1 # 2 # CDDL HEADER START 3 # 4 # The contents of this file are subject to the terms of the 5 # Common Development and Distribution License (the "License"). 6 # You may not use this file except in compliance with the License. 7 # 8 # You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 # or http://www.opensolaris.org/os/licensing. 10 # See the License for the specific language governing permissions 11 # and limitations under the License. 12 # 13 # When distributing Covered Code, include this CDDL HEADER in each 14 # file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 # If applicable, add the following below this CDDL HEADER, with the 16 # fields enclosed by brackets "[]" replaced with your own identifying 17 # information: Portions Copyright [yyyy] [name of copyright owner] 18 # 19 # CDDL HEADER END 20 # 21 22 # 23 # Copyright 2007 Sun Microsystems, Inc. All rights reserved. 24 # Use is subject to license terms. 25 # 26 # ident "@(#)README 1.3 07/02/07 SMI" 27 # 28 29 runwattr - Run With Attributes 30 31 This tool provides a simple interface so that test cases can 32 execute programs with any desired credential level. This 33 currently includes manipulation of the real/effective uid/gid, 34 privileges, and zone. In addition, environment variables can 35 be changed or added. 36 37 runwattr can be thought of as a "filter" on the credentials of 38 the programs run under it. In other words, invoking "runwattr 39 someutility" would have the same effect as invoking 40 "someutility" directly. However, invoking "runwattr -z 41 somezone someutility" would switch to the alternate zone while 42 preserving as much as possible of the current context. There 43 are additional options described below to alter other aspects 44 of the credential context; these can be used together in any 45 desired combination. 46 47 Usage: 48 49 runwattr [-u uid] [-U uid] [-g gid] [-G gid] 50 [-p priv_mod ...] 51 [-z zonename] 52 [-i] [-e name=value ...] 53 [-D] 54 [--] command [args ...] 55 56 The uid/gid options manipulate user and group ids: 57 -u and -g will set both the real and effective uid or gid. 58 -U and -G will set the real uid or gid only, and can also be 59 used together with -u and -g to set a real uid or gid that is 60 different from the effective uid or gid set by -u or -g. 61 62 The priv_mod syntax is: [=+-]priv_name[,priv_name]* 63 = will explicitly set the listed priv_name(s) 64 + and - will add or remove the listed priv_name(s) to 65 the current privileges. 66 67 The -z option specifies the desired zone in which to execute 68 the command. If the specified zone matches the current zone, 69 the option is ignored and no special action is taken. When 70 runwattr is invoked in the global zone, this option can be 71 used to change to a non-global zone. When runwattr is 72 invoked in a non-global zone, the only valid value for this 73 option is to specify the current zone, which would be ignored 74 as described above. 75 76 The -i and -e options manipulate environment variables. 77 By default, the current environment variables will be 78 propagated into the environment of the child process. 79 -i will clear all variables from the current environment. 80 -e can be used to add or change additional variables. 81 82 The -D option enables extra debugging information. 83 84 Installation: 85 86 Several installation alternatives are available: 87 88 1) Package Installation: 89 90 This method uses the standard STF techniques to create a 91 Solaris package, which will be installed under the base 92 directory "/opt/SUNWstc-runwattr". 93 94 Briefly, this installation is performed as follows: 95 96 # set path to STF bin directory 97 PATH=<path-to-STF>/bin/`uname -p`:$PATH 98 export PATH 99 100 # if not using teamware, define CODEMGR_WS 101 CODEMGR_WS=<path-to-workspace> 102 export CODEMGR_WS 103 104 cd ${CODEMGR_WS}/src/tools/runwattr 105 stf_build package 106 cd ${CODEMGR_WS}/packages/`uname -p` 107 pkgadd -d `pwd` SUNWstc-runwattr 108 109 To uninstall: 110 111 pkgrm SUNWstc-runwattr 112 113 2) Manual Installation: 114 115 These steps can be used if STF or a SUNWstc-runwattr 116 package are unavailable. In addition, this method 117 allows the flexibility to install runwattr in any 118 location. 119 120 The following steps will use the variable ${BASEDIR} 121 to identify the root of the installation; this can 122 be changed to any desired location. 123 124 # define location for installation 125 BASEDIR=/usr/local 126 127 # install runwattr script 128 mkdir -p ${BASEDIR}/bin 129 cp -p bin/runwattr.pl ${BASEDIR}/bin/runwattr 130 chmod +x ${BASEDIR}/bin/runwattr 131 132 # install "forcepriv" helper binaries 133 ksh -p bin/runwattr_admin.ksh \ 134 install -s ${BASEDIR}/lib/forcepriv 135 136 To uninstall: 137 138 # remove runwattr script 139 rm -f ${BASEDIR}/bin/runwattr 140 141 # remove "forcepriv" helper binaries 142 ksh -p bin/runwattr_admin.ksh \ 143 uninstall ${BASEDIR}/lib/forcepriv 144 145 3) Network installation: 146 147 This is simply a variation on the "manual" installation 148 steps described above that can be used when the main 149 runwattr script is already installed in a shared network 150 location. On the local system, only the "runwattr_admin" 151 steps from the "manual" installation method need to be 152 performed. 153 154 Because the "forcepriv" scripts are not installed in a fixed 155 location relative to the runwattr script, the environment 156 variable RUNWATTR_FORCEPRIV may be used to tell the runwattr 157 script where to find the "forcepriv" binaries. 158 159 RUNWATTR_FORCEPRIV=/usr/local/lib/forcepriv 160 export RUNWATTR_FORCEPRIV 161 runwattr_admin install -s ${RUNWATTR_FORCEPRIV} 162 # test execution steps using runwattr go here 163 runwattr_admin uninstall ${RUNWATTR_FORCEPRIV} 164 165 The runwattr and runwattr_admin scripts both acknowledge 166 the path "/var/tmp/SUNWstc-runwattr/forcepriv" as a 167 default location for the "forcepriv" binaries. If this 168 location is used, no environment variable is required 169 and the steps are simply as follows: 170 171 runwattr_admin install -s 172 # test execution steps using runwattr go here 173 runwattr_admin uninstall 174 175 RBAC alternative for forcepriv: 176 177 All of the above procedures will create a setuid/setgid 178 root binary on the system. This can then be used by any 179 system user to gain all privileges. If this is not desired, 180 RBAC can be used to restrict the utility to designated users. 181 182 1) Remove the setuid bit from the forcepriv helper binary. 183 184 If runwattr is installed via a package, this must be done 185 with a command such as the following. Be sure to replace 186 the "/opt/SUNWstc-runwattr" portion of the pathname if 187 another installation location was chosen. 188 189 chmod -s /opt/SUNWstc-runwattr/lib/forcepriv 190 191 If runwattr is installed using the "manual" or "network" 192 methods described above, simply omit the "-s" option 193 from the "runwattr_admin install" command. 194 195 2) Add entries for the runwattr tools to the system's 196 prof_attr(4) and exec_attr(4) databases. 197 198 Sample entries are provided in the "etc/security" 199 directory of this distribution. Be sure to replace 200 the "/opt/SUNWstc-runwattr" portion of the pathnames 201 in exec_attr(4) if another installation location was 202 chosen. 203 204 3) Add the "Solaris Test Collection runwattr" profile to 205 the user_attr(4) database for user accounts that are 206 authorized to use the tool. 207 208 For further details on RBAC, see the "Roles, Rights Profiles, 209 and Privileges" section of the __Solaris System Administration 210 Guide: Security Services__ and the prof_attr(4), exec_attr(4) 211 and user_attr(4) man pages. 212 213 Further details on the location of "forcepriv" helper binaries: 214 215 The "forcepriv" helper binaries are located at runwattr 216 execution time by searching for the first match against 217 the following list of locations: 218 219 1) The full path specified by the RUNWATTR_FORCEPRIV 220 environment variable, if it is set. 221 222 2) The standard path "/var/tmp/SUNWstc-runwattr/forcepriv", 223 which is the default location for "network" installations. 224 225 3) The standard path "/opt/SUNWstc-runwattr/lib/forcepriv", 226 which is the default location for "package" installations. 227 228 4) A path derived from the location of the runwattr script 229 itself. This algoritm assumes that if the runwattr script 230 is installed as /some_path_name/bin/runwattr then the 231 forcepriv binary would be /some_path_name/lib/forcepriv. 232 233 Like the runwattr script itself, copies of these binaries 234 must be created at the same location in each system zone. 235 The following commands are used to maintain these copies: 236 237 runwattr_admin install [ -z <zonename> ] [ -s ] [ <forcepriv_path> ] 238 runwattr_admin uninstall [ -z <zonename> ] [ <forcepriv_path> ] 239 240 The "install" and "uninstall" subcommands indicate whether 241 the forcepriv binaries should be created or removed. 242 243 The "-z <zonename>" option (which may be repeated) indicates 244 which system zones are manipulated during each invocation of 245 runwattr_admin. By default, when this command is used in the 246 global zone, ALL system zones are included; when used in a 247 non-global zone, only that zone is included. 248 249 The "-s" option indicates that the runwattr_admin script 250 should apply "setuid/setgid root" permissions to the forcepriv 251 binaries that are created. The invoking prcess must already 252 have super-user credentials to use this option. 253 254 The optional "<forcepriv_path>" argument may be used to 255 explicitly state the location where the forcepriv binaries 256 should be created: 257 258 1) The path given in the "<forcepriv_path>" argument is 259 always used when it is provided. 260 261 2) Otherwise, the path given in the RUNWATTR_FORCEPRIV 262 environment variable is used if it is defined. 263 264 3) Otherwise, "/var/tmp/SUNWstc-runwattr/forcepriv" is 265 used by default. 266 267 When "runwattr_admin install" is executed, a single final 268 subdirectory component of the "<forcepriv_path>" argument 269 (for example, the "SUNWstc-runwattr" directory from the 270 full path "/var/tmp/SUNWstc-runwattr/forcepriv") will be 271 created if needed. Similarly, when "runwattr_admin uninstall" 272 is executed, the final subdirectory will be removed if it 273 would otherwise be empty. 274 275 Limitations: 276 277 The restriction on movement between zones (with the -z 278 option) is imposed by the zones(5) model and applies in 279 all cases. 280 281 Modification of any attribute of a credential context which 282 has a security impact (with the -uUgGpz options) is subject 283 to the limitations described in ppriv(1) and privileges(5). 284 285 Typically, this requires that user invoking runwattr be able 286 to run the associated "forcepriv" utility with all privileges. 287 This can be achieved by the following methods: 288 289 - Installing forcepriv as a setuid/setgid 0 binary. 290 - Using RBAC profiles to asign this right to users. 291 - Invoking the runwattr utility as the super-user. 292 293 In other cases, modification of the credential context is 294 restricted to those changes that the invoking user would 295 have been able to achieve through their preexisting privilege 296 level: 297 298 - Switching zones may not be possible. 299 - Changes to uid/gid may not be possible. 300 - Privileges may only be reduced. 301 302 The -e and -i options may be used freely without limitation. 303 304 Examples: 305 306 In the following two examples, the command "zonename ; id ; 307 ppriv -S $$" is executed twice. The first invocation 308 displays the existing credential context, the second 309 shows how it is modified with runwattr: 310 311 1) From within the public zone, operating as a normal user, 312 invoke a command as a different user with additional 313 privileges: 314 315 % zonename ; id ; ppriv -S $$ 316 public 317 uid=1001(tester) gid=10(staff) 318 143968: ksh 319 flags = <none> 320 E: basic 321 I: basic 322 P: basic 323 L: zone 324 % runwattr \ 325 -u nobody -g nobody \ 326 -p +file_dac_read \ 327 'zonename ; id ; ppriv -S $$' 328 public 329 uid=60001(nobody) gid=60001(nobody) 330 144046: sh -c zonename ; id ; ppriv -S $$ 331 flags = <none> 332 E: basic,file_dac_read 333 I: basic,file_dac_read 334 P: basic,file_dac_read 335 L: zone 336 337 2) From within the global zone, operating as the super user, 338 enter the public zone and execute a command with altered 339 uid, gid, and privilege: 340 341 # zonename ; id ; ppriv -S $$ 342 global 343 uid=0(root) gid=0(root) 344 128876: ksh 345 flags = <none> 346 E: all 347 I: basic 348 P: all 349 L: all 350 # runwattr \ 351 -z public \ 352 -U tester -G staff \ 353 -u nobody -g nobody \ 354 -p -proc_info \ 355 'zonename ; id ; ppriv -S $$' 356 public 357 uid=1001(tester) gid=10(staff) euid=60001(nobody) egid=60001(nobody) 358 144109: sh -c zonename ; id ; ppriv -S $$ 359 flags = <none> 360 E: basic,!proc_info 361 I: basic,!proc_info 362 P: basic,!proc_info 363 L: zone 364 365 The following three examples show how environment variables 366 can be propagated between zones and manipulated with the 367 -e and -i options: 368 369 1) Propagating environment variables between zones 370 automatically: 371 372 # zonename 373 global 374 # MY_SPECIAL_VARIABLE=foo 375 # export MY_SPECIAL_VARIABLE 376 # zlogin public 'env | grep MY_SPECIAL_VARIABLE' 377 # runwattr -z public 'env | grep MY_SPECIAL_VARIABLE' 378 MY_SPECIAL_VARIABLE=foo 379 380 2) Using -e to set extra environment variables: 381 382 # zonename 383 global 384 # unset MY_SPECIAL_VARIABLE 385 # env | grep MY_SPECIAL_VARIABLE 386 # runwattr \ 387 -z public \ 388 -e MY_SPECIAL_VARIABLE=foo \ 389 'env | grep MY_SPECIAL_VARIABLE' 390 MY_SPECIAL_VARIABLE=foo 391 392 3) Using -i to severely limit the environment, removing 393 even those variables set automatically with zlogin(1). 394 "wc -l" is used to count the number of variables defined 395 in the global zone, set by zlogin, and left after using 396 "runwattr -i": 397 398 # zonename ; env | wc -l 399 global 400 45 401 # zlogin public 'zonename ; env | wc -l' 402 public 403 7 404 # runwattr -z public -i 'zonename ; env | wc -l' 405 public 406 0 407 408 Warnings: 409 410 This tool should only be installed on systems used for test 411 purposes, and never on a production or other sensitive system. 412 413 This tool will pass special shell environment variables 414 (such as PATH or IFS) along to the environment for the child 415 process. Make certain that this does not have unintended 416 consequences. In particular, make certain that the correct 417 child process commands are executed. 418 419 Notes: 420 421 This tool is implemented as a Perl script, with a helper binary 422 to force privileges. The helper is simply a copy of the normal 423 ppriv(1) program included in the OS. 424 425
Terms of Use |
Privacy |
Trademarks |
Copyright Policy |
Site Guidelines |
Help
Your use of this web site or any of its content or software indicates your agreement to be bound by these Terms of Use.
Copyright © 1995-2008 Sun Microsystems, Inc.