Whenever a Solaris Zone is installed, Solaris assigns it a set of privileges that governs activities affecting the system as a whole, that is, the zone itself as well as the other zones. Solaris classifies the available privileges as
1. Default Privileges
2. Optional Privileges
3. Prohibited Privileges
- Default Privileges - assigned to every zone during installation
Example: file_chown
Allows a process to change a file's owner user ID.
Allows a process to change a file's group ID to one other than the process' effective group ID or one of the process' supplemental group IDs.
- Optional Privileges - must be assigned manually, using the limitpriv property of the zone
Example: sys_time
Allows a process to manipulate system time using any of the appropriate system calls: stime, adjtime, ntp_adjtime and the IA specific RTC calls.
Why is it optional?
A system with non-global zones shares one kernel among all zones (the global zone as well as every configured non-global zone). As a result there is only one date/time for the entire system, and it is normally controlled by the global zone only. By default the privilege to change the date and time is not available inside a non-global zone, so the NTP service there will fail to adjust the time.
The default configuration for non-global zones assumes that time synchronization is done in the global zone and that there is no need to adjust the system time from inside a non-global zone.
If the administrator of a non-global zone is able to change the system time, the change affects all running zones (including the global zone), which may be considered a security risk.
How to assign an optional privilege to a zone
global-zone# zonecfg -z myzone info limitpriv
limitpriv:
global-zone# zonecfg -z myzone set limitpriv="default,sys_time"
global-zone# zoneadm -z myzone reboot
Once the sys_time privilege is available in the non-global zone you can continue to set up NTP as usual, i.e. configure the /etc/inet/ntp.conf file and enable the ntp service.
- Prohibited Privileges - which currently cannot be assigned to a non-global zone
global-zone# ppriv -lv myzone
contract_event
Allows a process to request critical events without limitation.
Allows a process to request reliable delivery of all events on
any event queue.
contract_observer
Allows a process to observe contract events generated by
contracts created and owned by users other than the process's
effective user ID.
Allows a process to open contract event endpoints belonging to
contracts created and owned by users other than the process's
effective user ID.
file_chown
Allows a process to change a file's owner user ID.
Allows a process to change a file's group ID to one other than
the process' effective group ID or one of the process'
supplemental group IDs.
-------------------------- SNIP ---------------------------------
| Privilege | Status | Notes |
|---|---|---|
| cpc_cpu | Optional | Access to certain cpc(3CPC) counters |
| dtrace_proc | Optional | fasttrap and pid providers; plockstat(1M) |
| dtrace_user | Optional | profile and syscall providers |
| graphics_access | Optional | ioctl(2) access to agpgart_io(7I) |
| graphics_map | Optional | mmap(2) access to agpgart_io(7I) |
| net_rawaccess | Optional in shared-IP zones; Default in exclusive-IP zones | Raw PF_INET/PF_INET6 packet access |
| proc_clock_highres | Optional | Use of high resolution timers |
| proc_priocntl | Optional | Scheduling control; priocntl(1) |
| sys_ipc_config | Optional | Raising IPC message queue buffer size |
| sys_time | Optional | System time manipulation; xntp(1M) |
| dtrace_kernel | Prohibited | Currently unsupported |
| proc_zone | Prohibited | Currently unsupported |
| sys_config | Prohibited | Currently unsupported |
| sys_devices | Prohibited | Currently unsupported |
| sys_linkdir | Prohibited | Currently unsupported |
| sys_net_config | Prohibited | Currently unsupported |
| sys_res_config | Prohibited | Currently unsupported |
| sys_suser_compat | Prohibited | Currently unsupported |
| proc_exec | Required, Default | Used to start init(1M) |
| proc_fork | Required, Default | Used to start init(1M) |
| sys_mount | Required, Default | Needed to mount required file systems |
| sys_ip_config | Required, Default in exclusive-IP zones; Prohibited in shared-IP zones | Required to boot the zone and initialize IP networking in an exclusive-IP zone |
| contract_event | Default | Used by contract file system |
| contract_observer | Default | Contract observation regardless of UID |
| file_chown | Default | File ownership changes |
| file_chown_self | Default | Owner/group changes for own files |
| file_dac_execute | Default | Execute access regardless of mode/ACL |
| file_dac_read | Default | Read access regardless of mode/ACL |
| file_dac_search | Default | Search access regardless of mode/ACL |
| file_dac_write | Default | Write access regardless of mode/ACL |
| file_link_any | Default | Link access regardless of owner |
| file_owner | Default | Other access regardless of owner |
| file_setid | Default | Permission changes for setid, setgid, setuid files |
| ipc_dac_read | Default | IPC read access regardless of mode |
| ipc_dac_owner | Default | IPC write access regardless of mode |
| ipc_owner | Default | IPC other access regardless of mode |
| net_icmpaccess | Default | ICMP packet access: ping(1M) |
| net_privaddr | Default | Binding to privileged ports |
| proc_audit | Default | Generation of audit records |
| proc_chroot | Default | Changing of root directory |
| proc_info | Default | Process examination |
| proc_lock_memory | Default | Locking memory; shmctl(2) and mlock(3C). If this privilege is assigned to a non-global zone by the system administrator, consider also setting the zone.max-locked-memory resource control to prevent the zone from locking all memory. |
| proc_owner | Default | Process control regardless of owner |
| proc_session | Default | Process control regardless of session |
| proc_setid | Default | Setting of user/group IDs at will |
| proc_taskid | Default | Assigning of task IDs to caller |
| sys_acct | Default | Management of accounting |
| sys_admin | Default | Simple system administration tasks |
| sys_audit | Default | Management of auditing |
| sys_nfs | Default | NFS client support |
| sys_resource | Default | Resource limit manipulation |
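Because limitpriv accepts the value as a free-form string, a typo or a copy-pasted prohibited privilege is only caught when zonecfg or the zone boot fails. The function below is an added example, not part of the original post or of Solaris itself: it audits a proposed limitpriv value against the status table above before it is handed to zonecfg, rejecting prohibited privileges and removals of required ones, and warning about optional ones (such as sys_time) whose effect reaches beyond the zone. The privilege sets are constructed from the table; sys_ip_config, whose status depends on the zone's ip-type, is deliberately not modelled, and only the "default" keyword is recognised.

```shell
#!/bin/sh
# Added example: audit a limitpriv string against the privilege status table.
# Sets below are constructed from the table; sys_ip_config is omitted because
# its status depends on ip-type. Exit status 0 = acceptable, 1 = reject.

PROHIBITED="dtrace_kernel proc_zone sys_config sys_devices sys_linkdir sys_net_config sys_res_config sys_suser_compat"
REQUIRED="proc_exec proc_fork sys_mount"
OPTIONAL="cpc_cpu dtrace_proc dtrace_user graphics_access graphics_map net_rawaccess proc_clock_highres proc_priocntl sys_ipc_config sys_time"

# in_set NAME "SET": succeed when NAME is one of the space-separated words.
in_set() {
    case " $2 " in *" $1 "*) return 0 ;; esac
    return 1
}

# check_limitpriv "default,sys_time": validate one comma-separated value.
check_limitpriv() {
    rc=0
    oldifs=$IFS
    IFS=','
    set -- $1                 # split the value on commas only
    IFS=$oldifs
    for tok in "$@"; do
        case "$tok" in
            ""|default) ;;    # empty field or the "default" set keyword
            '!'*|-*)          # "!priv" / "-priv" removes priv from the set
                name=${tok#?}
                if in_set "$name" "$REQUIRED"; then
                    echo "reject: $name is required to boot the zone" >&2
                    rc=1
                fi ;;
            *)
                if in_set "$tok" "$PROHIBITED"; then
                    echo "reject: $tok is prohibited in non-global zones" >&2
                    rc=1
                elif in_set "$tok" "$OPTIONAL"; then
                    echo "warning: $tok is optional; it affects the whole system, not just this zone" >&2
                fi ;;
        esac
    done
    return $rc
}

# Usage, mirroring the zonecfg step above (myzone is a placeholder name):
#   check_limitpriv "default,sys_time" && zonecfg -z myzone set limitpriv="default,sys_time"
```

Run the check in the global zone before the zonecfg/zoneadm steps; a non-zero exit means the value would either be refused or strip a privilege the zone needs to boot.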