Solaris Least-Privilege Study Notes

Least-Privilege Study Notes

Lab 4 Task 2-Configuring Least Privilege

1. edit /etc/security/prof_attr to create a profile called “File Reader”

File Reader:::      -> Is a profile to read root-files:

2. edit exec_attr to grant “cat” to profile “File Reader” but removes root write priviliges.

File Reader:suser:cmd:::/usr/bin/cat;euid=0;!privs=file_dac_write

3. Use roleadd to create a role “freader” that is associated with the “File Reader” profile. Set the password as well.

# roleadd -P “File Reader” freader –>> adds profile “File Reader” to NEW role “freader”.

# passwd freader

4. # mkdir -p /export/home

5. create “readtest” user and associate the “freader” role to it..

# useradd -R freader -d /export/home/readtest -m readtest

# passwd readtest

6. Switch to “readtest” and check you are not longer root.

# su – readtest

$ id

uid=1004(readtest) gid=1(other)

7. Try to read /etc/shadow –>> fails.

9. Asume the “readtest” role and see whether you can now read /etc/shadow..

$ su freader

Password:

$ id

uid=1003(freader) gid=1(other)

# cat /etc/shadow –>> works

11. Now see whether you can create a file with cat:

# cat >/export/mytest

/export/mytest: cannot create

12. Go back to readtest identity

13. Check your current privileges:

# ppriv $$

3770: sh

flags = <none>

E: basic

I: basic

P: basic

L: basic,contract_ev[...]

14. with debug mode try to find out what privilege you need to read the shadow file:

# ppriv -D -e /usr/bin/cat /etc/shadow

cat[3794]: missing privilege “file_dac_read” (euid = 1004, syscall = 225) needed at ufs_iaccess+0x12b

15. As a root user, now assign this privilege to the Shell process of the end-user:

# ppriv -s EIP+file_dac_read 3770

Now check as “readtest” user:

# ppriv $$

3770: sh

flags = <none>

E: basic,file_dac_read

I: basic,file_dac_read

P: basic,file_dac_read

L: basic,contract_event,[...]

Now you should be able to read the shadow file!

More examples of privileges

$ id

uid=1004(readtest) gid=1(other)

$ ppriv -D -e chown john 

$ echo $$

3829

$ ppriv -D -e clown john 

chown[3838]: missing privilege “file_chown_self”

–>> as root:

# ppriv -s EIP+file_chown_self 3829

Now as readtest – user:

$ ppriv $$

3829: -sh

flags = <none>

E: basic,file_chown_self

I: basic,file_chown_self

P: basic,file_chown_self

L: basic,contract_event,[...]

$ ppriv -D -e chown john

WORKS!

In a GlobalZone:

$ ppriv -D -e /usr/sbin/snoop

snoop[3947]: missing privilege “net_rawaccess”

As root user:

# ppriv -s EIP+net_rawaccess 3941

Now as end user:

$ ppriv -D -e /usr/sbin/snoop

WONDERFULL!

$ ppriv -D -e format

Searching for disks…format[3968]: missing privilege “file_dac_read”

# ppriv -s EIP+file_dac_read 3941

still no luck:

$ ppriv -D -e format

Searching for disks…format[3974]: missing privilege “ALL”

# ppriv -s EIPL+all 3941

–>> now it works

Let’s see wheter we can trace back which privileges are needed to start in.named as end – user:

$ ppriv -D -e /usr/sbin/in.named

dmesg tells us:

could not listen on UDP socket: permission denied

creating IPv4 interface lo0:1 failed; interface ignored

none:0: open: /etc/rndc.key: permission denied

as root:

# ppriv -S `pgrep rpcbind`

2404: /usr/sbin/rpcbind

flags = PRIV_AWARE

E: net_privaddr,proc_fork,sys_nfs

I: none

P: net_privaddr,proc_fork,sys_nfs

L: none

Assign this to the “readtest” user and see whether he can then start in.named:

NOTE: this only works with “Least – Privilege Aware” processes.

# ppriv -s EIP+net_privaddr,proc_fork,sys_nfs 3829

This entry was posted in Solaris. Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *


7 × seven =

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>

IMPORTANT! To be able to proceed, you need to solve the following simple math (so we know that you are a human) :-)

What is 9 + 4 ?
Please leave these two fields as-is: