I was trying to work out a way of checking my firewall rules without having to su to root. The answer was the mysterious RBAC (Solaris role-based access control). It's something I've spent most of my professional life avoiding, but in reality it is not the nightmare it pretends to be. Anyway, here's my cookbook for this one:
If I run the command as myself, this is the output:
$ ipfstat -io
open(IPSTATE_NAME): Permission denied
So, the first thing to do is to work out what privileges are required. ppriv -De runs the command with privilege debugging switched on, so every failed privilege check is logged with the privilege name and the system call that wanted it:
$ ppriv -De ipfstat -io
ipfstat[24104]: missing privilege "sys_ip_config" (euid = 100, syscall = 5) for "devpolicy" needed at spec_open+0x100
open(IPSTATE_NAME): Permission denied
Next, check which rights profiles in /etc/security/exec_attr grant that privilege to a command:
# grep sys_ip_config /etc/security/exec_attr
IP Filter Management:solaris:cmd:::/usr/sbin/ipf:privs=sys_ip_config
IP Filter Management:solaris:cmd:::/usr/sbin/ipfs:privs=sys_ip_config
IP Filter Management:solaris:cmd:::/usr/sbin/ipfstat:privs=sys_ip_config;gid=sys
IP Filter Management:solaris:cmd:::/usr/sbin/ipmon:privs=sys_ip_config
IP Filter Management:solaris:cmd:::/usr/sbin/ipnat:privs=sys_ip_config;gid=sys
IP Filter Management:solaris:cmd:::/usr/sbin/ippool:privs=sys_ip_config;gid=sys
Network IPsec Management:solaris:cmd:::/usr/sbin/ipsecalgs:privs=sys_ip_config
Network IPsec Management:solaris:cmd:::/usr/sbin/ipsecconf:euid=0;privs=sys_ip_config
Network IPsec Management:solaris:cmd:::/usr/sbin/ipseckey:uid=0;privs=sys_ip_config
Network Management:solaris:cmd:::/sbin/route:privs=sys_ip_config
Network Management:solaris:cmd:::/sbin/routeadm:euid=0; privs=proc_chroot,proc_owner,sys_ip_config
IP Filter Management grants sys_ip_config to ipfstat (and sets gid=sys for it) and has a suitable name, so now we just assign this profile to my user:
# usermod -P "IP Filter Management" fred
We have a new entry in /etc/user_attr now:
# tail /etc/user_attr
fred::::type=normal;profiles=IP Filter Management
Log in as my user and test. Running ipfstat directly still fails, because the profile's privileges are only applied when the command is launched through pfexec (or a profile shell such as pfsh):
$ ipfstat -io
open(IPSTATE_NAME): Permission denied
$ pfexec ipfstat -io | less
pass out on nge0 from any to any keep state
block in on nge0 all
.
.
.
Sorted.
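The steps above (find the privilege, find the profile that grants it to the command, check the user holds the profile) can be done mechanically. The script below is an added example, not from the original post: a small parser for exec_attr(4) and user_attr(4) style lines. The entries it works on are a constructed sample embedded inline (the ipf, ipfstat, routeadm and fred lines are copied from the post's output; the lpadmin entry and the user alice are made up), so it runs offline. The function names profiles_granting, user_has_profile and can_pfexec are my own. On a Solaris box you could point EXEC_ATTR_DATA and USER_ATTR_DATA at the real files instead.

```shell
#!/bin/sh
# Added example, not part of the original post. Answers two questions from
# exec_attr/user_attr style data: which rights profiles grant a privilege to a
# command, and does a given user hold one of them.
# Real system: EXEC_ATTR_DATA=$(cat /etc/security/exec_attr)
#              USER_ATTR_DATA=$(cat /etc/user_attr)

# Constructed sample. exec_attr format: name:policy:type:res1:res2:id:attr
# The first three lines are taken from the post's grep output; lpadmin is made up.
EXEC_ATTR_DATA='IP Filter Management:solaris:cmd:::/usr/sbin/ipf:privs=sys_ip_config
IP Filter Management:solaris:cmd:::/usr/sbin/ipfstat:privs=sys_ip_config;gid=sys
Network Management:solaris:cmd:::/sbin/routeadm:euid=0; privs=proc_chroot,proc_owner,sys_ip_config
Printer Management:solaris:cmd:::/usr/sbin/lpadmin:euid=lp'

# Constructed sample. user_attr format: user:qualifier:res1:res2:attr
# fred is the post's entry; alice is made up.
USER_ATTR_DATA='fred::::type=normal;profiles=IP Filter Management
alice::::type=normal;profiles=Printer Management,Basic Solaris User'

# profiles_granting PRIV [CMD]
# Print (sorted, unique) the profile names whose exec_attr entry carries PRIV
# in its privs= list, optionally restricted to entries whose id field is CMD.
profiles_granting() {
    printf '%s\n' "$EXEC_ATTR_DATA" | awk -F: -v priv="$1" -v cmd="$2" '
        cmd == "" || $6 == cmd {
            n = split($7, kv, ";")
            for (i = 1; i <= n; i++) {
                gsub(/^ +| +$/, "", kv[i])   # the routeadm line has "euid=0; privs=..."
                if (kv[i] ~ /^privs=/) {
                    m = split(substr(kv[i], 7), p, ",")
                    for (j = 1; j <= m; j++)
                        if (p[j] == priv) { print $1; break }
                }
            }
        }' | sort -u
}

# user_has_profile USER PROFILE
# Exit 0 if USER's user_attr profiles= list contains PROFILE, else 1.
user_has_profile() {
    printf '%s\n' "$USER_ATTR_DATA" | awk -F: -v user="$1" -v profile="$2" '
        $1 == user {
            n = split($5, kv, ";")
            for (i = 1; i <= n; i++)
                if (kv[i] ~ /^profiles=/) {
                    m = split(substr(kv[i], 10), p, ",")
                    for (j = 1; j <= m; j++)
                        if (p[j] == profile) found = 1
                }
        }
        END { exit (found ? 0 : 1) }'
}

# can_pfexec USER CMD PRIV
# Exit 0 if some profile grants PRIV to CMD and USER holds that profile,
# i.e. "pfexec CMD" should get past the check that ppriv -De reported.
can_pfexec() {
    u=$1; c=$2; p=$3
    profiles_granting "$p" "$c" | while IFS= read -r prof; do
        user_has_profile "$u" "$prof" && printf '%s\n' "$prof"
    done | grep -q .
}

# Demo against the constructed samples: the post's question, answered mechanically.
printf 'sys_ip_config is granted by: %s\n' "$(profiles_granting sys_ip_config | tr '\n' ' ')"
for u in fred alice; do
    if can_pfexec "$u" /usr/sbin/ipfstat sys_ip_config; then
        echo "$u can run: pfexec ipfstat -io"
    else
        echo "$u would still get: open(IPSTATE_NAME): Permission denied"
    fi
done
```

The parser trims whitespace around each attr token because real exec_attr entries are not always tidy (the routeadm line above has a space after the semicolon), and it matches the privilege name exactly rather than by substring, so sys_ip_config does not accidentally match a privilege such as sys_ip_config_extra if one ever existed.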
Thursday, August 20, 2009