Paul B. Henson
2008-Sep-24 03:07 UTC
[zfs-discuss] zfs allow interaction with file system privileges
So I've been playing with SXCE in anticipation of the release of S10U6 (which last I heard has been delayed until sometime in October :( ) seeing how I might integrate our identity management system and ZFS provisioning using a minimum privileges service account. I need to be able to create filesystems, rename them, delete them, and change various attributes (quota and whatnot).

However, in addition to delegation using zfs allow, it seems permissions must be granted in the underlying file systems as well. In order to mount a new ZFS filesystem, an account needs permission to be able to create a directory in the containing filesystem. I suppose I can configure an ACL allowing such without any problem, but I also need to be able to update the ownership of the new filesystem to the appropriate account it is being created for.

Another option would be to leave the filesystem owned by the service account, and create an explicit ACL for the user it was created for, but a fair number of UNIX applications aren't really happy when a home directory is not owned by the user whose home directory it is.

What would be the best way to allow the service account to chown the newly created ZFS filesystem to the appropriate user? Right now I'm tentatively thinking of making a small suid root binary only executable by the service account which would take a username and chown appropriately.

Any other suggestions?

-- 
Paul B. Henson | (909) 979-6361 | http://www.csupomona.edu/~henson/
Operating Systems and Network Analyst | henson at csupomona.edu
California State Polytechnic University | Pomona CA 91768
Darren J Moffat
2008-Sep-24 05:34 UTC
[zfs-discuss] zfs allow interaction with file system privileges
Paul B. Henson wrote:
> What would be the best way to allow the service account to chown the newly
> created ZFS filesystem to the appropriate user? Right now I'm tentatively
> thinking of making a small suid root binary only executable by the service
> account which would take a username and chown appropriately.
>
> Any other suggestions?

Run the "service" with the file_chown privilege. See privileges(5), rbac(5) and if it runs as an SMF service smf_method(5).

-- 
Darren J Moffat
Paul B. Henson
2008-Sep-30 18:46 UTC
[zfs-discuss] zfs allow interaction with file system privileges
On Tue, 23 Sep 2008, Darren J Moffat wrote:
> Run the "service" with the file_chown privilege. See privileges(5),
> rbac(5) and if it runs as an SMF service smf_method(5).

Thanks for the pointer. After reviewing this documentation, it seems that file_chown_self is the best privilege to delegate, as the service account only needs to give away the filesystems it has created to the appropriate owner; it should never need to arbitrarily chown other things.

I'm actually running a separate instance of Apache/mod_perl which exposes my ZFS management API as a web service to our central identity management server. So it does run under SMF, but I'm having trouble getting the privilege delegation set up the way I need it to be. The method_credential option in the manifest only seems to apply to the initial start of the service. Apache needs to start as root, and then gives up the privileges when it spawns children. I can't have SMF control the privileges of the initial parent Apache process or it won't start.

Started with full privileges, the parent process looks like:

    E: all
    I: basic
    P: all
    L: all

And the children:

    flags = <none>
    E: basic
    I: basic
    P: basic
    L: all

I manually ran 'ppriv -s I+file_chown_self' on the parent Apache process, which resulted in:

    flags = <none>
    E: all
    I: basic,file_chown_self
    P: all
    L: all

And the children:

    flags = <none>
    E: basic,file_chown_self
    I: basic,file_chown_self
    P: basic,file_chown_self
    L: all

Which worked perfectly. Is there any syntax available for the SMF manifest that would allow starting the original process with all privileges, but configure the inheritable privileges to include the additional file_chown_self? If not, the only other option I can think of offhand is to put together a small Apache module that runs during server initialization and changes the inheritable permissions before the children are spawned.

Thanks...

-- 
Paul B. Henson | (909) 979-6361 | http://www.csupomona.edu/~henson/
Operating Systems and Network Analyst | henson at csupomona.edu
California State Polytechnic University | Pomona CA 91768
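One way to automate the manual ppriv step from the last post, as an added example written for this thread rather than code from either poster: a hypothetical SMF start-method script that adds file_chown_self to its own inheritable set before exec'ing httpd, plus a small check over ppriv's output so the server is not started with the wrong sets. It assumes Solaris ppriv(1), an httpd path of /usr/apache2/2.2/bin/httpd, and the usual "start" method argument; only the output parser runs on a non-Solaris system.

```shell
#!/bin/sh
# Hypothetical SMF start method for the Apache/mod_perl instance (added example,
# not from the thread). Assumed: SMF runs it as root with the default privilege
# sets, so E=P=all and I=basic, exactly like the parent httpd shown in the post.
set -eu

HTTPD=/usr/apache2/2.2/bin/httpd   # assumed path to this instance's httpd
EXTRA_PRIV=file_chown_self         # what the children need in their I set

# Add one privilege to the inheritable set of a process. The inheritable set is
# carried across exec(2), so adding it to this shell before exec'ing httpd gives
# the parent I=basic,file_chown_self; the children then get E=P=I after setuid,
# which is the "worked perfectly" state quoted above.
grant_inheritable() {
    ppriv -s "I+$1" "$2"
}

# Parse ppriv(1) output (the format quoted in the thread) and succeed only if
# the named privilege appears in the "I:" line. Pure awk, so it runs anywhere.
inherits_priv() {
    printf '%s\n' "$1" | awk -v want="$2" '
        /^[ \t]*I:/ { n = split($2, privs, ",")
                      for (i = 1; i <= n; i++) if (privs[i] == want) found = 1 }
        END { exit (found ? 0 : 1) }'
}

main() {
    grant_inheritable "$EXTRA_PRIV" "$$"
    # Refuse to start a web server whose children would get the wrong set.
    if ! inherits_priv "$(ppriv "$$")" "$EXTRA_PRIV"; then
        echo "inheritable set lacks $EXTRA_PRIV, not starting httpd" >&2
        exit 1
    fi
    exec "$HTTPD" -k start
}

case "${1:-}" in
    start) main ;;
esac
```

This leaves E and P of the parent untouched, so it changes only what the children end up with; it does not answer the manifest-syntax question, it just moves the ppriv call into the method script.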