James Peach created TS-3103:
-------------------------------

             Summary: improve privilege elevation
                 Key: TS-3103
                 URL: https://issues.apache.org/jira/browse/TS-3103
             Project: Traffic Server
          Issue Type: Improvement
          Components: Core, Security
            Reporter: James Peach
            Assignee: Leif Hedstrom
Improve privilege elevation so that we have a single function that alters process credentials, and does it correctly. Here is the behavior I plan to implement:

1. traffic_manager runs with real root credentials, but effective credentials as given by proxy.config.admin.user_id. It will elevate back to root to perform privileged operations.

2. traffic_server is started with real root credentials, but attempts to permanently drop to an unprivileged user early in the startup process. The unprivileged user account for traffic_server is also given by proxy.config.admin.user_id. When traffic_server drops privilege, it does so permanently.

3. traffic_server may elevate privilege depending on the value of proxy.config.ssl.cert.load_elevated and proxy.config.plugin.load_elevated. This elevation will only be supported on platforms that have per-thread capabilities. traffic_server will check at startup whether to retain sufficient capabilities to allow it to elevate later. This means that the *.load_elevated configurations will not be reloadable.

4. After traffic_server drops privilege, we will continue to abort with a fatal error if the real or effective user ID is root. This behavior can be avoided by defining BIG_SECURITY_HOLE=1 at build time.

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
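As an added example (not code from the issue or from Traffic Server), here is the permanent-drop step of item 2 together with the post-drop check of item 4, written in C for Linux; the function names and the fallback target id 65534 are assumptions, and a real deployment would resolve proxy.config.admin.user_id instead.

```c
/* Added example, not Traffic Server code: one function that drops credentials permanently. */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <sys/types.h>
#include <unistd.h>
/* Prototypes for the non-POSIX calls, in case _GNU_SOURCE was not seen before <unistd.h>. */
int setresuid(uid_t, uid_t, uid_t);  int setresgid(gid_t, gid_t, gid_t);
int getresuid(uid_t *, uid_t *, uid_t *);  int getresgid(gid_t *, gid_t *, gid_t *);

/* Demo target ids (assumption): a deployment would resolve proxy.config.admin.user_id with
 * getpwnam(); here 65534 ("nobody" on most systems) is used only when we really are root,
 * otherwise the current ids, so the drop is a no-op that can still be verified. */
uid_t unprivileged_uid(void) { return geteuid() == 0 ? (uid_t)65534 : getuid(); }
gid_t unprivileged_gid(void) { return geteuid() == 0 ? (gid_t)65534 : getgid(); }

/* Permanently drop to uid/gid: real, effective AND saved ids change, so no later
 * seteuid(0) can bring root back. Returns 0 on success, -1 with errno set. */
int drop_privileges_permanently(uid_t uid, gid_t gid)
{
    uid_t ru, eu, su;
    gid_t rg, eg, sg;
    if (uid == 0 || gid == 0) { errno = EINVAL; return -1; }  /* a "drop" to root is a bug */
    /* Supplementary groups and gid first, while CAP_SETGID is still held; the uid
     * drop comes last because after it group ids could no longer be changed. */
    if (geteuid() == 0 && setgroups(1, &gid) != 0) return -1;
    if (setresgid(gid, gid, gid) != 0) return -1;
    if (setresuid(uid, uid, uid) != 0) return -1;
    /* Read the ids back: a partial drop must be treated as failure, not a warning. */
    if (getresuid(&ru, &eu, &su) != 0 || getresgid(&rg, &eg, &sg) != 0) return -1;
    if (ru != uid || eu != uid || su != uid || rg != gid || eg != gid || sg != gid) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

/* The post-drop check from item 4 of the issue: 1 only if no uid is root and root
 * cannot be regained (setuid(0) must now fail with EPERM), otherwise 0. */
int privileges_are_dropped(void)
{
    uid_t ru, eu, su;
    if (getresuid(&ru, &eu, &su) != 0) return 0;
    if (ru == 0 || eu == 0 || su == 0) return 0;
    return (setuid(0) == -1 && errno == EPERM) ? 1 : 0;
}
```

A traffic_server-style startup would call drop_privileges_permanently() early and treat a 0 from privileges_are_dropped() as the fatal error of item 4.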