About Apache2 with RBAC
Hi all,
I'm trying to configure Apache2 with RBAC to reduce some privileges and run this service only as user webservd
...but the parent process still runs as root!
my steps:
...and obviously...
What's wrong?
Any idea?
PS: sorry about my english
I'm trying to configure Apache2 with RBAC to reduce some privileges and run this service only as user webservd
...but the parent process still runs as root!
my steps:
# svcadm -v disable -s apache2
# svccfg -s apache2
svc:/network/http:apache2> setprop start/user = astring: webservd
svc:/network/http:apache2> setprop start/group = astring: webservd
svc:/network/http:apache2> setprop start/privileges = astring: basic,!proc_session,!proc_info,!file_link_any,net_privaddr
svc:/network/http:apache2> end
# svcadm -v refresh apache2
# svcprop apache2 | grep ^start
startd/ignore_error astring core,signal
start/exec astring /lib/svc/method/http-apache2\ start
start/timeout_seconds count 60
start/type astring method
start/user astring webservd
start/group astring webservd
start/privileges astring basic,!proc_session,!proc_info,!file_link_any,net_privaddr
# svcadm -v enable -s apache2
# ps -ef | grep apache2
webservd 4205 4204 0 19:03:22 ? 0:00 /usr/apache2/bin/httpd -k start
root 4204 1 0 19:03:21 ? 0:00 /usr/apache2/bin/httpd -k start
webservd 4209 4204 0 19:03:22 ? 0:00 /usr/apache2/bin/httpd -k start
webservd 4208 4204 0 19:03:22 ? 0:00 /usr/apache2/bin/httpd -k start
webservd 4206 4204 0 19:03:22 ? 0:00 /usr/apache2/bin/httpd -k start
webservd 4207 4204 0 19:03:22 ? 0:00 /usr/apache2/bin/httpd -k start
# svccfg -s apache2
svc:/network/http:apache2> setprop start/user = astring: webservd
svc:/network/http:apache2> setprop start/group = astring: webservd
svc:/network/http:apache2> setprop start/privileges = astring: basic,!proc_session,!proc_info,!file_link_any,net_privaddr
svc:/network/http:apache2> end
# svcadm -v refresh apache2
# svcprop apache2 | grep ^start
startd/ignore_error astring core,signal
start/exec astring /lib/svc/method/http-apache2\ start
start/timeout_seconds count 60
start/type astring method
start/user astring webservd
start/group astring webservd
start/privileges astring basic,!proc_session,!proc_info,!file_link_any,net_privaddr
# svcadm -v enable -s apache2
# ps -ef | grep apache2
webservd 4205 4204 0 19:03:22 ? 0:00 /usr/apache2/bin/httpd -k start
root 4204 1 0 19:03:21 ? 0:00 /usr/apache2/bin/httpd -k start
webservd 4209 4204 0 19:03:22 ? 0:00 /usr/apache2/bin/httpd -k start
webservd 4208 4204 0 19:03:22 ? 0:00 /usr/apache2/bin/httpd -k start
webservd 4206 4204 0 19:03:22 ? 0:00 /usr/apache2/bin/httpd -k start
webservd 4207 4204 0 19:03:22 ? 0:00 /usr/apache2/bin/httpd -k start
# ppriv 4204
4204: /usr/apache2/bin/httpd -k start
flags = <none>
E: all
I: basic
P: all
L: all
4204: /usr/apache2/bin/httpd -k start
flags = <none>
E: all
I: basic
P: all
L: all
Any idea?
PS: sorry about my english
RE: About Apache2 with RBAC
--- Now the user webservd has the ability to restart the service (with svcadm disable/restart, etc.).
--- All Apache files, logs, configuration, pid file, etc. are owned only by user webservd because I didn't create other administrative roles (like svcadm or webdev)
--- Authorizations "sunw.smf.manage.http/apache2" and "sunw.smf.modify.application.http/apache2" have been applied to user webservd
webservd 2599 2596 0 12:52:06 ? 0:00 /usr/apache2/bin/httpd -k start
webservd 2600 2596 0 12:52:06 ? 0:00 /usr/apache2/bin/httpd -k start
webservd 2597 2596 0 12:52:06 ? 0:00 /usr/apache2/bin/httpd -k start
webservd 2598 2596 0 12:52:06 ? 0:00 /usr/apache2/bin/httpd -k start
webservd 2601 2596 0 12:52:06 ? 0:00 /usr/apache2/bin/httpd -k start
webservd 2596 1 0 12:52:05 ? 0:00 /usr/apache2/bin/httpd -k start
# ppriv 2596
2596: /usr/apache2/bin/httpd -k start
flags = <none>
E: basic,!file_link_any,net_privaddr,!proc_info,!proc_session
I: basic,!file_link_any,net_privaddr,!proc_info,!proc_session
P: basic,!file_link_any,net_privaddr,!proc_info,!proc_session
L: all
# netstat -naf inet | grep '*.80'
*.80 *.* 0 0 49152 0 LISTEN