smf_security - service management facility security behavior
The configuration subsystem for the service management facility, smf(7), requires privilege to modify the configuration of a service. Privileges are granted to a user by associating the rbac(7) authorizations and profiles described below to the user through usermod command. For more information, see the usermod(8) man page.
The following authorization is used to manipulate services and service instances.
Authorized to add, delete, or modify services, service instances, or their properties, and to read protected property values.
The smf(7) configuration subsystem associates properties with each service and service instance. Related properties are grouped. Groups can represent an execution method, credential information, application data, or restarter state. The ability to create or modify property groups can cause smf(7) components to perform actions that can require operating system privilege. Accordingly, the framework requires appropriate authorization to manipulate property groups.
Each property group has a type corresponding to its purpose. The core property group types are method, dependency, framework, and application (where application is the recommended type for property groups containing application data). The following basic authorizations apply only to the core property group types:
Authorized to change values or create, delete, or modify a property group of type method.
Authorized to change values or create, delete, or modify a property group of type dependency.
Authorized to change values, read protected values, and create, delete, or modify a property group of type application.
Authorized to change values or create, delete, or modify a property group of type framework.
Authorized to add, delete, or modify services, service instances, or their properties, and to read protected property values.
Property group-specific authorization can be specified by properties contained in the property group.
Authorizations allow the addition, deletion, or modification of properties within the property group, and the retrieval of property values from the property group if protected.
Authorization to modify the configuration of a particular service is conventionally granted using the solaris.smf.value.<service> authorization.
Authorization to read protected property groups is conventionally granted using the same authorization as it is used to grant the write access, so that only those users authorized to write protected configuration values are allowed to read them.
The above authorization properties are only used if they have type astring. If an instance property group does not have one of the properties, but the instance's service has a property group of the same name with the property, its values are used.
Normally, all property values in the repository can be read by any user without explicit authorization. Property groups of non-framework types can be used to store properties with values that require protection. They must not be revealed except upon proper authorization. A property group's status as protected is indicated by the presence of a string-valued read_authorization property. If this property is present, the values of all properties in the property group is retrievable only as described in Property Group Authorizations.
Administrative domains with policies that prohibit backup of data considered sensitive should exclude the SMF repository databases from their backups. In the face of such a policy, non-protected property values can be backed up by using the svccfg(8) archive command to create an archive of the repository without protected property values.
Certain actions on service instances can result in service interruption or deactivation. These actions require an authorization to ensure that any denial of service is a deliberate administrative action. Such actions include a request for execution of the refresh or restart methods, or placement of a service instance in the maintenance or other non-operational state. The following authorization allows such actions to be requested:
Authorization to enable, disable, restart, refresh, or administer a particular service is conventionally granted using the solaris.smf.manage.<service> authorization.
In addition, the general/action_authorization property can specify additional authorizations that permit service actions to be requested for that service instance. The solaris.smf.manage authorization is required to modify this property.
Two rights profiles are included that offer grouped authorizations for manipulating typical smf(7) operations.
A service manager can manipulate any service in the repository in any way. It corresponds to the solaris.smf.manage and solaris.smf.modify authorizations.
The service management profile is the minimum required to use the pkg command to add or remove software packages that contain an inventory of services in its service manifest.
A service operator has the ability to enable or disable any service instance on the system, as well as request that its restart or refresh method be executed. It corresponds to the solaris.smf.manage and solaris.smf.modify.framework authorizations.
Sites can define additional rights profiles customized to their needs.
Remote repository servers can deny modification attempts due to additional privilege checks. See NOTES.
Adding the following line to /etc/user_attr allows the user “johndoe” to restart, enable, disable or other state modification of system/cron service without becoming root.
usermod -A +solaris.smf.manage.cronExample 2 Allow user to modify any property on any service and modify system/cron services without becoming root.
Adding the following line to /etc/user_attr allows the user “janedoe” to modify any property on any service, and restart, enable, disable or other state modification of system/cron service without becoming root.
usermod -A +auths=solaris.smf.modify,solaris.smf.manage.cron janedoe
auths(1), profiles(1), prof_attr(5), user_attr(5), rbac(7), smf(7), svccfg(8), usermod(8)
The present version of smf(7) does not support remote repositories.
When a service is configured to be started as root but with privileges different from limit_privileges, the resulting process is privilege aware. This can be surprising to developers who expect seteuid(<non-zero UID>) to reduce privileges to basic or less.