Today (Saturday) We will make some minor tuning adjustments to MySQL.

You may experience 2 up to 10 seconds "glitch time" when we restart MySQL. We expect to make these adjustments around 1AM Eastern Daylight Saving Time (EDT) US.


Assigning proc_owner privilege to particular user in RBAC


Login or Register to Reply

 
Thread Tools Search this Thread
# 1  
Assigning proc_owner privilege to particular user in RBAC

Hi

I need to assign proc_owner privilege to particular user through RBAC. How can I assign this privilege to user, I need help on this.
Further I need to understand if I give this proc_owner privilege to particular user, what kind of control user will get on other user or system processes which are not owned by him. What are the risks involved if we assign this privilege to user.

Regards

Last edited by hicksd8; 4 Weeks Ago at 02:50 PM.. Reason: improve readability
# 2  
Quote:
The file_chown_self and proc_owner privileges are subject to privilege escalation. The file_chown_self privilege allows a process to give away its files. The proc_owner privilege allows a process to inspect processes that the process does not own.
So the answer is: user can see all of the other processes & information & open files, etc. == yes
From: Privileges - Oracle Solaris Administration: Security Services

So, I would guess you do not want that. If in fact you do need it I'll dredge up some help. I have not even looked at this for about 3+ years....
# 3  
Hi

Thanks for your input. Yes I need help in assigning this proc_owner privilege to user along with command. I would ne nice if you can provide help on this . Further I need to understand that whether user will only get the read access or it will also have write access to kill the process or get the power to switch the process id to uid 0. Further when I am going through the link provide by you, which said that "You should have overriding security reasons for placing such powerful privilege in the inheritable set of privileges for any user,role" . Will it create any security risk if this privilege is giving only read access to all the processes in the system.
# 4  
Short answer to risk: yes. Not secure. That privilege means your power user reads the entire command line for ANY process, sometimes privileged processes get started something like this:
Code:
/path/to/foobar  jon/password

The power user can get environment variables inside the process with pargs -e, so if the secure user has a password embedded in an environment variable the power user can see it.
That power user may under some circumstances also read some of the /proc files for other processes.

Sounds like a security problem to me. You will have to be certain that nowhere are there system scripts that require passwords passed to them or have them in a login variable or an envirionment variable, for example.

This privilege would be good on a development machine, not so good on a production box.

How to assign and un-assign
Turn off for user
Code:
usermod -K 'defaultpriv=basic,!proc_info' user

Turn on for user:
Code:
usermod -K 'defaultpriv=basic,proc_info' user

The difference is just a single ! character
This User Gave Thanks to jim mcnamara For This Post:
# 5  
Hi Jim

Thanks for your input along with commands. I was looking for proc_owner priviledge to be given to user but you have given proc_info to user instead of proc_owner.

Could you let me know how proc_info differ from proc_owner in term of security if I only want to give the read permission to user to see the process of system and other users
# 6  
Quote:
The proc_owner privilege allows a process to inspect processes that the process does not own.
This is subject to privilege escalation - meaning it allows changes to some security settings for the process with proc_owner.

Privilege escalation - Wikipedia

That includes all of the information in /proc for a process, including for system processes.

May I ask what you are trying to accomplish? Sounds like you are trying to set up interactive users to monitor something.
# 7  
Hi Jim

Its a new setup where app team need to monitor the processes running by different app users from specific user id to whom I have to give proc_owner priviledge

As per my testing on my VM machine proc_info privilege by default is given to every user so I think we need to give proc_owner priviledge.

Note: User1 and user2 created before running these commands only

Code:
root@sol11:~# usermod -K 'defaultpriv=basic,proc_owner' user1
user2@sol11:/proc$ ppriv -v $$
1020:   -bash
flags = <none>
        E: dax_access,file_link_any,file_read,file_write,net_access,proc_exec,proc_fork,proc_info,proc_session,sys_ib_info
        I: dax_access,file_link_any,file_read,file_write,net_access,proc_exec,proc_fork,proc_info,proc_session,sys_ib_info
        P: dax_access,file_link_any,file_read,file_write,net_access,proc_exec,proc_fork,proc_info,proc_session,sys_ib_info
        L: contract_event,contract_identity,contract_observer,cpc_cpu,dax_access,dtrace_kernel,dtrace_proc,dtrace_user,file_chown,file_chown_self,file_dac_execute,file_dac_read,file_dac_search,file_dac_write,file_downgrade_sl,file_flag_set,file_link_any,file_owner,file_read,file_setid,file_upgrade_sl,file_write,graphics_access,graphics_map,ipc_dac_read,ipc_dac_write,ipc_owner,net_access,net_bindmlp,net_icmpaccess,net_mac_aware,net_mac_implicit,net_observability,net_privaddr,net_rawaccess,proc_audit,proc_chroot,proc_clock_highres,proc_exec,proc_fork,proc_info,proc_lock_memory,proc_owner,proc_priocntl,proc_session,proc_setid,proc_taskid,proc_zone,sys_acct,sys_admin,sys_audit,sys_config,sys_devices,sys_dl_config,sys_flow_config,sys_ib_config,sys_ib_info,sys_ip_config,sys_ipc_config,sys_iptun_config,sys_linkdir,sys_mount,sys_net_config,sys_nfs,sys_ppp_config,sys_res_bind,sys_res_config,sys_resource,sys_share,sys_smb,sys_suser_compat,sys_time,sys_trans_label,win_colormap,win_config,win_dac_read,win_dac_write,win_devices,win_dga,win_downgrade_sl,win_fontpath,win_mac_read,win_mac_write,win_selection,win_upgrade_sl
user2@sol11:/proc$
user2@sol11:/proc$
user2@sol11:/proc$ ppriv  $$
1020:   -bash
flags = <none>
        E: basic
        I: basic
        P: basic
        L: all
user2@sol11:/proc$
user1@sol11:/proc$ ppriv $$
1030:   -bash
flags = <none>
        E: basic,proc_owner
        I: basic,proc_owner
        P: basic,proc_owner
        L: all
user1@sol11:/proc$
user1@sol11:/proc$ ppriv -v $$
1030:   -bash
flags = <none>
        E: dax_access,file_link_any,file_read,file_write,net_access,proc_exec,proc_fork,proc_info,proc_owner,proc_session,sys_ib_info
        I: dax_access,file_link_any,file_read,file_write,net_access,proc_exec,proc_fork,proc_info,proc_owner,proc_session,sys_ib_info
        P: dax_access,file_link_any,file_read,file_write,net_access,proc_exec,proc_fork,proc_info,proc_owner,proc_session,sys_ib_info
        L: contract_event,contract_identity,contract_observer,cpc_cpu,dax_access,dtrace_kernel,dtrace_proc,dtrace_user,file_chown,file_chown_self,file_dac_execute,file_dac_read,file_dac_search,file_dac_write,file_downgrade_sl,file_flag_set,file_link_any,file_owner,file_read,file_setid,file_upgrade_sl,file_write,graphics_access,graphics_map,ipc_dac_read,ipc_dac_write,ipc_owner,net_access,net_bindmlp,net_icmpaccess,net_mac_aware,net_mac_implicit,net_observability,net_privaddr,net_rawaccess,proc_audit,proc_chroot,proc_clock_highres,proc_exec,proc_fork,proc_info,proc_lock_memory,proc_owner,proc_priocntl,proc_session,proc_setid,proc_taskid,proc_zone,sys_acct,sys_admin,sys_audit,sys_config,sys_devices,sys_dl_config,sys_flow_config,sys_ib_config,sys_ib_info,sys_ip_config,sys_ipc_config,sys_iptun_config,sys_linkdir,sys_mount,sys_net_config,sys_nfs,sys_ppp_config,sys_res_bind,sys_res_config,sys_resource,sys_share,sys_smb,sys_suser_compat,sys_time,sys_trans_label,win_colormap,win_config,win_dac_read,win_dac_write,win_devices,win_dga,win_downgrade_sl,win_fontpath,win_mac_read,win_mac_write,win_selection,win_upgrade_sl
user1@sol11:/proc$

--- Post updated at 12:12 AM ---

Hi Jim

My only concern is that proc_owner doesn't pose any risk other than seeing the process running by other user. If I can restrict that specific user to see only processes related to specific users on the system then it would be great.
Login or Register to Reply

|
Thread Tools Search this Thread
Search this Thread:
Advanced Search

More UNIX and Linux Forum Topics You Might Find Helpful
User Privilege
udtyuvaraj
How to assign superuser privilege to an ordinary user temporarily... AIX
1
AIX
Root privilege for user
nicktrix
Can anyone please tell how to give root privilege to a normal user in solaris 10?... Solaris
5
Solaris
Sudo user vs RBAC
saurabh84g
Hi all, What the difference between the sudo users & RBAC when the talk of effects after doing the above comes??? any differences between them ,kindly list ??... Linux
1
Linux
RBAC: create a user to shut the server
chaandana
Hi, I have created a user to shutdown the server using RBAC. Here are my steps: 1. roleadd -u 1000 -g 10 -d /home/stopsys -m stopsys 2. passwd stopsys 3. edit /etc/security/prof_attr to include: Shut:::able to shut the server: 4. modrole -P Shut stopsys 5. useradd -u 1001 -g 10 -d...... UNIX for Advanced & Expert Users
2
UNIX for Advanced & Expert Users

Featured Tech Videos