relinquishing role in start scripts
Posted: Wed Jul 15, 2009 5:04 am
Hi
I have a policy whereby root can not start dead daemons, you need to authenticate to admin role, start the daemon and then unauthenticate from admin role. This is due to the need to first mount and later unmount crypto keys. This has sparked a few questions.
How exactly does authenticating and unauthenticating special roles work? When I am admin, do all the processes spawned by me also become admin (and processes spawned by those admin processes)?
Do logging out (I'm doing this through ssh), gradm -u and gradm -R have the same effect of removing the admin role from this process and all its children that inherited the admin role at some point?
Is there a way to be admin, yet spawn a new process that will not inherit the special role? Something like su user -c "command" does (gradm -u -c "rundaemonrun.sh")?
The reason (if not obvious) I'm asking these questions is that at least during start up, the daemon has admin role and should it be successfully attacked during that window, the whole machine would be compromised. One obvious way to lower the risk is to make a new special role that has fewer privileges than admin, but this solution still has a few problems:
1. The daemon-specific configuration needs to be replicated in both the special role and daemon-specific role.
2. During startup, the daemon will still have a set of permissions it should not have, even though it is less than that of admin's (the setup/cleanup actions).
Another solution might be to run gradm -u right before starting the daemon and later gradm -a admin to finish the cleanup, but that is a bit more inconvenient than it needs to be.
So all in all, it can be done, but the methods I know all involve some amount of pain.
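One way to write the start script along the lines the post suggests (gradm -u right before the daemon starts, gradm -a admin again only for the cleanup), as an added example that is not from the original post or from grsecurity. It assumes that a gradm -a admin / gradm -u pair run from the script's shell brackets the role for that shell and for whatever it forks afterwards; the mount point and daemon path are placeholders, and DRY_RUN=1 records the command order instead of executing it so the ordering can be checked.

```shell
#!/bin/sh
# Added example (not from the original post): a start script that keeps the
# daemon outside the admin special-role window, following the poster's own
# "gradm -u before starting the daemon, gradm -a admin for cleanup" idea.
# Assumptions (not confirmed by the post): gradm -a admin / gradm -u executed
# from this shell change this shell's role and therefore the role of anything
# it forks afterwards; the mount point and daemon path are placeholders.
# DRY_RUN=1 records the command sequence instead of executing it.

KEY_MOUNT="${KEY_MOUNT:-/mnt/keys}"        # placeholder mount point
DAEMON="${DAEMON:-/usr/sbin/mydaemon}"     # placeholder daemon
DRY_RUN="${DRY_RUN:-0}"
TRACE=""

run() {
    if [ "$DRY_RUN" = "1" ]; then
        TRACE="$TRACE$*;"
    else
        "$@"
    fi
}

# Privileged phase: only the admin role may mount the key material.
setup_keys() {
    run gradm -a admin          # prompts for the role password
    run mount "$KEY_MOUNT"
    run gradm -u                # drop the role before anything else forks
}

# Unprivileged phase: the daemon is forked by a shell that no longer holds
# the admin role, so a compromise during startup stays inside its own subject.
launch_daemon() {
    run "$DAEMON"
}

# Second privileged window: re-authenticate only to clean up.
cleanup_keys() {
    run gradm -a admin
    run umount "$KEY_MOUNT"
    run gradm -u
}

# Runs the three phases; in DRY_RUN mode prints the recorded sequence.
start_daemon_with_keys() {
    TRACE=""
    setup_keys && launch_daemon && cleanup_keys
    printf '%s\n' "$TRACE"
}
```

If the daemon does not detach on its own, background it inside launch_daemon so the cleanup window still runs; the point is only that the fork happens after the first gradm -u.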