Security
The C_INIT daemon authenticates users issuing commands from the host.
The ChorusOS operating system can be configured in secure mode, where remote host access is checked through the /etc/security administration file, located on the target root file system (see security(4CC)). In addition, users' credentials may be specified in this file, overriding default C_INIT configuration values.
If an /etc/security file exists, it must have read permissions for everybody to allow C_INIT to read it with the default credentials (user identifier 0 and group identifier 0). Secure mode will then be activated. In this mode, C_INIT authenticates every command it receives from the host. Authentication will fail for two reasons:
-
The user name of the remote user which issued the rsh command is not found in the security file.
-
The remote host from which the rsh command came is not in the remote host's list of users.
In this case, a permission denied message is sent back to the host and the command is aborted.
If the authentication procedure succeeds, the user's privilege credentials (user identifier or uid, group identifier or gid and additional groups) are read from the security file. Trusted users have access to the full set of C_INIT commands.
In non-secured mode, every user is treated as a trusted user and inherits the C_INIT default credentials (uid 0 and gid 0). In this case, if the host machine has exported the file system to be mounted with the default mapping of root to nobody, it is necessary that read and execute permissions for the target executable files be given to everybody. Otherwise C_INIT will not have the right to execute the application binaries.
Another way to circumvent this problem is by inhibiting that mapping of root to nobody on the host. Please consult your system administrator about this.
- © 2010, Oracle Corporation and/or its affiliates