Softpanorama
May the source be with you, but remember the KISS principle ;-)
When a user runs the su command to assume a role, profile shells launch from within the parent shell. There are only three profile shells in Solaris: pfsh, pfcsh, and pfksh. These profile shells are actually hard links to the Solaris Bourne shell (sh), Solaris C shell (csh), and Solaris Korn shell (ksh), respectively.
A profile shell is a hard link to a regular Solaris shell that enables checking of the privileges that are assigned to the role. In other words, the shell and the profile shell are hard-linked and have the same inode number. You can check this using the commands "ls -i /usr/bin/sh /usr/bin/pfsh" or "ls -i /usr/bin/ksh /usr/bin/pfksh". The standard UNIX (tcsh) and Linux shells (bash) are not aware of the RBAC database. That means that bash cannot be used as a profile shell.
Before executing any command, the profile shell checks the role’s profile and commands associated with this profile. If the same command appears in more than one profile, the profile shell uses the first matching entry.
The pfexec command executes a command with the attributes specified in the database. It looks like pfexec can be used as a substitute for the sudo prefix (pfksh, pfsh and pfexec share the same man page):
The pfexec program is used to execute commands with the attributes specified by the user's profiles in the exec_attr(4) database. It is invoked by the profile shells, pfsh, pfcsh, and pfksh which are linked to the Bourne shell, C shell, and Korn shell, respectively.
Profiles are searched in the order specified in the user's entry in the user_attr(4) database. If the same command appears in more than one profile, the profile shell uses the first matching entry.
The second form, pfexec -P privspec, allows a user to obtain the additional privileges awarded to the user's profiles in prof_attr(4). The privileges specification on the commands line is parsed using priv_str_to_set(3C). The resulting privileges are intersected with the union of the privileges specified using the "privs" keyword in prof_attr(4) for all the user's profiles and added to the inheritable set before executing the command.
Naturally, like any additional level of complexity, this introduces new types of vulnerabilities, for example:
Sun Solaris 8 and 9: CVE reference: CAN-2004-1394
Sun has reported a vulnerability in Solaris, which can be exploited by malicious, local users to gain escalated privileges. The pfexec program may reportedly execute "profile" commands with additional privileges if the execution profiles database contains an invalid entry for a user's custom rights profile. Patches exist for Solaris 8 and Solaris 9.
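An added example (not part of the original page or of Solaris itself): an audit script that applies the first-match rule described above and reports exec_attr lines that do not parse cleanly, so that entries such as the invalid ones the advisory mentions can be reviewed. The sample data, the names alice and Custom Ops, the accepted attribute keys, the definition of "malformed" used here, and glob-style matching of the command field are assumptions; nested profiles and policy.conf defaults are ignored.

```python
from fnmatch import fnmatchcase
# Constructed sample data in exec_attr(4) / user_attr(4) layout, not from a real host.
EXEC_ATTR = """\
# name:policy:type:res1:res2:id:attr
Printer Management:suser:cmd:::/usr/sbin/accept:euid=lp
Custom Ops:suser:cmd:::/usr/sbin/accept:euid=0
Custom Ops:suser:cmd:::/usr/bin/date
Custom Ops:suser:cmd:::usr/sbin/reboot:euid=0
All:suser:cmd:::*:
"""
USER_ATTR = "alice::::type=normal;profiles=Printer Management,Custom Ops,All\n"
KNOWN_KEYS = {"uid", "euid", "gid", "egid", "privs", "limitprivs"}  # assumed key set

def parse_exec_attr(text):
    """Return (entries, problems). Malformed lines are reported and never used."""
    entries, problems = [], []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            problems.append((n, "expected 7 colon-separated fields"))
            continue
        name, _, _, _, _, cmd, attr = fields
        pairs = [kv.partition("=") for kv in attr.split(";") if kv]
        if cmd != "*" and not cmd.startswith("/"):
            problems.append((n, "command is not a full path"))
        elif any(k not in KNOWN_KEYS or not sep or not v for k, sep, v in pairs):
            problems.append((n, "malformed or unknown attribute"))
        else:
            entries.append((name, cmd, {k: v for k, _, v in pairs}))
    return entries, problems

def user_profiles(text, user):
    """Profiles in the order listed in the user's user_attr entry."""
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) == 5 and fields[0] == user:
            for kv in fields[4].split(";"):
                if kv.startswith("profiles="):
                    return kv[len("profiles="):].split(",")
    return []

def resolve(cmd, profiles, entries):
    """First matching entry wins, in user_attr profile order; None if no match."""
    for prof in profiles:
        for name, pattern, attrs in entries:
            if name == prof and fnmatchcase(cmd, pattern):
                return prof, attrs
```

With the sample data, /usr/sbin/accept resolves to the euid=lp entry from the first listed profile rather than the later euid=0 entry, and the two malformed Custom Ops lines are reported instead of being matched.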
Copyright © 1996-2008 by Dr. Nikolai Bezroukov. www.softpanorama.org was created as a service to the UN Sustainable Development Networking Programme (SDNP) in the author's free time. This document is an industrial compilation designed and created exclusively for educational use and is placed under the copyright of the Open Content License (OPL). Original materials copyright belong to respective owners. Quotes are made for educational purposes only in compliance with the fair use doctrine.
Last modified: February 28, 2008