Go to main content

Securing Users and Processes in Oracle® Solaris 11.4

Exit Print View

Updated: September 2018
 
 

Users Locking Down the Applications That They Run

Users can remove basic privileges from applications by using extended privilege policy. The policy prevents access to directories that the applications should not access.


Note -  Order is important. Broader privileges for directories such as $HOME/Download* must be assigned after narrower privileges for most $HOME/.* directories.
Example 42  Running a Browser in a Protected Environment

This example illustrates how users can run the Firefox browser in a protected environment. In this configuration, the user's Documents directory is hidden from Firefox.

By using the following command, the user removes basic privileges from the /usr/bin/firefox command. The extended privilege arguments to the ppriv -r command limit the browser to reading and writing in only the directories that the user specifies. The –e option and its arguments open the browser with the extended privilege policy.

$ ppriv -r "\
{file_read}:/dev/*,\
{file_read}:/etc/*,\
{file_read}:/lib/*,\
{file_read}:/usr/*,\
{file_read}:/var/*,\
{file_read}:/proc,\
{file_read}:/proc/*,\
{file_read}:/system/volatile/*,\
{file_write}:$HOME,\
{file_read}:$HOME/.*,\
{file_read,file_write}:$HOME/.mozill*,\
{file_read,file_write}:$HOME/.gnome*,\
{file_read,file_write}:$HOME/Downloa*,\
{file_read,file_write}:/tmp,\
{file_read,file_write}:/tmp/*,\
{file_read,file_write}:/var/tmp,\
{file_read,file_write}:/var/tmp/*,\
{proc_exec}:/usr/*\
" -e /usr/bin/firefox file:///$HOME/Desktop

When the file_read and file_write privileges are used in an extended policy, you must grant explicit access to every file that should be read or written. The use of the wildcard character, *, is essential in such policies.

To handle automounted home directories, the user would add an explicit entry for the automount path, for example:

{file_read,file_write}:/export/home/$USER

If the site is not using the automount facility, the initial list of protected directories is sufficient.

Users can automate this command-line protected browser by creating a shell script. Then, to launch a browser, the user calls the script, not the /usr/bin/firefox command.

Example 43  Protecting Directories on Your System From Application Processes

In this example, a regular user creates a sandbox for applications by using a shell script wrapper. The first part of the script limits applications to certain directories. Exceptions, such as Firefox, are handled later in the script. Comments about parts of the script follow the script.

1 #!/bin/bash
2 
3 # Using bash because ksh misinterprets extended policy syntax
4 
5 PATH=/usr/bin:/usr/sbin:/usr/gnu/bin
6 
7 DENY=file_read,file_write,proc_exec,proc_info
8 
9 SANDBOX="\
10 {file_read}:/dev/*,\
11 {file_read}:/etc/*,\
12 {file_read}:/lib/*,\
13 {file_read,file_write}:/usr/*,\
14 {file_read}:/proc,\
15 {file_read,file_write}:/proc/*,\
16 {file_read}:/system/volatile/*,\
17 {file_read,file_write}:/tmp,\
18 {file_read,file_write}:/tmp/*,\
19 {file_read,file_write}:/var/*,\
20 {file_write}:$HOME,\
21 {file_read}:$HOME/.*,\
22 {file_read,file_write}:$PWD,\
23 {file_read,file_write}:$PWD/*,\
24 {proc_exec}:/usr/*\
25 "
26 
27 # Default program is restricted bash shell
28 
29 if [[ ! -n $1 ]]; then
30     program="/usr/bin/bash --login --noprofile
        --restricted"
31 else
32     program="$@"
33 fi
34 
35 
36 # Firefox needs more file and network access
37 if [[ "$program" =~ firefox ]]; then
38     SANDBOX+=",\
39 {file_read,file_write}:$HOME/.gnome*,\
40 {file_read,file_write}:$HOME/.mozill*,\
41 {file_read,file_write}:$HOME/.dbu*,\
42 {file_read,file_write}:$HOME/.puls*\
43 "
44 
45 else
46     DENY+=",net_access"
47 fi
48 
49 echo Starting $program in sandbox
50 ppriv -s I-$DENY -r $SANDBOX -De $program

The policy can be adjusted to permit specific applications more or less access. One adjustment is in lines 38-42, where Firefox is granted write access to several dot files that maintain session information in the user's home directory. Also, Firefox is not subject to line 46, which removes network access. However, Firefox is still restricted from reading arbitrary files in the user's home directory, and can save files only in its current directory.

As an extra level of protection, the default program, at line 30, is a restricted Bash shell. A restricted shell cannot change its current directory or execute the user's dot files. Therefore, any commands that are started from this shell are similarly locked into the sandbox.

In the final line of the script the ppriv command is passed two privilege sets as shell variables, $DENY and $SANDBOX.

The first set, $DENY, prevents the process from reading or writing any file, executing any subprocess, observing other user's processes, and (conditionally) accessing the network. These restrictions are too severe, so in the second set, $SANDBOX, the policy is refined by enumerating the directories which are available for reading, writing, and executing.

Also, in line 50 the debug option, –D, is specified. Access failures display in the terminal window in real time and include the named object and the corresponding privilege that is required for success. This debugging information can help the user customize the policy for other applications.