Least-Privilege Study Notes
Lab 4 Task 2 - Configuring Least Privilege
1. Edit /etc/security/prof_attr to create a profile called "File Reader" (format profname:res1:res2:desc:attr; the description is the fourth field):
File Reader:::Is a profile to read root files:
2. Edit /etc/security/exec_attr to grant "cat" to the profile "File Reader" with euid 0 but without root's write override (format name:policy:type:res1:res2:id:attr; privs= is only honoured under the solaris policy, and a privilege is dropped with set notation such as all,!file_dac_write):
File Reader:solaris:cmd:::/usr/bin/cat:euid=0;privs=all,!file_dac_write
(The lab handout recorded this entry as "File Reader:suser:cmd:::/usr/bin/cat;euid=0;!privs=file_dac_write", which has only six colon-separated fields, uses a !privs= key that exec_attr does not define, and puts the privilege keyword under suser, where it is ignored.)
3. Use roleadd to create a role "freader" associated with the "File Reader" profile, and set its password:
# roleadd -P "File Reader" freader    -> adds the profile "File Reader" to the NEW role "freader"
# passwd freader
4. # mkdir -p /export/home
5. Create the "readtest" user and assign it the "freader" role:
# useradd -R freader -d /export/home/readtest -m readtest
# passwd readtest
6. Switch to "readtest" and check that you are no longer root:
# su - readtest
$ id
uid=1004(readtest) gid=1(other)
7. Try to read /etc/shadow -> fails (the file is mode 0400 and owned by root, and readtest has no DAC override privilege).
9. Assume the "freader" role and see whether you can now read /etc/shadow:
$ su freader
Password:
$ id
uid=1003(freader) gid=1(other)
# cat /etc/shadow -> works (the role's profile shell runs cat with the euid 0 granted in exec_attr)
11. Now see whether you can create a file with cat:
# cat >/export/mytest
/export/mytest: cannot create
12. Go back to the readtest identity (leave the role shell).
13. Check your current privileges:
$ ppriv $$
3770: sh
flags = <none>
E: basic
I: basic
P: basic
L: basic,contract_ev[…]
14. With debug mode (ppriv -D), find out which privilege you need to read the shadow file:
$ ppriv -D -e /usr/bin/cat /etc/shadow
cat[3794]: missing privilege "file_dac_read" (euid = 1004, syscall = 225) needed at ufs_iaccess+0x12b
15. As root (from another terminal), assign this privilege to the end user's shell process (pid 3770 from step 13). EIP+ adds it to the Effective, Inheritable and Permitted sets; the Limit set bounds what can be added, and the change lasts only as long as that process lives:
# ppriv -s EIP+file_dac_read 3770
Now check as the "readtest" user:
$ ppriv $$
3770: sh
flags = <none>
E: basic,file_dac_read
I: basic,file_dac_read
P: basic,file_dac_read
L: basic,contract_event,[…]
Now you should be able to read the shadow file, and so will every child of that shell, because the privilege is in its Inheritable set.
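The prof_attr and exec_attr entries from steps 1 and 2 are easy to get wrong: the field separators, the policy, and the privilege-set syntax all fail silently on a live system. The following is an added shell example, not part of the lab or of Solaris, that checks exec_attr entries against prof_attr using the field layouts from the exec_attr(4) and prof_attr(4) man pages. The sample entries, including a deliberately malformed one that copies the separators of the lab's original line and a "Ghost Profile" with no prof_attr entry, are constructed for illustration.

```shell
#!/bin/sh
# Added example (not part of the lab): sanity-check exec_attr(4) entries before
# relying on them. Input is constructed inline; on a Solaris 10 host you would
# pass the contents of /etc/security/prof_attr and /etc/security/exec_attr.
# Field layout from the man pages:
#   prof_attr:  profname:res1:res2:desc:attr            (5 fields)
#   exec_attr:  name:policy:type:res1:res2:id:attr      (7 fields)
# privs= and limitprivs= are honoured by the solaris policy only.

# Constructed prof_attr fragment.
PROF_ATTR='File Reader:::Is a profile to read root files:
Basic Solaris User:::Automatically assigned rights:auths=solaris.profmgr.read'

# Constructed exec_attr fragment: one correct entry, a privs= under suser,
# an entry for a profile that does not exist, and a line with a ';' where the
# ':' between id and attr belongs (the shape of the lab handout's original).
EXEC_ATTR='File Reader:solaris:cmd:::/usr/bin/cat:euid=0;privs=all,!file_dac_write
File Reader:suser:cmd:::/usr/bin/cat:euid=0;privs=all,!file_dac_write
Ghost Profile:solaris:cmd:::/usr/bin/ls:privs=basic
File Reader:suser:cmd:::/usr/bin/cat;euid=0;!privs=file_dac_write'

# check_exec_attr PROF_ATTR_TEXT EXEC_ATTR_TEXT
# One line per exec_attr entry: "OK <profile> <id>" or "WARN <reason> ...".
check_exec_attr() {
    profs=$1
    printf '%s\n' "$2" | while IFS= read -r line; do
        [ -z "$line" ] && continue
        nf=$(printf '%s\n' "$line" | awk -F: '{ print NF }')
        if [ "$nf" -ne 7 ]; then
            # most often a ';' typed where the ':' between id and attr should be
            printf 'WARN bad-field-count(%s) %s\n' "$nf" "$line"
            continue
        fi
        name=$(printf '%s\n' "$line" | cut -d: -f1)
        policy=$(printf '%s\n' "$line" | cut -d: -f2)
        id=$(printf '%s\n' "$line" | cut -d: -f6)
        attr=$(printf '%s\n' "$line" | cut -d: -f7)
        # every exec_attr entry must hang off a profile defined in prof_attr
        if ! printf '%s\n' "$profs" | grep -q "^$name:"; then
            printf 'WARN no-such-profile %s %s\n' "$name" "$id"
            continue
        fi
        case $policy in
            solaris) ;;
            suser)
                # suser ignores privilege keywords, so the intended restriction
                # would never be applied
                case $attr in
                    *privs=*) printf 'WARN privs-ignored-under-suser %s %s\n' "$name" "$id"
                              continue ;;
                esac ;;
            *)  printf 'WARN unknown-policy %s %s %s\n' "$policy" "$name" "$id"
                continue ;;
        esac
        printf 'OK %s %s\n' "$name" "$id"
    done
}

check_exec_attr "$PROF_ATTR" "$EXEC_ATTR"
```

Only the first entry passes; the other three each trip a different check, which is the order of problems you would also hit by hand: wrong field count first, then an undefined profile, then a privilege keyword the chosen policy ignores.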
More examples of privileges
$ id
uid=1004(readtest) gid=1(other)
$ echo $$
3829
$ ppriv -D -e chown john
chown[3838]: missing privilege "file_chown_self"
(chown also needs a file operand; it is omitted here)
-> as root:
# ppriv -s EIP+file_chown_self 3829
Now as the readtest user:
$ ppriv $$
3829: -sh
flags = <none>
E: basic,file_chown_self
I: basic,file_chown_self
P: basic,file_chown_self
L: basic,contract_event,[…]
$ ppriv -D -e chown john
-> works
In the global zone:
$ ppriv -D -e /usr/sbin/snoop
snoop[3947]: missing privilege "net_rawaccess"
As root (3941 is the pid of the end user's current shell):
# ppriv -s EIP+net_rawaccess 3941
Now as the end user:
$ ppriv -D -e /usr/sbin/snoop
-> works. snoop needs net_rawaccess to read raw packets from the network device; that privilege is not in a non-global zone's limit set by default, which is why this is tried in the global zone.
$ ppriv -D -e format
Searching for disks...format[3968]: missing privilege "file_dac_read"
# ppriv -s EIP+file_dac_read 3941
Still no luck:
$ ppriv -D -e format
Searching for disks...format[3974]: missing privilege "ALL"
# ppriv -s EIPL+all 3941
-> now it works. "ALL" means the command demands the full privilege set. The limit set of a running process cannot be raised, but a normal login shell's L already holds every privilege (the truncated L: lines above), so the part of this command that matters is EIP+all: from this shell the user is now root-equivalent, which is the opposite of least privilege.
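The loop just repeated for cat, chown, snoop and format (run the command under ppriv -D, read the "missing privilege" line, have root add that privilege to the shell with ppriv -s, retry) can be scripted. The following is an added example, not part of the lab: it parses ppriv -D diagnostics, drops duplicates, checks each privilege against the target shell's limit set parsed from ppriv $$ output, and prints the ppriv -s command root would run. The diagnostics, the shortened L: line and the sys_mount entry (a privilege outside the sample limit set) are constructed for the example; nothing is executed against a live process.

```shell
#!/bin/sh
# Added example (not part of the lab): build the "ppriv -s" grant from the
# diagnostics that "ppriv -D -e <cmd>" prints, and refuse privileges that the
# target shell's limit set (L) does not contain, since E, I and P can never
# exceed L. All input below is constructed; on a live Solaris 10 host you would
# feed in real ppriv output and run the printed command as root.

# Constructed: diagnostics collected while debugging several commands from one
# shell; the formats mirror the lines recorded in the notes. sys_mount is made
# up here to show a privilege outside L.
DEBUG_OUT='snoop[3947]: missing privilege "net_rawaccess"
Searching for disks...format[3968]: missing privilege "file_dac_read"
cat[3794]: missing privilege "file_dac_read" (euid = 1004, syscall = 225) needed at ufs_iaccess+0x12b
mount[4001]: missing privilege "sys_mount"'

# Constructed: the "ppriv $$" output of the target shell, with L cut down to a
# few names (a real login shell lists the full set).
PPRIV_OUT='3941: -sh
flags = <none>
E: basic
I: basic
P: basic
L: basic,contract_event,file_dac_read,net_rawaccess,proc_fork'

# missing_privs DEBUG_TEXT -> the privilege names, de-duplicated, first seen first
missing_privs() {
    printf '%s\n' "$1" |
        sed -n 's/.*missing privilege "\([A-Za-z_]*\)".*/\1/p' |
        awk '!seen[$0]++'
}

# limit_set PPRIV_TEXT -> the names in the L: line, one per line
limit_set() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*L: *//p' | tr ',' '\n'
}

# grant_cmd PID DEBUG_TEXT PPRIV_TEXT
# Prints "SKIP <priv> not in limit set" for anything L would block, then the
# single "ppriv -s EIP+<privs> <pid>" line root would run for the rest.
grant_cmd() {
    pid=$1
    lim=$(limit_set "$3")
    want=""
    for p in $(missing_privs "$2"); do
        # "ALL" means the command insists on the full set (format does this):
        # granting it makes the shell root-equivalent, so report it on its own.
        if [ "$p" = ALL ]; then
            printf 'ppriv -s EIP+all %s\n' "$pid"
            return 0
        fi
        if printf '%s\n' "$lim" | grep -qx "$p"; then
            want="${want:+$want,}$p"
        else
            printf 'SKIP %s not in limit set\n' "$p"
        fi
    done
    if [ -n "$want" ]; then
        printf 'ppriv -s EIP+%s %s\n' "$want" "$pid"
    fi
}

grant_cmd 3941 "$DEBUG_OUT" "$PPRIV_OUT"
```

Run against the sample, it prints the SKIP line for sys_mount and then `ppriv -s EIP+net_rawaccess,file_dac_read 3941`; feeding it the format diagnostic alone yields `ppriv -s EIP+all 3941`, which is the point at which to stop and ask whether the command should be run by this user at all.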
Let's see whether we can trace back which privileges are needed to start in.named as the end user:
$ ppriv -D -e /usr/sbin/in.named
dmesg tells us:
could not listen on UDP socket: permission denied
creating IPv4 interface lo0:1 failed; interface ignored
none:0: open: /etc/rndc.key: permission denied
As root, look at the privileges a comparable privilege-aware daemon (rpcbind) runs with:
# ppriv -S `pgrep rpcbind`
2404: /usr/sbin/rpcbind
flags = PRIV_AWARE
E: net_privaddr,proc_fork,sys_nfs
I: none
P: net_privaddr,proc_fork,sys_nfs
L: none
Assign these to the "readtest" shell and see whether the user can then start in.named. Binding UDP port 53 (below 1024) needs net_privaddr, but the failure to open /etc/rndc.key is a plain DAC denial that none of these three privileges covers.
NOTE: this only works with least-privilege-aware processes.
# ppriv -s EIP+net_privaddr,proc_fork,sys_nfs 3829