zfs discuss - Sep 2008 - zfs allow interaction with file system privileges

So I''ve been playing with SXCE in anticipation of the release of S10U6
(which last I heard has been delayed until sometime in October :( ) seeing
how I might integrate our identity management system and ZFS provisioning
using a minimum privileges service account.

I need to be able to create filesystems, rename them, delete them, and
change various attributes (quota and whatnot).

However, in addition to delegation using zfs allow, it seems permissions
must be granted in the underlying file systems as well. In order to mount a
new ZFS filesystem, an account needs permission to be able to create a
directory in the containing filesystem.

I suppose I can configure an ACL allowing such without any problem, but I
also need to be able to update the ownership of the new filesystem to the
appropriate account it is being created for. Another option would be to
leave the filesystem owned by the service account, and create an explicit
ACL for the user it was created for, but a fair number of UNIX applications
aren''t really happy when a home directory is not owned by the user
whose
home directory it is.

What would be the best way to allow the service account to chown the newly
created ZFS filesystem to the appropriate user? Right now I''m
tentatively
thinking of making a small suid root binary only executable by the service
account which would take a username and chown appropriately.

Any other suggestions?


-- 
Paul B. Henson  |  (909) 979-6361  |  http://www.csupomona.edu/~henson/
Operating Systems and Network Analyst  |  henson at csupomona.edu
California State Polytechnic University  |  Pomona CA 91768

Paul B. Henson wrote:
> What would be the best way to allow the service account to chown the newly
> created ZFS filesystem to the appropriate user? Right now I''m
tentatively
> thinking of making a small suid root binary only executable by the service
> account which would take a username and chown appropriately.
> 
> Any other suggestions?
Run the "service" with the file_chown privilege.  See privileges(5), 
rbac(5) and if it runs as an SMF service smf_method(5).

--
Darren J Moffat

On Tue, 23 Sep 2008, Darren J Moffat wrote:
> Run the "service" with the file_chown privilege.  See
privileges(5),
> rbac(5) and if it runs as an SMF service smf_method(5).
Thanks for the pointer. After reviewing this documentation, it seems that
file_chown_self is the best privilege to delegate, as the service account
only needs to give away the filesystems it has created to the appropriate
owner, it should never need to arbitrarily chown other things.

I''m actually running a separate instance of Apache/mod_perl which
exposes
my ZFS management API as a web service to our central identity management
server. So it does run under SMF, but I''m having trouble getting the
privilege delegation to the way I need it to be.

The method_credential option in the manifest only seems to apply to the
initial start of the service. Apache needs to start as root, and then gives
up the privileges when it spawns children. I can''t have SMF control the
privileges of the initial parent Apache process or it won''t start.

Started with full privileges, the parent process looks like:

        E: all
        I: basic
        P: all
        L: all

And the children:

flags = <none>
        E: basic
        I: basic
        P: basic
        L: all

I manually ran ''ppriv -s I+file_chown_self'' on the parent
Apache process,
which resulted in:

flags = <none>
        E: all
        I: basic,file_chown_self
        P: all
        L: all

And the children:

flags = <none>
        E: basic,file_chown_self
        I: basic,file_chown_self
        P: basic,file_chown_self
        L: all


Which worked perfectly. Is there any syntax available for the SMF manifest
that would allow starting the original process with all privileges, but
configure the inheritable privileges to include the additional
file_chown_self?

If not, the only other option I can think of offhand is to put together a
small Apache module that runs during server initialization and changes the
inheritable permissions before the children are spawned.

Thanks...


-- 
Paul B. Henson  |  (909) 979-6361  |  http://www.csupomona.edu/~henson/
Operating Systems and Network Analyst  |  henson at csupomona.edu
California State Polytechnic University  |  Pomona CA 91768