Assigning proc_owner privilege to particular user in RBAC


 
Thread Tools Search this Thread
Operating Systems Solaris Assigning proc_owner privilege to particular user in RBAC
# 1  
Old 06-16-2019
Assigning proc_owner privilege to particular user in RBAC

Hi

I need to assign proc_owner privilege to particular user through RBAC. How can I assign this privilege to user, I need help on this.
Further I need to understand if I give this proc_owner privilege to particular user, what kind of control user will get on other user or system processes which are not owned by him. What are the risks involved if we assign this privilege to user.

Regards

Last edited by hicksd8; 06-16-2019 at 02:50 PM.. Reason: improve readability
# 2  
Old 06-16-2019
Quote:
The file_chown_self and proc_owner privileges are subject to privilege escalation. The file_chown_self privilege allows a process to give away its files. The proc_owner privilege allows a process to inspect processes that the process does not own.
So the answer is: user can see all of the other processes & information & open files, etc. == yes
From: Privileges - Oracle Solaris Administration: Security Services

So, I would guess you do not want that. If in fact you do need it I'll dredge up some help. I have not even looked at this for about 3+ years....
# 3  
Old 06-17-2019
Hi

Thanks for your input. Yes I need help in assigning this proc_owner privilege to user along with command. I would ne nice if you can provide help on this . Further I need to understand that whether user will only get the read access or it will also have write access to kill the process or get the power to switch the process id to uid 0. Further when I am going through the link provide by you, which said that "You should have overriding security reasons for placing such powerful privilege in the inheritable set of privileges for any user,role" . Will it create any security risk if this privilege is giving only read access to all the processes in the system.
# 4  
Old 06-17-2019
Short answer to risk: yes. Not secure. That privilege means your power user reads the entire command line for ANY process, sometimes privileged processes get started something like this:
Code:
/path/to/foobar  jon/password

The power user can get environment variables inside the process with pargs -e, so if the secure user has a password embedded in an environment variable the power user can see it.
That power user may under some circumstances also read some of the /proc files for other processes.

Sounds like a security problem to me. You will have to be certain that nowhere are there system scripts that require passwords passed to them or have them in a login variable or an envirionment variable, for example.

This privilege would be good on a development machine, not so good on a production box.

How to assign and un-assign
Turn off for user
Code:
usermod -K 'defaultpriv=basic,!proc_info' user

Turn on for user:
Code:
usermod -K 'defaultpriv=basic,proc_info' user

The difference is just a single ! character
This User Gave Thanks to jim mcnamara For This Post:
# 5  
Old 06-18-2019
Hi Jim

Thanks for your input along with commands. I was looking for proc_owner priviledge to be given to user but you have given proc_info to user instead of proc_owner.

Could you let me know how proc_info differ from proc_owner in term of security if I only want to give the read permission to user to see the process of system and other users
# 6  
Old 06-18-2019
Quote:
The proc_owner privilege allows a process to inspect processes that the process does not own.
This is subject to privilege escalation - meaning it allows changes to some security settings for the process with proc_owner.

Privilege escalation - Wikipedia

That includes all of the information in /proc for a process, including for system processes.

May I ask what you are trying to accomplish? Sounds like you are trying to set up interactive users to monitor something.
# 7  
Old 06-19-2019
Hi Jim

Its a new setup where app team need to monitor the processes running by different app users from specific user id to whom I have to give proc_owner priviledge

As per my testing on my VM machine proc_info privilege by default is given to every user so I think we need to give proc_owner priviledge.

Note: User1 and user2 created before running these commands only

Code:
root@sol11:~# usermod -K 'defaultpriv=basic,proc_owner' user1
user2@sol11:/proc$ ppriv -v $$
1020:   -bash
flags = <none>
        E: dax_access,file_link_any,file_read,file_write,net_access,proc_exec,proc_fork,proc_info,proc_session,sys_ib_info
        I: dax_access,file_link_any,file_read,file_write,net_access,proc_exec,proc_fork,proc_info,proc_session,sys_ib_info
        P: dax_access,file_link_any,file_read,file_write,net_access,proc_exec,proc_fork,proc_info,proc_session,sys_ib_info
        L: contract_event,contract_identity,contract_observer,cpc_cpu,dax_access,dtrace_kernel,dtrace_proc,dtrace_user,file_chown,file_chown_self,file_dac_execute,file_dac_read,file_dac_search,file_dac_write,file_downgrade_sl,file_flag_set,file_link_any,file_owner,file_read,file_setid,file_upgrade_sl,file_write,graphics_access,graphics_map,ipc_dac_read,ipc_dac_write,ipc_owner,net_access,net_bindmlp,net_icmpaccess,net_mac_aware,net_mac_implicit,net_observability,net_privaddr,net_rawaccess,proc_audit,proc_chroot,proc_clock_highres,proc_exec,proc_fork,proc_info,proc_lock_memory,proc_owner,proc_priocntl,proc_session,proc_setid,proc_taskid,proc_zone,sys_acct,sys_admin,sys_audit,sys_config,sys_devices,sys_dl_config,sys_flow_config,sys_ib_config,sys_ib_info,sys_ip_config,sys_ipc_config,sys_iptun_config,sys_linkdir,sys_mount,sys_net_config,sys_nfs,sys_ppp_config,sys_res_bind,sys_res_config,sys_resource,sys_share,sys_smb,sys_suser_compat,sys_time,sys_trans_label,win_colormap,win_config,win_dac_read,win_dac_write,win_devices,win_dga,win_downgrade_sl,win_fontpath,win_mac_read,win_mac_write,win_selection,win_upgrade_sl
user2@sol11:/proc$
user2@sol11:/proc$
user2@sol11:/proc$ ppriv  $$
1020:   -bash
flags = <none>
        E: basic
        I: basic
        P: basic
        L: all
user2@sol11:/proc$
user1@sol11:/proc$ ppriv $$
1030:   -bash
flags = <none>
        E: basic,proc_owner
        I: basic,proc_owner
        P: basic,proc_owner
        L: all
user1@sol11:/proc$
user1@sol11:/proc$ ppriv -v $$
1030:   -bash
flags = <none>
        E: dax_access,file_link_any,file_read,file_write,net_access,proc_exec,proc_fork,proc_info,proc_owner,proc_session,sys_ib_info
        I: dax_access,file_link_any,file_read,file_write,net_access,proc_exec,proc_fork,proc_info,proc_owner,proc_session,sys_ib_info
        P: dax_access,file_link_any,file_read,file_write,net_access,proc_exec,proc_fork,proc_info,proc_owner,proc_session,sys_ib_info
        L: contract_event,contract_identity,contract_observer,cpc_cpu,dax_access,dtrace_kernel,dtrace_proc,dtrace_user,file_chown,file_chown_self,file_dac_execute,file_dac_read,file_dac_search,file_dac_write,file_downgrade_sl,file_flag_set,file_link_any,file_owner,file_read,file_setid,file_upgrade_sl,file_write,graphics_access,graphics_map,ipc_dac_read,ipc_dac_write,ipc_owner,net_access,net_bindmlp,net_icmpaccess,net_mac_aware,net_mac_implicit,net_observability,net_privaddr,net_rawaccess,proc_audit,proc_chroot,proc_clock_highres,proc_exec,proc_fork,proc_info,proc_lock_memory,proc_owner,proc_priocntl,proc_session,proc_setid,proc_taskid,proc_zone,sys_acct,sys_admin,sys_audit,sys_config,sys_devices,sys_dl_config,sys_flow_config,sys_ib_config,sys_ib_info,sys_ip_config,sys_ipc_config,sys_iptun_config,sys_linkdir,sys_mount,sys_net_config,sys_nfs,sys_ppp_config,sys_res_bind,sys_res_config,sys_resource,sys_share,sys_smb,sys_suser_compat,sys_time,sys_trans_label,win_colormap,win_config,win_dac_read,win_dac_write,win_devices,win_dga,win_downgrade_sl,win_fontpath,win_mac_read,win_mac_write,win_selection,win_upgrade_sl
user1@sol11:/proc$

--- Post updated at 12:12 AM ---

Hi Jim

My only concern is that proc_owner doesn't pose any risk other than seeing the process running by other user. If I can restrict that specific user to see only processes related to specific users on the system then it would be great.
Login or Register to Ask a Question

Previous Thread | Next Thread

9 More Discussions You Might Find Interesting

1. Shell Programming and Scripting

Create user with different privilege

Hi , I want to create 3 different user with below privilege in Solaris and Linux. 1) Read Only 2)Read and Write Only 3) Admin user Can you guys help me on this . (3 Replies)
Discussion started by: Naveen Pathak
3 Replies

2. AIX

sudo - User privilege specification

I am planning to implement sudo for users. Under , it looks I have to put the users who need to have sudo access: What are the recommended for users? I don't think I need to give the ALL privilege (i.e ) to AIX users. I'd like to know the commonly used privilege specification for sudo... (9 Replies)
Discussion started by: Daniel Gate
9 Replies

3. AIX

User Privilege

How to assign superuser privilege to an ordinary user temporarily (1 Reply)
Discussion started by: udtyuvaraj
1 Replies

4. UNIX for Dummies Questions & Answers

How to create/restrict a user with to have no privilege from other group

Hello experts I am new to Unix. Env : HPUX I need to create a user say testuser such that it does not have access to file/directories from the other group i.e the last 3 digits . How do I do that. Reason for such a request :- I have an existing user oracle which has default umask... (3 Replies)
Discussion started by: simonsimon
3 Replies

5. Solaris

Root privilege for user

Can anyone please tell how to give root privilege to a normal user in solaris 10? (5 Replies)
Discussion started by: nicktrix
5 Replies

6. Linux

Sudo user vs RBAC

Hi all, What the difference between the sudo users & RBAC when the talk of effects after doing the above comes??? any differences between them ,kindly list ?? (1 Reply)
Discussion started by: saurabh84g
1 Replies

7. AIX

[Help] Give privilege to an ordinary user

I'm trying to give a non-root user the right to start IBM HTTP Server, the web server is listening on port 80, but for AIX, ports under 1024 are privilege ports which can be used only by root. /usr/IBMIHS/bin# ./apachectl start (13)Permission denied: make_sock: could not bind to address :::80... (1 Reply)
Discussion started by: ibmer414
1 Replies

8. UNIX for Advanced & Expert Users

RBAC: create a user to shut the server

Hi, I have created a user to shutdown the server using RBAC. Here are my steps: 1. roleadd -u 1000 -g 10 -d /home/stopsys -m stopsys 2. passwd stopsys 3. edit /etc/security/prof_attr to include: Shut:::able to shut the server: 4. modrole -P Shut stopsys 5. useradd -u 1001 -g 10 -d... (2 Replies)
Discussion started by: chaandana
2 Replies

9. UNIX for Dummies Questions & Answers

Write privilege for user

Is it possible to grant write privileges to a user on a directory with out having to add the user to a group or make the user the owner of the directory? My background is in Windows and in Windows you can grant specific privileges to a user without having to put the user in a group or making the... (3 Replies)
Discussion started by: here2learn
3 Replies
Login or Register to Ask a Question