Friday, 23 January 2009

Delegating root privileges with RBAC

Operating System: Solaris 8/9/10
Related software: Websphere, IBM IHS, Apache, EdgeSuite Testing Server, etc.

The default HTTP port is always 80, which causes a problem on Unix servers. All ports less than 1024 are privileged, and only root can bind processes to them.

Since webservers therefore frequently have to be run as root, this can lead to a conflict between development teams (for example), who might want to start and stop Apache with impunity, and Systems Administrators, who might object to giving out the root password, or being bombarded with requests to stop and start the webserver.

There are a number of ways to devolve root authority to individual users, not least sudo, but on Solaris the preferred method (mine, at least) is RBAC.

RBAC (Role-Based Access Control) is a long and complicated topic - so let's just focus on what you need to do to safely devolve the root authority.

First we create an authority for the delegation of control, called org.apache.httpd.control by editing the /etc/security/auth_attr file to contain the following line:

org.apache.httpd.control:::Control Apache webserver::help=RtApache.html

The RtApache.html part refers to a helpfile held in the directory /usr/lib/help/profiles/locale/C - you can choose to create this file or not, as you choose.

Second we create a profile for this delegation of control, ApacheCTL, by editing the /etc/security/prof_attr file to contain the following line:

ApacheCTL:::Permit stop and start of Apache webserver:help=RtApache.html;auths=org.apache.httpd.control

Third we must create two entries in /etc/security/exec_attr, corresponding to the commands that we wish to run as root:


Next, assuming that we have a user ppetrelli, we must edit the /etc/user_attr file to include a line for ppetrelli as follows (or to edit the ppetrelli line to reflect the following):


Finally, we must change the default login shell for ppetrelli so that it uses one of the profile checking shells pfksh, pfcsh or pfsh. These are identical to ksh, csh or sh, with the additional feature that they check the RBAC profiles and can devolve root authority as described. This should be done by editing the /etc/passwd file.

It may also be necessary to change the first line of /usr/local/apache/bin/apachectl to also use this new shell - so change #!/bin/sh to #!/bin/pfsh - but often this is not required.

This will now allow ppetrelli to stop and start apache using his own user account. Only the two commands apachectl and httpd are run as root.

No comments: