This project proposes updates to the rbac implementation.
Release binding: minor.
This case was approved at today's PSARC meeting.
Gary..
Only authorizations seem to be explicitly addressed here. How are
executables addressed? That is the use of pfexec?
Through the profiles. There are no defaults exec attributes listed in
policy.conf.
So you're saying that the pfexec search as well as the auth
This project proposes updates to the rbac implementation.
Release binding: minor.
The current rbac implementation has several shortcomings:
The project team doesn't say why these are shortcomings.
I was having a hard time getting the motivation. Fortunately
in an
PSARC 2008/532 NWAM Phase 1
PSARC 2009/577 Network Auto-Magic (NWAM) Phase 1 Updates
+1
And see below for a code review comment.
Gary..
any of these. The Network Autoconf profile is now split into the
Network Autoconf User and Network Autoconf Admin profiles. The User
profile is
I'm sponsoring this case for Jan Friedel and the Solaris Audit project team.
It is the second phase of converting the audit service configuration to
SMF. The first phase was PSARC/2009/022 audit_startup(1m) EOL and removal.
This case was approved at today's PSARC meeting.
Gary..
I'm sponsoring this case for Jan Friedel and the Solaris Audit project team.
It is the second phase of converting the audit service configuration to
SMF. The first phase was PSARC/2009/022 audit_startup(1m) EOL and removal.
PSARC/2008/787 Obsolete of some Solaris Audit commands and
This case was approved at today's PSARC meeting.
Gary..
For some reason, this never made it to the case log or my inbox.
Sorry for the delay.
From: Richard L. Hamilton rlhamil at smart.net
To: opensolaris-arc at opensolaris.org
Subject: Re: User object audit token [PSARC/2010/001 FastTrack timeout
01/11/2010]
Date: Sat, 02 Jan 2010 05:39:59 -0800
I want to clarify the definition of the NET_ACCESS privilege as follows:
privilege NET_ACCESS
Allows a process to open a TCP, UDP or SCTP network endpoint.
This makes clear that ICMP and RAW sockets do not require more than the
NET_ICMPACCESS or NET_RAWACCESS.
+1
Gary..
--- priv_addset.3 Mon Dec 21 12:08:24 2009
+++ priv_addset.3.new Mon Dec 21 12:10:00 2009
@@ -20,6 +20,8 @@
void priv_emptyset(priv_set_t *sp);
+ void priv_basicset(priv_set_t *sp);
+
void priv_fillset(priv_set_t *sp);
void priv_freeset(priv_set_t
Darren writes:
While I think it is unfortunate we need yet another special uid/gid for
this it seems like the only workable solution (I'd already discussed
this offline with the project team). So I'm happy to given this case a
+1 as specified.
I agree with Darren, it's
I'm sponsoring the case on behalf of myself, the Audit Project Team
and the RBAC and Admin Project Team.
It requests a Patch Release Binding. However, there is no intention to
back port unless there is a business need to do so. The exposed interfaces
were never formally ARCed. They have been
At the request of the project team, this case has been superseded by
PSARC/2009/676 Validated Execution Umbrella Case.
Gary..
I've attached updated pam_krb5.5 and pam_krb5.5.diffmarked.
+1
Gary..
The final spec and man page for the pam_krb5 pkinit project
have been put into the case directory. If there are no
further objections, this case should get approved at the meeting
this week.
From message 60 of 17 Nov and not yet answered:
Gary..
==
From pkinit-final:
The
One question; should pam_krb5 doing PKINIT ever try using the password
acquired via pam_authtok_get as the PIN if pam_krb5 is stacked below
pam_authtok_get like so:
login auth required pam_unix_cred.so.1
login auth sufficient pam_krb5.so.1 pkinit
Improving ACL fabrication and making it do a better job of approximating
NFSv4 ACL, will still have the following problem:
- The user could retrieve the fabricated ACL on the client and attempt
to perform some operation only to be denied when the real ACL is
evaluated on the server.
I'm sponsoring this fast-track on behalf of Vallish Vaidyeshwara (RPE).
This case seeks minor binding.
Is this really only needed in Solaris Next? It seems OK to me
for a Patch binding if needed.
+1 for either binding.
Gary..
I am sponsoring this fast-track case for myself.
No external/ABI interfaces are changing, so there is no documentation change.
I don't see any mention of how Solaris Audit will be affected.
I've not looked at the current implementation to see how each
of the current
.
+1
Gary..
Gary Winiger wrote:
New exported interface Stability Binding
---
setnotify subcommand of svccfg(1M) Committed Patch
listnotify subcommand of svccfg(1M
I'm sponsoring this case for myself and the the Solaris Audit project team.
I believe it qualifies for self review and am marking it closed approved
automatic.
I'm happy to turn it into a fast track and set the timer if anyone believes
I've misjudged.
The case requests an obselescence
Additionally this case seems not to follow the SMF policy for
configuring properties. See
http://sac.eng.sun.com/cgi-bin/bp.cgi?NAME=SMF.bp
(there is an opensolsaris.org equivalent, but that website is
not presently responding so I can't cut a paste the url).
The submitter has updated the spec and I believe all of the issues have
been addressed. The timer expired yesterday, this case is now
approved.
I believe this is premature. In any case Darren and I discussed
things Wed afternoon and came up with a number of points.
Again
New exported interface Stability Binding
---
setnotify subcommand of svccfg(1M) Committed Patch
listnotify subcommand of svccfg(1M) Committed Patch
Rob's sent me updated materials which reflect the clarifications due
to the conversation here around privileges and the removal of
config/debug from the manpages.
I've put them in the case directory.
4.11. Security Impact:
During daemon initialization, the smtp-notify daemon will
Rob's sent me updated materials which reflect the clarifications due
to the conversation here around privileges and the removal of
config/debug from the manpages.
I've put them in the case directory.
config/rootdir
This is an astring property that defaults to /.
Gerry,
Please also refer to inline comments below.
Thanks!
--Gerry
Gary Winiger mailto:gww at eng.sun.com wrote:
Mike,
I'm working with Intel to answer your questions. Essentially we
want to provide the least amount of access possible for this daemon
to do its
The submitter has updated the spec and I believe all of the issues have
been addressed. The timer expired yesterday, this case is now
approved.
I believe this is premature. In any case Darren and I discussed
things Wed afternoon and came up with a number of points. Since he
I think this is
sufficient for now and it doesn't preclude adding module options or a
krb5.conf stanza (or even user_attr(4) name=value pairs) to control this
in the future.
Hopefully pam_eval will be a longer term way of
I want to see an updated pam_krb5(5) man page explaining how to use
PKINIT
and including the example PAM stacks for use of PKINIT.
If I understand the project correctly:
* The project wants to do different prompting than pam_authtok_get(5).
* The project proposes to
What is the Release Binding?
Minor/Patch
Which is it Minor or Patch -- they are different see
http://sac.eng/BestPractices/release_taxonomy.html
and
http://sac.eng/cgi-bin/bp.cgi?NAME=interface_taxonomy.bp
Patch implies Minor, Minor does not imply
Brian,
I little house cleaning. After this case was approved, the project
team decided to take a different approach which was submitted and
approved in PSARC 2009/566. Since the approach in 2009/352 is no
longer valid, I am marking it as withdrawn to avoid future confusion.
Wouldn't
Ted,
Note to PSARC admin folks: I may need manual
intervention to get this into the agenda.
(As far as I can tell, the tools don't support
a fasttrack using an existing case with
one-pager already in place.)
Not sure what you're asking. If you have a case that needs
an
I am the licensee.
As a licensee you should know what to do. Contact your mentor
and RTM
http://sac.eng.sun.com/arc/Processes/ARC-LicenseeDuties.html
In general it's automagic it you use the tools.
Gary..
While working out the various permutations of PAM auth stacks I've
discovered that my fasttrack was not complete in regards to new
interfaces.
At yesterday's meeting, I asked for more time through today.
Unfortuntely, I'm not going to be able to get through this
case
Garrett asked me for codereview, and in looking, I've noticed that xterm
still
supports the crufty old Tek 4014 mode, and one can actually make it work with
graph and plot (at least). So it's *conceivable* that someone is still using
this, although it would have to be nasty moldy old
I've executed and recorded 2000/517-19 for PSARC/2008/181 Hotplug Framework
to use the project private interfaces described in the prototype contract
approved in 2003/397. 2003/397 and 2008/181 have a symlink to the executed
contract.
Gary..
I didn't see any +1s on this, although the case timed out. Can I get a
member to review this?
The case states:
Approximately 2.5 years ago, we integrated the basic platmod support
for the Douglas platform (PSARC 2007/152), which is the Tadpole SPARCLE
laptop. These laptops
to get this done?
Thanks,
Mike
On Tue, 2009-10-13 at 13:29 -0700, Gary Winiger wrote:
The acpihpd is started and stopped using the standard Solaris service
management facility. The acpihpd is an smf service, and will only be
enabled on
the platforms which supports IOH/CPU
The acpihpd is started and stopped using the standard Solaris service
management facility. The acpihpd is an smf service, and will only be enabled
on
the platforms which supports IOH/CPU/memory hot plug.
How is the SMF usage policy met?
This project proposes changing the maximum value for NGROUPS_MAX
from 32 to 1024 by changing the definition of NGROUPS_UMAX from 32
to 1024.
NGROUPS_MAX as defined by different Unix versions are as follows
(http://www.j3e.de/ngroups.html):
Linux Kernel = 2.6.3
This project proposes changing the maximum value for NGROUPS_MAX
from 32 to 1024 by changing the definition of NGROUPS_UMAX from 32
to 1024.
NGROUPS_MAX as defined by different Unix versions are as follows
(http://www.j3e.de/ngroups.html):
Linux Kernel = 2.6.3
I'm sponsoring this Fast Track for Raja Gopal Andra, the RPE naming team,
and the NIS+ core team. It requests removal of all the NIS+ related
interfaces and documentation in a Minor Release. While this is somewhat
long, the case owner and project team believe it still qualifies for a
Fast
I'm sponsoring this Fast Track for Raja Gopal Andra, the RPE naming team,
and the NIS+ core team. It requests removal of all the NIS+ related
interfaces and documentation in a Minor Release. While this is somewhat
long, the case owner and project team believe it still qualifies for a
Fast Track
2) Are there any plans to enhance CUPS to distributed network printer
configuration via NIS? Or is there a replacement for this service
already present? (I guess this is what Bonjour is intended for?)
There are no plans for NIS. CUPS supports LDAP, DNS-SD, SLP, and CUPS
Browse
I've executed and recorded 2000/517-18 for PSARC/2008/725 TPM Support
to use the project private interfaces described in the prototype contract
approved in 2003/397. 2003/397 and 2008/725 have a symlink to the executed
contract.
Gary..
ATTRIBUTES
See attributes(5) for description of the following attributes:
_
| ATTRIBUTE TYPE | ATTRIBUTE VALUE |
|_|_ ___|
|
With Gary's issues clarified can someone +1 this project?
My last comment was really just a nit, so +1.
Gary..
I have placed the attached man page document in the case directory under
the materials subdirectory.
For the record from a private thread with the project team:
My primary comment on the man page and case all together is that
it's unclear what the output of call to the
gw-1 What's the administrative interface? dladm?
What's the policy for setting these properties?
Eric and I were going to resolve any issues with the policy
for these properties offline. Since the meeting I've done
the research I hadn't gotten to. dladm is
Here's updated man page with new COMMENTS section giving high level
overview of the options for daemon environment setup.
If there is a need for more specific references (to actual functions
like priv_set(3C) and such) I can add them.
Probably not, but please add privileges(5) to
I've updated the case directory in the commitment3.materials directory
with updated materials.
No such file or directory.
/net/sac.sfbay/export/sac/Archives/CaseLog/arc/PSARC/2008/181
marduk.eng-gww[200]: l
20080306_govinda.tatti@commitment2.materials/
DESCRIPTION
If the nochdir option is other than zero the working directory will
not be changed to the root directory, otherwise it will be.
Is this / or ~root?
RETURN VALUES
Upon successful completion, daemon() returns 0. Otherwise it returns -1.
What are
I'm self sponsoring this case. I believe it qualifies for self-review and
am marking it closed approved automatic. I am happy to turn it into a
fast track and set the timer if anyone believes I've misjudged.
The case requests a Patch Release Binding and an unchanged Contracted Project
Private
issues in summary. An updated spec will follow the convergence of the case.
This case was approved at today's PSARC meeting. An updated
spec will be delivered to the case tomorrow when I get the
wording straight for making mlslabel undelegatable.
Below and in
issues in summary. An updated spec will follow the convergence of the case.
This case was approved at today's PSARC meeting. An updated
spec will be delivered to the case tomorrow when I get the
wording straight for making mlslabel undelegatable.
Gary..
+ slabel=internally encoded label | none
+ This property is used with Trusted Extensions. This is
+ the internal encoding of a sensitivity label (also called
+ a hex label). (See label_to_str(3tsol), label_encodings(4),
+ hextoalabel(1M),
Well, they are static, no?
Static to a given site. The issue is that the labels themselves are
classified information for some customers - usually only the compartment
bits - and as such it would be better if we could encrypt them so that
the handling of disks that contain labels
That's why the internal format (aka hex label) is what is stored.
By official government ruling (at least from us DoD) it is
unclassified and may be view by anyone.
Does that then mean we can't allow for 'zfs get slabel' to return the
label_to_str() version ? I could live
OK then ;-) I'll be posting a summary of the issues discussed
and responses shortly so we're all on the same page.
During this case discussion a few points were raised. In order to work
towards convergence of the case the project team would like to respond to those
issues in
I'm sponsoring this case for Marek Pospisil and the Solaris Audit
project team. It requests a Minor Release Binding and an unchanged
interface taxonomy.
I believe it qualifies for self-review and have marked it closed approved
automatic. I'm happy to turn it into a fast track and set a timer if
During the implementation and code review phase of PSARC/2009/208,
a few changes to the protocol seemed to be advisable to make before
audit_remote(5) was integrated. The version number remains unchanged.
Only GSS-API functionality is supported at this time.
Additionally, IANA granted the
I'm sponsoring this Fast Track for Ric Aleshire and the Trusted Extensions
development team.
Trusted Extensions was introduced in PSARC/2002/762 Layered Trusted
Solaris with filesystem interfaces defined in the subcase
PSARC/2005/723 Solaris Trusted Extensions Filesystem Labeling
One of the
AAR, Fat fingered the case number when cleaning up the To and Cc lists.
Please reply to this mail.
Gary..
==
I'm sponsoring this Fast Track for Ric Aleshire and the Trusted Extensions
development team.
Trusted Extensions was introduced in PSARC/2002/762 Layered Trusted
Solaris with
So +1 from me. Hopefully Gary is also reviewing this and making sure
that neither Nico nor I are missing anything.
+1
Gary..
We already have a system project why not:
system.inetd
system.foo
I think Scott's concern about nesting is valid, but that's otherwise a
nice idea.
Just as we have user.root, and group.staff, system.inetd seems
the right level of nestedness.
Gary..
I have another suggestion. Seeing that /etc/project already uses
user.name and group.name, why not svc.name, where name is
derived from the service FMRI? That seems sufficient to achieve our real
Doubleplus good.
;-)
Gary..
I'm sponsoring this case for myself. It updates the PSARC/2005/259
Layered Trusted Solaris Label Interfaces str_to_label(3tsol) function.
The commitment level remains Committed. A Patch release binding is requested.
A full diff marked man page is in the case directory.
This case
I'm sponsoring this case for myself. It updates the PSARC/2005/259
Layered Trusted Solaris Label Interfaces str_to_label(3tsol) function.
The commitment level remains Committed. A Patch release binding is requested.
A full diff marked man page is in the case directory.
The timer is set for 10
Which again re-enforces that system_noshell() *is* intended to be a
replacement for system(3C).
I have not problem with providing a variant of system(3C) that is more
secure. However I'm not convinced that a new symbol - and thus changes
to existing code to use it. Is the best way to
Ok, for TIOCSTI, there are effectively three choices here.
1. maintain the current behaviour, which appears to require
PRIV_ALL
2. modify the behaviour to allow the device owner to use TIOCSTI,
when the sessions match.
3. modify the behaviour to allow the device owner
Haven't we always documented uadmin(2) as the wrong way to do that?
I suspect you looked at the page, but for the record, the language is:
This function is tightly coupled to the system
administrative procedures and is not intended for
general use.
Souldn't this be
Thanks Garrett, Peter, Seb and Gary, for your review and
the comments for the case. We'll look into the concerns
that brought up and see what we can do.
I thought Garrett derailed. Yet it still seems to have
a waiting fast-track status. Garrett, if it is derailed,
I'll also point out that the case seems (IMO), to overlap with other
tools -- nfsstat, netstat, and snoop for example in a way that I think
the statement in the materials that this doesn't compete with other
Solaris tools or technologies might not be entirely true.
So, given these
From Norm.Jacobs at sun.com Wed May 6 22:07:44 2009
Date: Thu, 07 May 2009 00:07:39 -0500
From: Norm Jacobs Norm.Jacobs at sun.com
Subject: Re: Amendments to pconsole fast-track [PSARC/2009/275 FastTrack
timeout 05/08/2009]
To: Gary Winiger gww at eng.sun.com
Cc: gww at sac.sfbay.sun.com
Explicitly copied Seb since he was case owner for libpcap.
1. For privileges(5), PRIV_NET_RAWACCESS is least required since snort
depends on
libpcap which sets NIC to RAW mode in order to monitor the flow of the box.
And the Network Management profile is necessary. From definition of
.
I'm not sure that's this case (though it would be nice if
the policy was revisited and this case dependent on that revisit),
but I'm not suggesting that be the a case requirement.
Perhaps an offline email if I've not been clear.
Thankx,
Gary..
Gary Winiger
IMO, this case should be withdrawn and the bug should be fixed.
If I'm wrong about the bug, then the case should be reintroduced
with rational as to why there isn't a bug and what the policy really
should be for TIOCSTI.
I'll give the project team a while to
Hi, Gary,
Snort does far more than just read files. It links to libpcap and can
snoop on network interfaces in real time. To do *that*, it will
require elevated privileges.
Right.
What are those elevated privileges.
For privileges, I think you mean the
property_group name='general' type='framework'
!-- to start stop snortd --
propval name='action_authorization' type='astring'
value='solaris.smf.manage.snort' /
/property_group
Don't you also want a value
/etc/security/prof_attr:
Parallel Console Access:::Connect to remote consoles with pconsole:
To whom/how is this Rights Profile granted?
Also note that a help file needs to come with the addition of
a Rights Profile. See:
After discussing with Gary Winiger I am amending the PSARC case to
include more details about security.
I'm probably being overly picky here. In my offline discussions
there seemed to be confusion about the (architectural) details.
Including that I'm not the only one
I've missed seeing the specification that pcitool will be
added to Maintenane and Repair and with what attributes.
See
http://opensolaris.org/os/community/arc/bestpractices/rbac-profiles/
for how to add to the RBAC databases.
I'm happy to coach
From gww at eng.sun.com Fri May 1 11:31:26 2009
Date: Fri, 1 May 2009 11:31:24 -0700 (PDT)
From: Gary Winiger gww at eng.sun.com
To: gww at sac.sfbay.sun.com, Erwin.Tsaur at sun.com
Subject: Re: PSARC 2009/215 PCITool Public Interrupts
Cc: Alan.Slivensky at sun.com, PSARC-ext at sun.com
Amendment 1:
The pconsole-bin binary requires elevated privilege to be useful. We
request to move the binary from the originally stated /usr/bin to
/usr/sbin, in line with where other binaries requiring privilege
usually exist.
Amendment 2:
A new execution profile and attribute will
Snort does far more than just read files. It links to libpcap and can
snoop on network interfaces in real time. To do *that*, it will
require elevated privileges.
Right.
What are those elevated privileges.
Do those come from RBAC, or is the user expected to use sudo?
From sacadmin Mon Nov 5 12:12:37 2007
Date: Mon, 5 Nov 2007 12:07:58 -0800 (PST)
From: Gary Winiger gww at eng.sun.com
To: gww at eng.sun.com, mws at zion.sfbay.sun.com
Subject: Re: PSARC 2007/064 Unified POSIX and Windows Credentials for Solaris
Cc: psarc at sac.sfbay.sun.com, arc-discuss
3.4.2 Authorization
(see http://opensolaris.org/os/community/arc/bestpractices/rbac-intro/
and
http://opensolaris.org/os/community/arc/bestpractices/rbac-profiles/
and
http://opensolaris.org/os/community/arc/bestpractices/rbac-profiles/
for details)
I am sponsoring the following case for Rob Johnston to add a -m
option to fmdump to permit administrators to retrieve the human-readable
message for a fault entry from an FMA log.
4.4. Interfaces:
The command-line options and human-readable output for fmdump(1m) are
My recollection from 2005/232 was there was a discussion
about non-standard install places. How was that resolved?
I wasn't part of that discussion back then. Not sure what that would be
about.
As the project is largely relying on that case with was about
an
From: Gary Winiger gww at sac.sfbay.sun.com
Project Description:
PCITool was previously conceived in PSARC 2005/232, but was
intended as an internal only tool. This case would make the
command line interface, pcitool, available to external customers.
My recollection
Project Description:
PCITool was previously conceived in PSARC 2005/232, but was
intended as an internal only tool. This case would make the
command line interface, pcitool, available to external customers.
My recollection from 2005/232 was there was a discussion
The timer is set for 8 Apr, 2009.
The timer having been reached, there being no outstanding issues,
there being a positive acknowledgement +1, I've updated the
spec (audit_remote.5) with diff marks and I've marked this
case as closed approved.
Gary..
The timer is set for 8 Apr, 2009.
Members as there is no meeting on 8 Apr, I'd like to confirm that
all the issues have been resolved. I believe so. I could read
Darren's posting to the case as a +1, and I'd like to ensure
I've addressed things before moving on.
Gary Winiger wrote:
This project only provides the sending side of a complete Solaris remote
audit trail solution. The receiving side will to be covered by another,
as yet, unscheduled project. The project team believes this case is
complete
without the receiving side and has
I'm self sponsoring this case. I believe it qualifies for self-review
and am marking it closed approved automatic. I'm happy to turn it
into a fast track and set the timer if anyone believes I've misjudged.
PSARC/2000/517 Thread-safe audit API introduced a number of Contracted
Project Private
I'm sponsoring this fast track for Jan Friedel and the Solaris Audit
project team. The case seeks a Patch Release Binding and a mixed
Interface Taxonomy.
Committed for the auditd interface, plugin audit_remote;
Contracted Project Private for the client-server protocol;
no change for the audit.log
5. Projects need to be aware of the overall security of the system and how
their components affect it. Which parts of this project are critical to
the security of the system to avoid such unintended consequences such
as unauthorized system entry, unauthorized access to or
? ? You could talk with the TX team.
As with all the 20Qs, there is significant value in having something
more than an open ended question that teams can't fully comprehend.
Some sort of context (checklist, description, URL, Best Practice,...)
so that the teams can say hey, that sounds
This case is now open.
+1 in the open as well as closed.
Gary..
1 - 100 of 469 matches
Mail list logo
