depend on NIS or LDAP and is > thus insulated from > issues with those servers. That user account should > only have local > paths in the PATH and a local home directory for > greater reliability. Why do you believe root should be a role? -- This message posted from opensolaris.org ___ opensolaris-discuss mailing list opensolaris-discuss@opensolaris.org
Re: [osol-discuss] root roles & security holes
> I'm in total agreement from a security aspect (recall > that OpenSolaris's > roots are in the enterprise server world and not > wide open desktop > land). I would ask you why root shouldn't be a role? > Hopefully the > nswer won't involve convenience. In making root a role you now rely on a user account to be available at all times. You can not login as the role and if the user account gets misconfigured in some way you can not login at all. User accounts are fluid they grow and get configured in different way each time you risk having the user account blow up and not be able to get back into the host to fix it other than with the LiveCD. Which means you always have to keep the LiveCD handy. Since root should be a limited use account you can and should give it a very cryptic password and keep its environment static. This ensures a level of sanity to the account and with it being static it will be left in a safe,secure and reliable state. -- This message posted from opensolaris.org ___ opensolaris-discuss mailing list opensolaris-discuss@opensolaris.org
Re: [osol-discuss] [xen-discuss] Xen EOF?
You (Pasi Kärkkäinen) wrote: > On Mon, Jul 26, 2010 at 04:35:33PM +0200, Matthias Pfützner wrote: > > > > There were 3 Xen-based solutions inside Oracle. OVM, OpenSolaris based xVM > > hypervisor, and the third, I always forget the name of... That third had > > been > > bought for the Management-GUI, AFAIK... Let's make ONE implementation good, > > and not three... Waste of engineering resources, I guess... ;-) > > > > VirtualIron. > > -- Pasi Thanks! Matthias -- Matthias Pfützner | Tel.: +49 700 PFUETZNER | Nichts ist ohne sein Lichtenbergstr.73 | mailto:matth...@pfuetzner.de | Gegenteil wahr. D-64289 Darmstadt | AIM: pfuetz, ICQ: 300967487 | Germany | http://www.pfuetzner.de/matthias/ | Martin Walser ___ opensolaris-discuss mailing list opensolaris-discuss@opensolaris.org
Re: [osol-discuss] The Illumos Project
> I think that is something very much deep inside the community - the > love for secrecy. > Remember "Secret Six" - many years ago when Sun stopped Solaris x86. > Then OpenSolaris Pilot, then many OpenSolaris projects, that were done > secretly. I do recall every bit of it and I do recall how hard time I had to explain to other people and convince them about OSOL, all these stories and fictions - they are real and exist ! Cmon! As I said to John already, if Garret is up to something thats very cool and laudable and he should properly announce his effort. He did publish some weeks ago an entry in his blog saying just wait, we all be saved and delivered - Whats that, what should we understand out of it ? That they are building a new distro ? Who they , why, how !? And why on his blog ? If he is talking about OSOL normal place would be under OSOL mailing list not on wordpress, blogspot ... In addition, if he is up to something he should first publish and set some minimal goals open to anybody *before* making a teleconference, announcing his work, project. He should gather opinions, if he wants community - for instance hosting, servers, contributions, members, names, colors etc etc... From day 0 ! I will keep quiet now, but at least thats my opinion. > It is quite hard to change people' mind and way of thinking. We (community) > will > get there (being open) eventually, but it will take quite some time. I hope, we will. stefan ___ opensolaris-discuss mailing list opensolaris-discuss@opensolaris.org
Re: [osol-discuss] The Illumos Project
Cyril Plisko wrote: > I think that is something very much deep inside the community - the > love for secrecy. Every project starts "in the secret". If you like to come up with something that looks seriously and that is working, you need to prepare it. Even SchilliX was not done within 3 days between June 14th and June 17th 2005 but in the six months before and few people did know about this. Eric Raymond said: "Release early and release often". He did not say release immediately. > Remember "Secret Six" - many years ago when Sun stopped Solaris x86. > Then OpenSolaris Pilot, then many OpenSolaris projects, that were done > secretly. At that time Sun did say we are willing to talk with six fou you (but not John Groenveld). I see no relation to the sutuation we currently have. Oracle is not talking with the community and if this did change, the OGB did announce this in public. Jörg -- EMail:jo...@schily.isdn.cs.tu-berlin.de (home) Jörg Schilling D-13353 Berlin j...@cs.tu-berlin.de(uni) joerg.schill...@fokus.fraunhofer.de (work) Blog: http://schily.blogspot.com/ URL: http://cdrecord.berlios.de/private/ ftp://ftp.berlios.de/pub/schily ___ opensolaris-discuss mailing list opensolaris-discuss@opensolaris.org
Re: [osol-discuss] The Illumos Project
Quoting Alan Hargreaves - Principal Field Technologist : [cut] get there (being open) eventually, but it will take quite some time. Maybe it's as simple as a few people getting sufficiently sick of seeing the discussion boards full of people saying "Someone should do this" and "Someone should do that"; and decided to simply do something instead of complaining that someone else should do something? Alan Hargreaves (who really has no idea what they will be announcing) And then maybe just they wouldn't like to promise something they wouldn't be able to deliver? This is difficult time to anything OpenSolaris related and if I was to put together something, I'd try to make it work first and then invite people, rather than shouting around that I'm going to build new distro and then not being able to for any reason. Regards -- Damian Wojsław This message was sent using IMP, the Internet Messaging Program. ___ opensolaris-discuss mailing list opensolaris-discuss@opensolaris.org
Re: [osol-discuss] Dell and HP to Certify and Resell all Three Oracle Operating Systems on their x86 Server Computers
Hahahaha! Yes, you are right, you did not say so. I dont really know why I posted that. I must have switched on the autopilot. There have been lots of FUD around OpenSolaris recently. Sorry for that. ;o) -- This message posted from opensolaris.org ___ opensolaris-discuss mailing list opensolaris-discuss@opensolaris.org
Re: [osol-discuss] The Illumos Project
On 08/02/10 17:20, Cyril Plisko wrote: On Mon, Aug 2, 2010 at 8:40 AM, Stefan Parvu wrote: A number of the community leaders from the OpenSolaris community have been working quietly together on a new effort called Illumos, and we're Why quietly ? Is this a secret organization or !? If you value the community why haven't you talked public *before* your project has started ? I think that is something very much deep inside the community - the love for secrecy. Remember "Secret Six" - many years ago when Sun stopped Solaris x86. Then OpenSolaris Pilot, then many OpenSolaris projects, that were done secretly. It is quite hard to change people' mind and way of thinking. We (community) will get there (being open) eventually, but it will take quite some time. Maybe it's as simple as a few people getting sufficiently sick of seeing the discussion boards full of people saying "Someone should do this" and "Someone should do that"; and decided to simply do something instead of complaining that someone else should do something? Alan Hargreaves (who really has no idea what they will be announcing) ___ opensolaris-discuss mailing list opensolaris-discuss@opensolaris.org
Re: [osol-discuss] no more news articles from me
if that is your attitude wayne then I suggest that they just close down this discussion group and be done with it. Like many people have mentioned before if you don't like the piper's tune, then don't listen to it. -- This message posted from opensolaris.org ___ opensolaris-discuss mailing list opensolaris-discuss@opensolaris.org
Re: [osol-discuss] The Illumos Project
On Mon, Aug 2, 2010 at 8:40 AM, Stefan Parvu wrote: >>A number of the community leaders from the OpenSolaris community have >>been working quietly together on a new effort called Illumos, and we're > > Why quietly ? Is this a secret organization or !? If you value the community > why > haven't you talked public *before* your project has started ? I think that is something very much deep inside the community - the love for secrecy. Remember "Secret Six" - many years ago when Sun stopped Solaris x86. Then OpenSolaris Pilot, then many OpenSolaris projects, that were done secretly. It is quite hard to change people' mind and way of thinking. We (community) will get there (being open) eventually, but it will take quite some time. -- Regards, Cyril ___ opensolaris-discuss mailing list opensolaris-discuss@opensolaris.org
Re: [osol-discuss] [xen-discuss] Xen EOF?
On Mon, Jul 26, 2010 at 04:35:33PM +0200, Matthias Pfützner wrote: > > There were 3 Xen-based solutions inside Oracle. OVM, OpenSolaris based xVM > hypervisor, and the third, I always forget the name of... That third had been > bought for the Management-GUI, AFAIK... Let's make ONE implementation good, > and not three... Waste of engineering resources, I guess... ;-) > VirtualIron. -- Pasi ___ opensolaris-discuss mailing list opensolaris-discuss@opensolaris.org
