Solaris pfexec commands compare strange, did not thoroughly understand how to use, look at the original is a new set of rights management system, more fine-grained control over user permissions.
The development of one of the main reasons is the use of this system, you can cancel the OS comes with a command resets the suid bit. For example, to test user perform/usr/bin/sh, permission is uid = 0euid = 0, then we can use the following control strategy: Add in/etc/user_attr: test:::: type = normal; auths = solaris. *, solaris.grant; profiles = Add ATestProile in/etc/security/exec_attr: ATestProfile: suser: cmd:::/usr/bin/sh: uid = 0 euid = 0 these two changes mean: user Profile of equals test, Profile for ATestProfile ATestProfile users execute command to use suid/usr/bin/sh (suser is in this sense), and uid = 0euid = 0. One such command/usr/bin/sh can use wildcards such as * so that we can use the $ id: bash-2.03 uid = 1022 (test) gid = 1 (oter) bash-2.03 $ pfexec/usr/bin/s # id uid = 0 (root) gid = 1 (oter) # this controls the test user perform/usr/bin/sh program permissions. This mechanism is very flexible. But the system default Profile permissions system some issues, such as: bash-2.03 $ catexec_attr All: suser: cmd::: *: AuditControl: suser: cmd:::/etc/init.d/audit: euid = 0; egid = 3 AuditControl: suser: cmd:::/etc/security/bsmconv: uid = 0 AuditControl: suser: cmd:::/etc/security/bsmunconv: uid = 0 AuditControl: suser: cmd:::/usr/sbin/audit: euid = 0 AuditControl: suser: cmd:::/usr/sbin/auditconfig: euid = 0 AuditControl: suser: cmd:::/usr/sbin/auditd: uid = 0 AuditReview: suser: cmd:::/usr/sbin/auditreduce: euid = 0 AuditReview: suser: cmd:::/usr/sbin/praudit: euid = 0 AuditReview: suser: cmd:::/usr/sbin/auditstat: euid = 0 see Profile for the user can use AuditControl uid = 0 perform/etc/security/bsmconv commands, but the command is a shell program, internal use relative path to the command invocation: .... PROG=bsmconv STARTUP=/etc/security/audit_startup DEVALLOC=/etc/security/device_allocate DEVMAPS=/etc/security/device_maps TEXTDOMAIN="SUNW_OST_OSCMD" exportTEXTDOMAIN permission() { WHO=`id|cut-f1-d""`# <-----------看看这里 if[!"> $WHO"="uid=0(root)"] ten form=`gettext"%s:ERROR:youmustbesuper-usertorunthisscript." ` printf"${form}\n"$PROG exit1 i ......... If you register as a user's Profile, then this user AuditControl can be achieved through this security vulnerability root permissions. But the good news is that the system default in only one row, user_attr root:::: type = normal; auths = solaris. *, solaris.grant; profiles = All Profile as a system administrator to manage the permissions system does provide a lot of convenient size. None of the above test in Solaris8. Solaris9 still use the sleeve system.
No comments:
Post a Comment