This section provides information useful to developers producing applications that use Oracle Solaris Cluster. Developers use the Oracle Solaris Cluster API. For more information, see Chapter 3, Key Concepts for System Administrators and Application Developers, in Oracle Solaris Cluster 4.3 Concepts Guide.
The agent applications that developers create should work within the security framework of the product and consider the following security features:
Agent Callback Methods – Oracle Solaris Cluster supports a wide range of application agents, each implemented as a set of callback methods that start, stop, probe, and validate the application. Callback methods such as Start, Stop, and Validate always execute as root. If one of these method executables is writable by a non-root user, that user can insert code into the method and have it run as root, an unauthorized elevation of privilege. Oracle Solaris Cluster therefore checks the ownership and permissions of callback method executables. The check is controlled by the resource_security cluster property: if resource_security is set to SECURE and the method file is found to be writable by a non-root user, execution of the method fails.
Agent methods in turn often run external programs, such as application-specific administrative commands. Such programs should be run through a wrapper that executes them with the least privilege they need, rather than letting them inherit the method's root privileges. Oracle Solaris Cluster provides the application_user and resource_security properties and the scha_check_app_user API so that data services can ensure the application is executed securely. The scha_check_app_user command can be called from scripts to verify a user name against the configured Application_user and Resource_security settings before the application is started as that user. See the scha_check_app_user(1HA), r_properties(5), and cluster(1CL) man pages for information.
Secure Access to an Application – Some cases require secure access to an application when you issue management or configuration commands. Use a credential-based method, such as Oracle Wallet Manager, for this access. If a password must be supplied, use and store it securely in an obfuscated form; in particular, never pass it on the command line, where any user on the system can read it with the ps command. Oracle Solaris Cluster provides the clpstring command for creating private strings, which store encoded passwords securely in the cluster so that they can be retrieved when a password is needed to perform a management task. See the clpstring(1CL) man page for information about this command.
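The following is an added example and is not Oracle Solaris Cluster code or an excerpt from the Data Services Developer's Guide. It sketches the part of a Start callback method that applies the points above: the owner/permission test that resource_security=SECURE applies to callback methods, re-applied by the method itself to the external administrative command it is about to run as root (the cluster checks the method files, not the programs a method chooses to run); a call to scha_check_app_user to confirm the user the application will run as; and a password fetched from a private string and handed to the application on stdin rather than on its command line. The following are assumptions to verify against the man pages before use: that scha_check_app_user accepts -R <resource> followed by the user name and exits 0 on success, that a private string is read with scha_cluster_get -O PSTRING <name>, and the application path, its --password-stdin flag, and the resource and user names, which are all illustrative.

```shell
#!/bin/sh
# Added example, not Oracle Solaris Cluster code. Skeleton of a Start method:
#  1. refuse to run, as root, an external program a non-root user could edit;
#  2. confirm the application user with scha_check_app_user (assumed syntax);
#  3. read the password from a clpstring private string and pass it on stdin.

# check_method_perms FILE [OWNER]
# Exit 0 only if FILE (symlinks followed) is a regular file owned by OWNER
# (default root) and writable by neither group nor others. POSIX find(1)
# -user/-perm tests are used so the test is identical on Solaris and Linux.
# Note: this checks the file only; a method should also keep its programs in
# directories that non-root users cannot write, or the file can be replaced.
check_method_perms() {
    f=$1
    owner=${2:-root}
    [ -f "$f" ] || { echo "$f: not a regular file" >&2; return 2; }
    [ -n "$(find -L "$f" -prune -user "$owner")" ] ||
        { echo "$f: not owned by $owner" >&2; return 1; }
    [ -z "$(find -L "$f" -prune -perm -020)" ] ||
        { echo "$f: group-writable, refusing to run it as root" >&2; return 1; }
    [ -z "$(find -L "$f" -prune -perm -002)" ] ||
        { echo "$f: world-writable, refusing to run it as root" >&2; return 1; }
    return 0
}

# start_app RESOURCE_NAME APP_USER PSTRING_NAME
# The launch step of a Start method. It needs the scha_* commands, so it only
# runs inside a cluster and is not exercised by the demonstration below.
start_app() {
    resource=$1 app_user=$2 pstring=$3
    app_bin=/opt/app/bin/appctl            # illustrative application command

    # 1. Apply the same rule the framework applies to the method file itself.
    check_method_perms "$app_bin" || return 1

    # 2. Assumed syntax: -R <resource> <user>; non-zero exit means "do not start".
    if ! /usr/cluster/bin/scha_check_app_user -R "$resource" "$app_user"; then
        echo "$resource: $app_user is not an allowed application user" >&2
        return 1
    fi

    # 3. Assumed retrieval API for a string created with clpstring. The password
    #    goes to the application's stdin, never into argv where ps(1) shows it.
    pw=$(/usr/cluster/bin/scha_cluster_get -O PSTRING "$pstring") || return 1
    printf '%s\n' "$pw" | su - "$app_user" -c "$app_bin start --password-stdin"
}

# Stand-alone demonstration of the permission check on constructed files.
demo_dir=$(mktemp -d)
printf '#!/bin/sh\nexit 0\n' > "$demo_dir/appctl"
chmod 0755 "$demo_dir/appctl"
check_method_perms "$demo_dir/appctl" "$(id -un)" && echo "mode 0755: accepted"
chmod 0775 "$demo_dir/appctl"
check_method_perms "$demo_dir/appctl" "$(id -un)" || echo "mode 0775: rejected"
rm -rf "$demo_dir"
```

The demonstration passes the current user as the expected owner so it runs outside a cluster; in a real method the default of root is what you want, because a root-owned, non-group- and non-world-writable file is exactly what the SECURE check requires of the method executables themselves.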
See the Oracle Solaris Cluster Data Services Developer’s Guide for more information about how to use these security features when developing data services.